cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
jkstraw_44238
Nimbostratus
Nimbostratus

Problem this snippet solves:

I had a requirement to have the F5 BigIP produce logs which replicated our current custom Apache Logs. The Apache custom log format was:

CustomLog /../apache/logs/ssl_request_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
  \"%{User-Agent}i\" %T %{JSESSIONID}C %{SSL_PROTOCOL}x %{SSL_CIPHER}x %D"

This was used for logging a Tomcat based web application. We have scripts which parse through the logs and create .csv baed documents to aid in the creation of reports (hence the use of commas as separators and quotations around values which could contain commas such as URLs and SessionIDs). Thanks to a lot of help from the contributors at the forums here I have had success.

I hope you find this useful.

Code :

when HTTP_REQUEST {
  set http_request_time [clock clicks -milliseconds]
  set request_log_line "\
[HTTP::request_num],\
[IP::remote_addr],\
[HTTP::method],\
[HTTP::version],\
[HTTP::host],\
\"[HTTP::uri]\",\
\"[HTTP::header value Referer]\",
\"[HTTP::header User-Agent]\",\
\"[HTTP::cookie value JSESSIONID]\",\
[SSL::cipher name],\
[SSL::cipher version],\
[SSL::cipher bits]"
}

when HTTP_RESPONSE {
  set http_response_time [ clock clicks -milliseconds ]
  log local0. "$request_log_line,\
[HTTP::status],\
[HTTP::payload length],\
[expr $http_response_time - $http_request_time]"
}
Comments
gotran
Nimbostratus
Nimbostratus

You missed a backslash in line 10.

 

when HTTP_REQUEST { set http_request_time [clock clicks -milliseconds] set request_log_line "\ [HTTP::request_num],\ [IP::remote_addr],\ [HTTP::method],\ [HTTP::version],\ [HTTP::host],\ \"[HTTP::uri]\",\ \"[HTTP::header value Referer]\",\ \"[HTTP::header User-Agent]\",\ \"[HTTP::cookie value JSESSIONID]\",\ [SSL::cipher name],\ [SSL::cipher version],\ [SSL::cipher bits]" } when HTTP_RESPONSE { set http_response_time [ clock clicks -milliseconds ] log local0. "$request_log_line,\ [HTTP::status],\ [HTTP::payload length],\ [expr $http_response_time - $http_request_time]" }

Another option is to send the log to a remote syslog changing this line

 

log local0. "$request_log_line,\

to

 

log local0.info "$request_log_line,\
Walter_Kacynski
Cirrostratus
Cirrostratus

Why didn't you use the HTTP Logging profile instead of this iRule?

 

Version history
Last update:
‎17-Mar-2015 12:34
Updated by:
Contributors