Intermediate iRules: High Speed Logging - Spray Those Log Statements!
High Speed Logging has been around since version 10.1, and has been integral to many projects over the past few years. Prior to HSL's introduction, logging remotely was configured entirely in syslog, or could be handled in iRules by specifying a destination in the log statement. One enhancement HSL brought to that scenario was to allow a pool of servers to be configured as a destination, so given a pool of servers the log messages were sure to arrive somewhere (ok, for TCP they were sure to arrive!). A drawback with either the log or the HSL::send command, however, is that the message was only going to hit one destination. A workaround for that problem is to use as many commands as necessary to hit all your destinations, but that's not very efficient.
Enter the publisher.
Beginning in version 11.3, a new option to the HSL::open command was added that allows you to send data to a log publisher instead of only to a pool. This allows you to spray that data to as many servers as you like. In my test setup, I used alias interfaces on a Linux virtual machine as the destinations, and created a pool for each to be added to the publisher:
    ltm pool lp1 {
        members {
            192.168.101.20:514 {
                address 192.168.101.20
            }
        }
    }
    ltm pool lp2 {
        members {
            192.168.101.21:514 {
                address 192.168.101.21
            }
        }
    }
    ltm pool lp3 {
        members {
            192.168.101.22:514 {
                address 192.168.101.22
            }
        }
    }
Once I have the pools defined, I create the log destinations:
    sys log-config destination remote-high-speed-log lp1 {
        pool-name lp1
        protocol udp
    }
    sys log-config destination remote-high-speed-log lp2 {
        pool-name lp2
        protocol udp
    }
    sys log-config destination remote-high-speed-log lp3 {
        pool-name lp3
        protocol udp
    }
Finally, I create the publisher for use in the iRules:
    sys log-config publisher lpAll {
        destinations {
            lp1
            lp2
            lp3
        }
    }
That's all the background magic required to get to the iRule showing off the -publisher option in HSL::open:
    ltm rule testrule {
        when CLIENT_ACCEPTED {
            set lpAll [HSL::open -publisher /Common/lpAll]
        }
        when HTTP_REQUEST {
            HSL::send $lpAll "<190> [IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]; [HTTP::host][HTTP::uri]"
        }
    }
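The iRule above hands the collectors a fixed message shape: a syslog PRI (the "<190>" literal is facility local7, severity info, since PRI = facility * 8 + severity), the client and local socket pairs joined by a hyphen, and then [HTTP::host][HTTP::uri] concatenated with no separator. The Python below is an added example for the receiving side, not code from the article or from F5: it parses that shape back into fields, and it checks that every destination in the publisher actually received each message, which matters here because the destinations are UDP and a silent collector is otherwise invisible. The client address 192.168.101.100 and the host example.com are constructed sample values; 192.168.101.51:80 is the virtual server address discussed in the comments.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog facility and severity names, indexed by number (RFC 3164 / RFC 5424).
# PRI = facility * 8 + severity, so the iRule's "<190>" is local7 (23) + info (6).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape of the string the iRule builds with HSL::send:
#   <PRI> client_addr:client_port-local_addr:local_port; hosturi
# The address classes allow IPv6 (hex digits and colons); the ":port-" and
# ":port;" delimiters let the regex backtrack to the correct split point.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<client_addr>[0-9A-Fa-f.:]+):(?P<client_port>\d{1,5})-"
    r"(?P<local_addr>[0-9A-Fa-f.:]+):(?P<local_port>\d{1,5});\s*"
    r"(?P<hosturi>\S*)$"
)


@dataclass
class HslRecord:
    facility: str
    severity: str
    client_addr: str
    client_port: int
    local_addr: str
    local_port: int
    host: str
    uri: str


def parse_hsl_line(line: str) -> Optional[HslRecord]:
    """Parse one message as emitted by the iRule; return None if it does not fit."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # highest legal PRI is local7.debug = 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    # [HTTP::host][HTTP::uri] are concatenated with no separator, so the host
    # ends where the request URI begins: at the first '/'.
    hosturi = m.group("hosturi")
    slash = hosturi.find("/")
    host, uri = (hosturi, "") if slash < 0 else (hosturi[:slash], hosturi[slash:])
    return HslRecord(
        facility=FACILITIES[facility],
        severity=SEVERITIES[severity],
        client_addr=m.group("client_addr"),
        client_port=int(m.group("client_port")),
        local_addr=m.group("local_addr"),
        local_port=int(m.group("local_port")),
        host=host,
        uri=uri,
    )


def missing_destinations(received: Dict[str, List[str]]) -> List[str]:
    """Destinations that lack a message some other destination did receive.

    The publisher copies each message to every destination, so a destination
    whose messages are a strict subset of the union has lost something. With
    UDP destinations, as configured above, nothing else will report that."""
    expected = set().union(*received.values())
    return sorted(dest for dest, msgs in received.items() if expected - set(msgs))


# Constructed sample: what each of the three collectors from the article might
# have received for one request. 192.168.101.100 is an assumed client address;
# 192.168.101.51:80 is the virtual server address discussed in the comments.
SAMPLE_MESSAGE = "<190> 192.168.101.100:53922-192.168.101.51:80; example.com/index.html"
SAMPLE_RECEIVED = {
    "192.168.101.20": [SAMPLE_MESSAGE],
    "192.168.101.21": [SAMPLE_MESSAGE],
    "192.168.101.22": [],            # third collector silently got nothing
}

if __name__ == "__main__":
    print(parse_hsl_line(SAMPLE_MESSAGE))
    print("destinations missing messages:", missing_destinations(SAMPLE_RECEIVED))
```

Feed parse_hsl_line the body of each UDP datagram a collector receives, keyed by the collector it arrived at, and run missing_destinations over that map periodically; a destination that keeps showing up there is the one whose pool member or route needs attention.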
Finally, some visual evidence for the skeptics out there:
You can see that all three destinations got the message, and the message arrived as formatted. So now, armed with this new option (as of version 11.3), go forth and code!
- kazeem_yusuf1 (Nimbostratus)
What virtual server is the Irule applied to?
- Samir_Jha_52506 (Noctilucent)
Apply iRule to Splunk/arcsight VIP.
- Jason_Adams (Employee)
@kazeem: We can infer that the IP:PORT of the Virtual Server is 192.168.101.51:80
However, this same solution can be applied to ANY Virtual Server. The concept to be gotten is that the log publisher will duplicate the log to ALL log destinations that are defined in the publisher.
It is also important to note that by using a publisher, you can send logs to the local system and to a remote syslog server. Or to any combination of log-destinations.
In the example below (borrowed from Jason Rahm's example above), the output would go to the local-db and a pool of remote syslog servers:
    ltm rule testrule {
        when CLIENT_ACCEPTED {
            set lpAll [HSL::open -publisher /Common/splunk_n_local]
        }
        when HTTP_REQUEST {
            HSL::send $lpAll "<190> [IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]; [HTTP::host][HTTP::uri]"
        }
    }
    sys log-config destination remote-high-speed-log remote_hsl {
        pool-name syslog_pool
    }
    sys log-config destination splunk splunk_hsl {
        forward-to remote_hsl
    }
    sys log-config publisher splunk_n_local {
        destinations {
            local-db
            splunk_hsl
        }
    }