Intermediate iRules: High Speed Logging - Spray Those Log Statements!
High Speed Logging has been around since version 10.1, and has been integral to many projects over the past few years. Prior to HSL's introduction, logging remotely was configured entirely in syslog ...
Updated Oct 02, 2023
Version 2.0
JRahm
Admin
Joined January 20, 2005
Jason_Adams
Nov 07, 2017
Employee
@kazeem: We can infer that the IP:PORT of the Virtual Server is 192.168.101.51:80
However, this same solution can be applied to ANY Virtual Server. The concept to be gotten is that the log publisher will duplicate the log to ALL log destinations that are defined in the publisher.
It is also important to note that by using a publisher, you can send logs to the local system and to a remote syslog server, or to any combination of log-destinations.
In the example below (borrowed from Jason Rahm's above example), the output would go to the local-db and a pool of remote syslog servers:
ltm rule testrule {
    when CLIENT_ACCEPTED {
        set lpAll [HSL::open -publisher /Common/splunk_n_local]
    }
    when HTTP_REQUEST {
        HSL::send $lpAll "<190> [IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]; [HTTP::host][HTTP::uri]"
    }
}
sys log-config destination remote-high-speed-log remote_hsl {
    pool-name syslog_pool
}
sys log-config destination splunk splunk_hsl {
    forward-to remote_hsl
}
sys log-config publisher splunk_n_local {
    destinations {
        local-db
        splunk_hsl
    }
}
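On the receiving side, the line format built by the HSL::send call above can be parsed as follows. This is an added example, not part of the original comment or of F5's code: the function names and sample lines are hypothetical, and it assumes the message arrives exactly as the iRule formats it. It decodes the `<190>` priority, splits the endpoints, and flags control characters in the client-supplied host and URI.

```python
import re

# Line format produced by the HSL::send call in the iRule above:
#   <PRI> client_ip:client_port-local_ip:local_port; host+uri
LINE_RE = re.compile(r"<(\d{1,3})> (\S+?)-(\S+?); (.*)", re.DOTALL)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")


def split_endpoint(text):
    """Split 'addr:port' on the last colon so IPv6 addresses survive."""
    addr, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad endpoint: {text!r}")
    return addr, int(port)


def parse_hsl_line(line):
    """Parse one HSL message (hypothetical helper for this example)."""
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("line is not in the expected HSL format")
    pri = int(m.group(1))
    if pri > 191:  # syslog PRI = facility * 8 + severity, max 23 * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    request = m.group(4)
    host, slash, rest = request.partition("/")
    return {
        "facility": pri // 8,             # 190 // 8 = 23 (local7)
        "severity": SEVERITIES[pri % 8],  # 190 % 8 = 6 (info)
        "client": split_endpoint(m.group(2)),
        "local": split_endpoint(m.group(3)),
        "host": host,
        "uri": slash + rest,
        # Host and URI are client-supplied; control characters here can
        # forge extra log lines downstream, so flag them for review.
        "suspicious": bool(CONTROL_RE.search(request)),
    }


# Constructed sample lines, not captured traffic.
SAMPLE_OK = "<190> 10.0.0.5:51234-192.168.101.51:80; example.test/index.html"
SAMPLE_FORGED = SAMPLE_OK + "\n<190> 10.9.9.9:1-192.168.101.51:80; forged.test/"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FORGED):
        print(parse_hsl_line(sample))
```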