26-Apr-2023 06:54
Hi guys,
I have several VS that do loadbalancing to DNS servers. All of VS have AutoMap configured. The real DNS servers only see the SNATed client IP of the BIG-IP because of AutoMap. Currently there is no way to change that configuration.
I need to extract the client IP address that is querying DNS RRs. I tried different ways, found one solution that is not recommended (local logging) and I am currently stuck with HSL.
Because of AutoMap I tried to figure out the client IPs with iRules. I found one for UDP here: https://community.f5.com/t5/technical-forum/log-dns-queries-with-irule/td-p/212655
when CLIENT_ACCEPTED {
binary scan [UDP::payload] H4@12A*@12H* id dname question
set dname [string tolower [getfield $dname \x00 1 ] ]
log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
For TCP here: https://my.f5.com/manage/s/article/K33126241
when CLIENT_ACCEPTED {
log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
}
Both iRules work gread. The logs were written locally and to the remote syslog server; I configured the the server previously in the "Remote Logging" settings. But unfortunatley there are so many log entries for UDP that I was afraid the hard disk will be blown away some time. So I turned off logging.
I then tried to send the logs to my remote syslog server and changed the log command in the iRule to something like this:
log <MySyslogIPaddress> "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
Unfortunately I can see no logs. I found out that the command log <IPaddress> needs this:
"<remote_ip> must be a TMM-routed address. If you must route specific messages to a remote address via the management interface, you must log locally. syslog-ng is able to route messages via both TMM and management interfaces using the standard syntax. You can define an appropriate filter and remote log destination in LTM’s syslog-ng service."
In my environment the default route points to "mgmt". I have no special route for the syslog servers so the traffic is being routed through "mgmt". I couldn't find a way to route the traffic over a tmm-routed interface.
My next try was to solve the problem via HSL. I followed this guide: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-imple...
I tried to trigger the HSL publisher like this:
when CLIENT_ACCEPTED {
binary scan [UDP::payload] H4@12A*@12H* id dname question
set dname [string tolower [getfield $dname \x00 1 ] ]
# logs locally only
#log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
# high speed logging
set hsl [HSL::open -publisher /<Partition>/<Publisher>]
HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
Unfortunately it did'nt work. There are no logs on my remote syslog server visible.
My last try was to bind the HSL publisher to a Virtual Server. But it seems that I still don't understand the whole concept of HSL. I am sort of mixed up for the moment. I hope the community can help me sorting this out.
Solved! Go to Solution.
26-Apr-2023 07:19
Have you tried using this guide to send HSL via the management interface?
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface
26-Apr-2023 07:19
Have you tried using this guide to send HSL via the management interface?
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface
26-Apr-2023 08:06
Hi Michael,
Thanks for the quick reply. I'm gonna give it a hit. I'll keep you posted.
28-Apr-2023 00:33
Unfortunately I doesn't work. The iRule code example states the following
when CLIENT_ACCEPTED {
set my_hsl [HSL::open -publisher /<partition>/<log publisher>]
}
when HTTP_REQUEST {
HSL::send $my_hsl "Request: [HTTP::host][HTTP::uri]"
log local0.info "Request: [HTTP::host][HTTP::uri]"
}
when CLIENT_CLOSED {
unset my_hsl
}
In my case I have UDP DNS traffic that I want to log to a remote syslog. However my iRule code only has the "when CLIENT_ACCEPTED" statement where I set the HSL variable and send the logs via HSL::send. Maybe this is the problem?
I configured the HSL pool in the Common partition as well as the log configuration (publisher, destination etc.). The iRule is configured in another partition. Is such a configuration valid or problematic?
28-Apr-2023 01:25
Hi,
I'm not sure about the partition part. However, I labbed this (all objects in the /Common partition) and it tested fine:
1) Create HSL management-port destination
create sys log-config destination management-port HSL-MGMT-DESTINATION ip-address <SYSLOG DST IP> port 514 protocol udp
2) Create HSL publisher referencing management-port destination
create sys log-config publisher management-port-pub destinations add { HSL-MGMT-DESTINATION }
3) Create DNS logging iRule
ltm rule IRULE-SYSLOG-MGMT {
when CLIENT_ACCEPTED {
binary scan [UDP::payload] H4@12A*@12H* id dname question
set dname [string tolower [getfield $dname \x00 1 ] ]
# logs locally only
#log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
# high speed logging
set hsl [HSL::open -publisher /Common/management-port-pub]
HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
}
4) Create pool
create ltm pool <POOL NAME> members add { <POOL MEMBER IP>:53 }
5) Create UDP/53 virtual server
create ltm virtual <VS NAME> destination <VIP>:53 pool <POOL NAME> profiles add { udp } source-address-translation { type automap } rules { IRULE-SYSLOG-MGMT }
===============
// VERIFICATION
===============
# tcpdump on F5 MGMT interface for UDP syslog traffic
[root@bigip-1:Active:In Sync] config # tcpdump -i mgmt -nn -c 100 -A "udp port 514"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mgmt, link-type EN10MB (Ethernet), capture size 65535 bytes
09:11:24.929974 IP <F5 MGMT IP>.39556 > <SYSLOG DST IP>.514: [|syslog]
E..S<.@.@...
...
..
.....?.Qdns_src_ip=<CLIENT IP> requested dns_query=.google.com
# Kiwi Sylog server entry showing client IP
04-28-2023 09:11:24 Local7.Debug <F5 MGMT IP> dns_src_ip=<CLIENT IP> requested dns_query=google.com
28-Apr-2023 04:08
Hey Michael,
Thanks for labbing this. I had the configuration you posted in mind but dont't know why I didn't do it 😉 I will give it try.
I re-implemented my whole configuration for "HSL via mgmt" in the specific partition and it worked out! For me the topic is solved. Thanks a lot for your support, @Michael_Saleem.
28-Apr-2023 04:15
Awesome. I'm glad that I could help 😊