iRules Concepts: Logging, a Deeper Understanding

Multiple times in recent iRules presentations, whether on the road or here within F5, there have been questions raised when the topic of logging within iRules gets brought up. Specifically people are...
Published Jun 18, 2012
Version 1.0
application delivery
BIG-IP
dev
devops
iRules
news
tech tip
tutorial
andreas_4646's avatar
andreas_4646
Icon for Nimbostratus rankNimbostratus
Jul 31, 2012
It took me a while to get this going because I did not realize that HSL would not send anything out the management interface, but given how it bypasses the OS layer, this makes sense. Also, 'referer' is misspelled, which caught me as well. Here is my apache style logging rule.

 

{code}

 

when HTTP_REQUEST {

 

set hsl [HSL::open -proto UDP -pool syslog_pool]

 

set agent [HTTP::header "User-Agent"]

 

set client [IP::client_addr]

 

set method [HTTP::method]

 

set referrer [HTTP::header "Referer"]

 

set uri [HTTP::uri]

 

set version [HTTP::version]

 

set vip [HTTP::host]:[TCP::local_port]

 

}

 

 

when HTTP_RESPONSE {

 

set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]

 

set bytes [HTTP::header "Content-Length"]

 

set status [HTTP::status]

 

set version [HTTP::version]

 

log connection info

 

Log HTTP request via syslog protocol as local7.info; see RFC 3164 for more info

 

local3 = 19; info = 6; 8*19 + 6 = 158

 

HSL doesn't actually talk 'syslog-ng' must be something else.

 

HSL::send $hsl "<158> $vip $client - - \[$time\] \"$method $uri HTTP\/$version\" $status $bytes \"$referrer\" \"$agent\"\n"

 

}

 

{code}