NEDS Rule

Problem this snippet solves:

Used in conjunction with the NEDS specification contained in the Logging & Reporting Toolkit series.

Code:

when RULE_INIT {
    # Settings shared by every event handler below; each one reads them as $::name.
    # NOTE(review): on TMOS v10+ "::" globals set here are reported to demote the
    # virtual server from CMP; static:: variables are the usual replacement, but
    # every handler that reads $::name would have to change with them - confirm.
    set ::device_id "mybigip.test.net"   ;# identifier written into every record
    set ::inbound_vlan "4094"            ;# VLAN id that marks the inbound side
    set ::strlimit 256                   ;# bound used when trimming HTTP fields
    # Optional AES+base64 encoding of each record body; off by default.
    set ::doAES 0
    # NOTE(review): AES::encrypt expects a key in the form returned by AES::key
    # (AES <bits> <hex>) - confirm this literal is accepted. A key embedded in
    # the rule is readable by anyone who can view the configuration.
    set ::AESKey "F(NY$*@&TYY%($&@(%SLJSDLF"
}
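when CLIENT_ACCEPTED {
    # Emit one neds.f5.conn.start.v1 record per accepted client connection and
    # leave $clientflow behind for CLIENT_CLOSED and the HTTP handlers.
    # Reads $::device_id, $::inbound_vlan, $::doAES and $::AESKey from RULE_INIT.
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    # The seconds counter can tick between the two clock calls above, pushing
    # usecs to 1000000 or more; clamp so the fraction is always six digits.
    # (A strict greater-than test let exactly 1000000 through as seven digits.)
    if { $usecs >= 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set conn_start_time $secs.$usecs

    set clientside_client_addr [IP::client_addr]
    set clientside_client_port [TCP::client_port]
    set clientside_server_addr [IP::local_addr]
    set clientside_server_port [TCP::local_port]

    # Flow key client:port-local:port@start; the other handlers reuse it so
    # their records can be joined to this one.
    set clientflow "$clientside_client_addr:$clientside_client_port"
    append clientflow "-$clientside_server_addr:$clientside_server_port@$conn_start_time"

    # Traffic arriving on the configured inbound VLAN is labelled Inbound.
    # (The previous test used the raw result of string compare, which is 0 on
    # a match, so the labels came out the wrong way round.)
    set vlanid "[LINK::vlan_id]"
    if { [string equal $vlanid $::inbound_vlan] } {
        set direction "Inbound"
    } else {
        set direction "Outbound"
    }

    # Record body: CSV, text fields double-quoted. Every value here comes from
    # the stack rather than from client-controlled bytes, so no quote escaping.
    set log_event "neds.f5.conn.start.v1"
    set log_content "\"$::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$conn_start_time,"
    append log_content "\"$vlanid\","
    append log_content "[IP::protocol],"
    append log_content "[IP::tos],"
    append log_content "[IP::ttl],"
    append log_content "\"[virtual]\","
    append log_content "\"$direction\""
    if { $::doAES } {
        # Whole body is encrypted and base64'd; the event name records that.
        append log_event ".AES+base64"
        set log_content [b64encode [AES::encrypt $::AESKey $log_content]]
    }

    log local0. \"$log_event\",$log_content
}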

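when CLIENT_CLOSED {
    # Emit one neds.f5.conn.end.v1 record with the per-direction packet and
    # byte counters. Reads $clientflow set by CLIENT_ACCEPTED plus the
    # $::device_id, $::doAES and $::AESKey globals from RULE_INIT.
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    # Clamp a rollover between the two clock calls to six digits; >= so that
    # exactly 1000000 cannot slip through as a seven-digit fraction.
    if { $usecs >= 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set conn_end_time $secs.$usecs

    # An unset $clientflow would abort the handler with a Tcl error and lose the
    # record; log an empty key instead.
    if { ![info exists clientflow] } {
        set clientflow ""
    }

    set log_event "neds.f5.conn.end.v1"
    set log_content "\"$::device_id\","
    append log_content "\"$clientflow\",$conn_end_time,"
    # IP::stats returns a two-element list; index 0 and 1 are the two directions.
    append log_content "[lindex [IP::stats pkts] 0],"
    append log_content "[lindex [IP::stats pkts] 1],"
    append log_content "[lindex [IP::stats bytes] 0],"
    append log_content "[lindex [IP::stats bytes] 1]"
    if { $::doAES } {
        append log_event ".AES+base64"
        set log_content [b64encode [AES::encrypt $::AESKey $log_content]]
    }

    log local0. \"$log_event\",$log_content

}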


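   when HTTP_REQUEST {
    # Emit one neds.f5.http.req.v1 record per request. Host, URI, username and
    # User-Agent are client-controlled, so each is trimmed to $::strlimit
    # characters and has embedded double quotes doubled (CSV escaping) before
    # being quoted into the record.
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    # Clamp a rollover between the two clock calls to six digits; >= so that
    # exactly 1000000 cannot slip through as a seven-digit fraction.
    if { $usecs >= 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set http_request_time $secs.$usecs

    if { ![info exists clientflow] } {
        set clientflow ""
    }

    # string range is inclusive at both ends, so the last index must be
    # strlimit - 1 to keep at most strlimit characters (the earlier form kept
    # one extra).
    set lastidx [expr {$::strlimit - 1}]
    # NOTE(review): only double quotes are neutralised; if a header value can
    # reach here with CR or LF in it, the syslog line could be split - confirm
    # whether TMOS unfolds or rejects such values before deciding to map them.
    set http_host [string range [HTTP::host] 0 $lastidx]
    set http_host [string map {{"} {""}} $http_host]
    set http_request_uri [string range [HTTP::uri] 0 $lastidx]
    set http_request_uri [string map {{"} {""}} $http_request_uri]
    set http_username [string range [HTTP::username] 0 $lastidx]
    set http_username [string map {{"} {""}} $http_username]
    set http_user_agent [string range [HTTP::header User-Agent] 0 $lastidx]
    set http_user_agent [string map {{"} {""}} $http_user_agent]

    set log_event "neds.f5.http.req.v1"
    set log_content "\"$::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$http_request_time,"
    append log_content "[HTTP::request_num],"
    append log_content "\"$http_host\","
    append log_content "\"$http_request_uri\","
    append log_content "\"$http_username\","
    append log_content "\"$http_user_agent\""
    if { $::doAES } {
        append log_event ".AES+base64"
        set log_content [b64encode [AES::encrypt $::AESKey $log_content]]
    }
    log local0. \"$log_event\",$log_content

}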

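when HTTP_RESPONSE {
    # Emit one neds.f5.http.resp.v1 record per response, including the pool
    # member that served it. Status, Content-Type and Content-Length come from
    # the server, so they get the same trim-and-escape treatment as the
    # client-supplied fields in HTTP_REQUEST.
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    # Clamp a rollover between the two clock calls to six digits; >= so that
    # exactly 1000000 cannot slip through as a seven-digit fraction.
    if { $usecs >= 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set http_reply_time $secs.$usecs

    if { ![info exists clientflow] } {
        set clientflow ""
    }

    # Inclusive upper index for string range, so at most strlimit characters.
    set lastidx [expr {$::strlimit - 1}]

    set content_length ""
    if { [HTTP::header exists "Content-Length"] } {
        set content_length [string range [HTTP::header "Content-Length"] 0 $lastidx]
        set content_length [string map {{"} {""}} $content_length]
    }
    # Log the selected pool member as addr:port, or an empty field when none
    # was chosen. (The earlier check compared the joined addr:port string with
    # an empty string, which can never match because of the colon.)
    set lb_server ""
    if { ![string equal [LB::server addr] ""] } {
        set lb_server "[LB::server addr]:[LB::server port]"
    }
    set status_code [string range [HTTP::status] 0 $lastidx]
    set status_code [string map {{"} {""}} $status_code]
    set content_type [string range [HTTP::header "Content-type"] 0 $lastidx]
    set content_type [string map {{"} {""}} $content_type]

    # In HTTP_RESPONSE the default context is the server side: local is the
    # BIG-IP's address toward the pool member, remote is the member itself.
    set serverside_client_addr [IP::local_addr]
    set serverside_client_port [TCP::local_port]
    set serverside_server_addr [IP::remote_addr]
    set serverside_server_port [TCP::remote_port]

    set serverflow "$serverside_client_addr:$serverside_client_port"
    append serverflow "-$serverside_server_addr:$serverside_server_port"

    set log_event "neds.f5.http.resp.v1"
    set log_content "\"$::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$http_reply_time,"
    append log_content "[HTTP::request_num],"
    append log_content "\"$status_code\","
    append log_content "\"$content_type\","
    append log_content "\"$content_length\","
    append log_content "\"$lb_server\","
    append log_content "\"$serverflow\""
    if { $::doAES } {
        append log_event ".AES+base64"
        set log_content [b64encode [AES::encrypt $::AESKey $log_content]]
    }

    log local0. \"$log_event\",$log_content

}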
Published Mar 18, 2015
Version 1.0