Forum Discussion
writing an irule to log all traffic
I'm looking to log source and destination IP addresses along with the corresponding ports.
Thanks
50 Replies
- nathe
Cirrocumulus
Apologies. I copied your original post, rather than the amended one, as recommended by acidkewpie, and left in the "." - can you remove this and try again please?
Rdgs
N
- nathe
Cirrocumulus
And I've noticed more " to escape:
match(\"logger\");
N
- opers13_3280
Nimbostratus
same issue:
b syslog include "
>
> filter f_local0info {
> facility(local0) and level(info) and match(\"logger\");
> };
>
> destination d_logger {
> udp(\"10.160.161.253\" port (1026));
> };
>
> log {
> source(local);
> filter(f_local0info);
> destination(d_logger);
> };"
BIGpipe parsing error:
012e0008:3: The requested command (filter f_local0info {) is invalid
- nathe
Cirrocumulus
What LTM version are you running? My v10 works with this:
syslog include " filter f_local0_info { facility(local0) and level(info) and match(\"logger\"); }; destination d_logger { udp(\"10.160.161.253\" port (1026)); }; log { source(local); filter(f_local0_info); destination(d_logger); };"
bpsh < syslog.inc
bP syslog include
SYSLOG - Include Data:
filter f_local0_info { facility(local0) and level(info) and match("logger"); }; destination d_logger { udp("10.160.161.253" port (1026)); }; log { source(local); filter(f_local0_info); destination(d_logger); };
Rgds
N
- opers13_3280
Nimbostratus
9.4.8
- sinamotamedi_15
Nimbostratus
I was getting a TCL error (TCL error: /Common/LogRule - can't read "client": no such variable while executing "log local0.info "Client $client -> VIP: $vip -> Node: $node"") when I created an iRule by copying/pasting the TCP logger rule in hoolio's first post and found I had to remove some quotation marks to properly set the variables. I'm running 11.6.0 Build 5.123.429. I also slightly modified it so it logs both when the connection is made and disconnected.
Here's what I used:
when CLIENT_ACCEPTED {
    set vip [IP::local_addr]:[TCP::local_port]
}
when SERVER_CONNECTED {
    set client [IP::client_addr]:[TCP::client_port]
    set node [IP::server_addr]:[TCP::server_port]
    log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
}
when CLIENT_CLOSED {
    log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: $node"
}
This was a super helpful thread, thanks hoolio!
- aries22
Altocumulus
Hi everyone,
I applied sinamotamedi's revised script but still get TCL errors.
I even made adjustments in hopes to reduce errors:
when CLIENT_ACCEPTED {
    set vip [IP::local_addr]:[TCP::local_port]
    set client [IP::client_addr]:[TCP::client_port]
}
when SERVER_CONNECTED {
    set node [IP::server_addr]:[TCP::server_port]
    log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
}
when CLIENT_CLOSED {
    log local0.info "Disconnected: Client $client -> VIP: $vip"
}
when SERVER_CLOSED {
    log local0.info "A client has disconnected on Node: $node"
}
The CLIENT_CLOSED event does not generate an error anymore, but I'm still getting an error for the SERVER_CLOSED event sometimes:
01220001:3: TCL error: /Common/TCP_Logger - can't read "node": no such variable while executing "log local0.info "A client has disconnected on Node: $node""
I'm assuming this is caused by a connection with established client-side but unestablished server-side. Is my assumption correct? How do I correct the SERVER_CLOSED event logging script so that it won't generate errors?
- sinamotamedi_15
Nimbostratus
It seems like the error is saying the "node" variable doesn't exist so what you could do is add an IF/ELSE statement that checks whether the variable exists before writing to the log. Here's an example given the script you posted:
when CLIENT_ACCEPTED {
    set vip [IP::local_addr]:[TCP::local_port]
    set client [IP::client_addr]:[TCP::client_port]
}
when SERVER_CONNECTED {
    set node [IP::server_addr]:[TCP::server_port]
    log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
}
when CLIENT_CLOSED {
    log local0.info "Disconnected: Client $client -> VIP: $vip"
}
when SERVER_CLOSED {
    # Only log when the server-side connection was actually established.
    if {[info exists node]} {
        log local0.info "A client has disconnected on Node: $node"
    } else {
        # do nothing
    }
}
- aries22
Altocumulus
Thank you so much sinamotamedi for your help! I edited the rule you gave and tested below which did not generate errors:
when CLIENT_ACCEPTED {
    set vip [IP::local_addr]:[TCP::local_port]
    set client [IP::client_addr]:[TCP::client_port]
}
when SERVER_CONNECTED {
    set node [IP::server_addr]:[TCP::server_port]
    log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
}
when CLIENT_CLOSED {
    log local0.info "Disconnected: Client $client -> VIP: $vip"
}
when SERVER_CLOSED {
    # Log the full path only when both variables were set earlier.
    if {[info exists node] and [info exists client]} {
        log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: $node"
    } else {
        # do nothing
    }
}
- Pablo_soft
Nimbostratus
I need help.
I followed the steps but I can't get the IRULE to work.
when HTTP_REQUEST {
set url "identities-esb.rg.repsol.com"
set url [HTTP::header Host][HTTP::uri]
set vip [IP::local_addr]:[TCP::local_port]
}
when HTTP_RESPONSE {
set client [IP::client_addr]:[TCP::client_port]
set node [IP::server_addr]:[TCP::server_port]
set nodeResp [HTTP::status]
}
log local0.
filter f_local0 {
facility(local0) and level(info..emerg);
}
destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
}
log {
source(local);
filter(f_local0);
destination(d_ltm);
}
This is the error that appears in F5
01070151:3: Rule [/TI_TECNOLOGIA_WEB/identities_443] error: /TI_TECNOLOGIA_WEB/identities_443:13: error: [command is not valid in the current scope][log local0. ]
/TI_TECNOLOGIA_WEB/identities_443:14: error: [undefined procedure: filter][filter f_local0 {
facility(local0) and level(info..emerg);
}]
/TI_TECNOLOGIA_WEB/identities_443:18: error: [undefined procedure: destination][destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
}]
/TI_TECNOLOGIA_WEB/identities_443:22: error: [command is not valid in the current scope][log {
source(local);
filter(f_local0);
destination(d_ltm);
}]
regards
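An added example, not part of the original post or of any reply in this thread: the validation errors above come from lines that sit outside a "when" event block (log) or that are syslog-ng configuration rather than Tcl (filter, destination, log { ... }). The rule below keeps only Tcl, with every command inside an event. Logging HTTP::path instead of the full URI and the message layout are assumptions of this example; the syslog-ng stanzas are assumed to be loaded separately, as with the "syslog include" discussed earlier in the thread.

```tcl
# Added example, not from the original thread.
# An iRule may contain only Tcl, and every command must sit inside a
# "when <EVENT> { ... }" block. syslog-ng filter/destination/log stanzas
# are system configuration and are not placed in the rule.

when CLIENT_ACCEPTED {
    # Client-side context: both values are known once the connection is accepted.
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip "[IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    # Save request details for the response event.
    # HTTP::path leaves out the query string, which can carry tokens or
    # credentials that should not end up in /var/log/ltm (example's choice).
    set host [HTTP::host]
    set path [HTTP::path]
}

when HTTP_RESPONSE {
    # Server-side context: the selected pool member is known here.
    set node "[IP::server_addr]:[TCP::server_port]"

    # Guard with "info exists", as in the replies above, so a missing
    # variable cannot raise a TCL error at run time.
    if {[info exists host] and [info exists path]} {
        log local0.info "Client $client -> VIP: $vip -> Node: $node Host: $host Path: $path Status: [HTTP::status]"
    }
}
```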