Forum Discussion

gdoyle's avatar
gdoyle
Icon for Cirrostratus rankCirrostratus
Nov 07, 2019

X-Fowraded-For with a UDP profile?

Hey, all. I have a request from a customer that they want to see the originating source IP (i.e. not the IP of the VIP) for logs they are receiving. Currently this is setup using a UDP protocol and U...
application delivery
iRules
LTM
  • Stephen_Anders1's avatar
    Stephen_Anders1
    Nov 07, 2019

    In order to have any chance at doing this, you will need to do a stream rewrite or a payload and append operation. Since BigIP doesn't have a protocol parser for UDP, and since Syslog is not a request/response protocol, there are only when CLIENT_DATA events.

    You will need to map out the current syslog message format and your rule might look very roughly like:

     

    when CLIENT_DATA {

    set sNewMsg "SourceIP:[IP::client_addr]:[UDP::payload]"

    UDP::payload replace 0 0 $sNewMsg

    }

Stephen_Anders1's avatar
Stephen_Anders1
Icon for Employee rankEmployee
Nov 07, 2019

In order to have any chance at doing this, you will need to do a stream rewrite or a payload and append operation. Since BigIP doesn't have a protocol parser for UDP, and since Syslog is not a request/response protocol, there are only when CLIENT_DATA events.

You will need to map out the current syslog message format and your rule might look very roughly like:

 

when CLIENT_DATA {

set sNewMsg "SourceIP:[IP::client_addr]:[UDP::payload]"

UDP::payload replace 0 0 $sNewMsg

}