Forum Discussion
NimbostratusXFF for retaining client's Original IP
NimbostratusHello Nützmann,
Thank you for your reply, really appreciate that. I'm actually looking for logs which are a week older or 10 days older and has the information about the client's original IP address or the client's true IP address. Is there a way we can do some customization or configuration on F5 to store those logs in var/log folder or to send it to some external syslog server? I know XFF work for only HTTP VS and then we need to configure the web server to extract the IP address from the HTTP header, but need to check the older logs which has the true client IP address.
can we tune F5 settings to send the logs which have the client True IP address to any syslog server or to store the logs on f5 itself in var/log for auditing or troubleshooting. Any further help on this would really help me. Thank you again for your kind support. Have a good day sir!
NacreousYou may want to configure a remote syslog server in System >> Logs : Remote Server
Now you can use an iRule to log each incoming http-request:
when HTTP_REQUEST {
log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[IP::client_addr]"
}Log facility local0. writes into the /var/log/ltm and logs will be replicated to the remote syslog server as well.
The logs on the BIG-IP are rotated each day around 3 AM, compressed and removed on the 10th day or earlier, if they are too large.
- mohammed5370
ok Thanks Stephan, does that mean I dont have to configure XFF if I use this irule. will this irule send the client's original or true IP address to syslog server instead of SNAT IP address? Appreciate any help on this.
- StephanManthey
The iRule will send the original client IP along with the HTTP method and requested path to the local syslog, which is writing into /var/log/ltm. In case you also have configured a remote syslog server, it will show up there as well.
In most environments its the preferred method to insert the X-Forwarded-For on the load balancer and to consolidate the server logs. On the servers its required to change the logging directive so its tracking the IP address provided in the X-Forwarded-For header instead of the IP address of the IP header (which is the serverside SNAT inserted by the BIG-IP).
If you lookup server logs, you will notice, that a log entry contains information both of the request and the response (i.e. status code), this can be accomplished as well.
This would require to store request information of your choise (i.e. the clients original IP address) in a variable in the context of the HTTP_REQUEST event and to write this information in the context of the HTTP_RESPONSE event along with i.e. status code, content type, content length to the logs.
- mohammed5370
is this how the logs in var/log/ltm look like.
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/css/styles.css;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm5[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/inc_navigator_utility.js;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/js/script_login_utility.js;client_ip=10.50.50.144
Jul 7 23:57:07 OC1-BIGIP-F5LTM-T1 info tmm7[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=10.50.50.144
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/;client_ip=10.50.50.144
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-
or can you give me a sample of how exactly the true client IP logs look like in. I just configured the irule and attached it to the virtual server. tried accessing the URL and looked for the client IP address, but couldn't find one. Do I need to use the any filter or grep to look ?
I tried filtering with Virtual server IP address and true client IP address and still couldn't find anyone of that.
- StephanManthey
For a more detailled request logging you may consider this log statement in the context of HTTP_REQUEST:
log local0. "irule=\"requestlogging\",virtual=\"[getfield [virtual name] / 3]\",src=\"[IP::client_addr]\",geo_country=\"[whereis [IP::client_addr] country]\",http_host=\"[HTTP::host]\",http_uri=\"[HTTP::uri]\",http_method=\"[HTTP::method]\",payload_lenght=\"[string length $payload]\",content_type=\"[HTTP::header value Content-Type]\",http_referer_path=\"[URI::path [HTTP::header value Referer]]\""It will also provide information about the virtual server, handling the request, geolocation information of the client, the referer header (how the client was directed to your site) and others.
Please note, that a local log entry is limited in size. So perhaps you may want to use
http_path=\"[HTTP::path]\"instead of the http_uri and to avoid the logging of the http_referer_path.
- mohammed5370
I'm sorry stephan,I'm not that expert in linux logging,appreciate if you can guide me with the exact command to filter out when in var/log/ltm. I still couldn't find the IP address I'm looking for. Below are the steps which I configured to test it
1. Irule configured on f5
2. attached it to the Virtual server
3.tried access the virtual server through browser again, URL is accessible
4.connected into f5 CLI, then went to cd /var/log/ltm
5. saw too many logs, tried filtering using the grep command to see if it could worked.
6. command I used to filter the logs (cat ltm | grep 10.50.50.144), where 10.50.50.144 is the client's true IP address. and still couldn't find the output.WOuld be grateful if you could give me the exact command to filter out the logs when I'm in below path or log folder
[admin@test-device] log #
