Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Log Http Headers

hooleylist
Cirrostratus
Cirrostratus

on ‎18-Mar-2015 12:22

Problem this snippet solves:

This simple rule logs all HTTP headers in requests and responses to /var/log/ltm. This can be helpful in troubleshooting.

Code :

when HTTP_REQUEST {
   set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   log local0. "============================================="
   log local0. "$LogString (request)"
   foreach aHeader [HTTP::header names] {
      log local0. "$aHeader: [HTTP::header value $aHeader]"
   }
   log local0. "============================================="
}
when HTTP_RESPONSE {
   log local0. "============================================="
   log local0. "$LogString (response) - status: [HTTP::status]"
   foreach aHeader [HTTP::header names] {
      log local0. "$aHeader: [HTTP::header value $aHeader]"
   }
   log local0. "============================================="   
}

# Sample output:

Rule log_http_headers_rule : =============================================
Rule log_http_headers_rule : Client 192.168.99.32:2950 -> webmail.example.com/exchange/Aaron/Inbox/?Cmd=contents (request)
Rule log_http_headers_rule : Host: webmail
Rule log_http_headers_rule : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9)
Rule log_http_headers_rule : Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,im
Rule log_http_headers_rule : Accept-Language: en-us,en;q=0.5
Rule log_http_headers_rule : Accept-Encoding: gzip,deflate
Rule log_http_headers_rule : Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Rule log_http_headers_rule : Keep-Alive: 300
Rule log_http_headers_rule : Connection: keep-alive
Rule log_http_headers_rule : Referer: https://webmail.example.com/exchange/
Rule log_http_headers_rule : X-Forwarded-For: 192.168.99.32
Rule log_http_headers_rule : Front-End-Https: On
Rule log_http_headers_rule : =============================================
Rule log_http_headers_rule : =============================================
Rule log_http_headers_rule : Client 192.168.99.32:2950 -> webmail.example.com/exchange/Aaron/Inbox/?Cmd=contents (response) - status: 200
Rule log_http_headers_rule : Date: Tue, 06 Nov 2007 16
Rule log_http_headers_rule : Server: Microsoft-IIS/6.0
Rule log_http_headers_rule : X-Powered-By: ASP.NET
Rule log_http_headers_rule : Content-Type: text/html
Rule log_http_headers_rule : Content-Length: 55446
Rule log_http_headers_rule : MS-WebStorage: 6.5.7638
Rule log_http_headers_rule : Cache-Control: no-cache
Rule log_http_headers_rule : =============================================
0 Kudos
Comments
Chew_Bacca_1523
Nimbostratus
Nimbostratus
‎29-Sep-2015 16:31
Great article. I applied the irule to my VS but I dont see the any HTTP_RESPONSE in the /var/log/ltm Do I need to enable debug in any particular log for this to work?
0 Kudos
Chew_Bacca_1523
Nimbostratus
Nimbostratus
‎29-Sep-2015 16:35
nevermind. It works. I was just looking at the wrong box (standby). Thanks
0 Kudos
F5Hopper_28651
Nimbostratus
Nimbostratus
‎02-Oct-2015 07:30
how can I tweak this irule to a Virtual Server for port 3389(RDP) also, 1433(SQL).. I found two VirtualServers running and I dont know who is connecting to them.
0 Kudos
Ernesto_Mayol_2
Nimbostratus
Nimbostratus
‎14-May-2016 16:11
Is there a way to overcome the 1024 byte limitation on log size. I am testing an application that utilizes huge http headers and those are being truncated in the log which hinders troubleshooting. I am looking for a way to get this logs locally somehow without the need to setup a remote Syslog server and use HSL, that would take considerable time and expertise that I do not have unfortunately.
0 Kudos
philyeo_72087
Nimbostratus
Nimbostratus
‎31-May-2016 08:39
Just a quick warning. In the case where there are multiple headers with the same name, it will only show the last one. I think you can use: log local0. "$aHeader: [HTTP::header values $aHeader]" to get the full list
0 Kudos
arunalukka_1616
Nimbostratus
Nimbostratus
‎27-Jul-2016 18:38

Great article.Thanks

 

0 Kudos
bsb
Nimbostratus
Nimbostratus
‎16-Dec-2017 22:49

Excellant, we have this irule handy and bind whenever there is a troubleshooting required. i normally capture tcpdump everytime, this helped me a lot. is there an option to forward it to an email once it logs.

 

0 Kudos
jaikumar_f5
MVP
MVP
‎28-Dec-2017 19:46

@Saravana,

 

You can add the sendmail part in the irule and email it.

 

https://clouddocs.f5.com/api/irules/Send-Email-via-iRule-Procedures.html

 

0 Kudos
jeromeN
Nimbostratus
Nimbostratus
‎04-Mar-2020 02:35

how to have a simple unique line

0 Kudos
Version history
Last update:
‎18-Mar-2015 12:22
Updated by:
Cirrostratus
Contributors
Copyright © 2023 Khoros, LLC