Forum Discussion

Nacho_de_Aguina (Nimbostratus)
May 25, 2013

Client source IP -> SSH VS forward to Syslog

Hello all

I have a big problem with the following scenario and any help will be wonderful and appreciated.

I have a VS serving SSH to a pool of servers; until now everything works fine. The problem comes with knowing who is connecting to the SSH servers, because I receive the IP of the F5 since we use SNAT.

I have been talking for a lot of hours with the F5 support team (opening an official case), and in the end we need to use SNAT (due to our environment: FW, routers etc.), so in the end they advised me to use an iRule to send the information (the source IP of the client) to a syslog.

They have sent me this info:

 

1 when CLIENT_ACCEPTED {
2     set hsl [HSL::open -proto UDP -pool syslog_server_pool]
3 }
4 when HTTP_REQUEST {
5     # Log HTTP request via syslog protocol as local7.info; see RFC 3164 for more info
6     HSL::send $hsl "<190> [IP::local_addr] [HTTP::uri]\n"
7 }

 

 

But I'm completely lost.

My syslog is at 150.175.45.206 (should I create a pool with the syslog server?)

and I'm serving TCP 22 (SSH).

Line 6 is awful :)

Can anybody help me?

Thxs in advance

Nacho

 

10 Replies

  • > should i create a pool with the syslog server

    yes

    e.g.

    syslog server is 192.168.206.51:514

    ssh client is 172.28.69.28

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:22
       ip protocol 6
       rules myrule
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          set hsl [HSL::open -proto UDP -pool syslog_server_pool]
          HSL::send $hsl "<190> client is [IP::client_addr]:[TCP::client_port]"
       }
    }
    [root@ve10:Active] config  b pool syslog_server_pool list
    pool syslog_server_pool {
       members 192.168.206.51:514 {}
    }
    
    [root@ve10:Active] config  tcpdump -nni 0.0 -s0 port 514 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    21:14:15.436158 IP 172.28.19.253.53360 > 192.168.206.51.514: SYSLOG local7.info, length: 34 out slot1/tmm0 lis=
            0x0000:  0ffe 0800 4500 003e b49e 0000 ff11 b81a  ....E..>........
            0x0010:  ac1c 13fd c0a8 ce33 d070 0202 002a 830d  .......3.p...*..
            0x0020:  3c31 3930 3e20 636c 6965 6e74 2069 7320  <190>.client.is.
            0x0030:  3137 322e 3238 2e36 392e 3238 3a33 3734  172.28.69.28:374
            0x0040:  3831 0114 0000 0000 0000 0000 0000 0000  81..............
            0x0050:  0000 0000 0000 0000                      ........
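The capture above shows exactly what the iRule puts on the wire: a "<190>" priority prefix (RFC 3164 local7.info) followed by "client is IP:port". The receiving side has to trust that line as its only record of who opened the SSH session, so it is worth checking what arrives. The Python script below is an added example written for this thread; it is not from the thread, not F5 code and not the iRule itself. It computes the PRI value for a facility.severity pair, parses the datagram body into a client address and port, drops anything malformed (bad PRI, unparseable address, out-of-range port, or a body from the HTTP_REQUEST template that never carries the client address), and can listen on a UDP port to receive real datagrams. The sample payloads in the block are constructed; the first one is the message visible in the tcpdump hex dump above.

```python
"""Receiver-side check for the "<PRI> client is IP:port" lines an HSL iRule emits."""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# RFC 3164 codes: PRI = facility * 8 + severity, so local7.info is 23 * 8 + 6 = 190,
# which is the "<190>" prefix used in the thread.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI value the iRule must put between < and > for facility.severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> Optional[Tuple[str, str]]:
    """Split a PRI back into (facility, severity); None if it is out of range."""
    if not 0 <= value <= 191:
        return None
    facility, severity = divmod(value, 8)
    return _FACILITY_NAMES[facility], _SEVERITY_NAMES[severity]


@dataclass(frozen=True)
class ClientRecord:
    facility: str
    severity: str
    client_ip: str
    client_port: int
    raw: str


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Body format sent by the iRule in the thread: "client is 172.28.69.28:37481" (IPv4 only here)
_CLIENT_RE = re.compile(r"client is ([0-9.]+):(\d{1,5})")


def parse_hsl_line(datagram: bytes) -> Optional[ClientRecord]:
    """Parse one UDP payload. Anything malformed yields None rather than a
    half-filled record, so a bad or spoofed datagram never lands in the audit trail."""
    try:
        text = datagram.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    m = _PRI_RE.match(text)
    if m is None:
        return None
    decoded = decode_pri(int(m.group(1)))
    if decoded is None:
        return None
    cm = _CLIENT_RE.search(m.group(2))
    if cm is None:
        return None
    try:
        ip = ipaddress.ip_address(cm.group(1))   # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    port = int(cm.group(2))
    if not 1 <= port <= 65535:
        return None
    return ClientRecord(decoded[0], decoded[1], str(ip), port, text)


def receive_records(bind_addr: str = "0.0.0.0", port: int = 514,
                    count: int = 1) -> Iterator[Tuple[str, ClientRecord]]:
    """Bind a UDP socket (the pool member's port; 514 needs root, pick a high
    port for a test run) and yield (sender, record) for each well-formed datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            data, (sender, _) = sock.recvfrom(2048)
            rec = parse_hsl_line(data)
            if rec is not None:
                yield sender, rec


if __name__ == "__main__":
    # Constructed payloads: the first is what the tcpdump capture above shows on the wire.
    for sample in (b"<190> client is 172.28.69.28:37481",
                   b"<190> client is 999.1.1.1:22",
                   b"<999> client is 1.2.3.4:22",
                   b"<190> [HTTP::uri] never fired on a TCP 22 virtual"):
        print(sample, "->", parse_hsl_line(sample))
```

To watch live traffic, run `list(receive_records(port=5514, count=5))` on the syslog host and point the pool member at that port; with port 514 the script has to run as root. Note that the parser only accepts the "client is IP:port" body produced by the CLIENT_ACCEPTED iRule, which is the right event for a TCP 22 virtual server; the HTTP_REQUEST template from support never fires on SSH traffic, so its format is deliberately rejected.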
    
    
  • Hello Nitass

    First, thxs for your reply.

    I believe I have a problem because when I create the syslog pool and add the member, it is being defined with a TCP port instead of UDP 514:

    [nacho@UniF53400:Active] ~ b pool pool_syslog list
    pool pool_syslog {
       monitor all gateway_icmp
       members 150.175.45.24:shell {}
    }

    How can I define UDP 514 when I add a member in a pool?

    Thxs a lot

    Nacho
  • Hi Nacho,

    In a pool definition you don't define TCP or UDP; that is defined at the VS level. So on the VS, the traffic would come in as TCP or UDP and be sent to the pool, where address/port translation is done for load balancing.
  • Laudec, if you see the answer of nitass, the VS is serving on port 22 (TCP SSH),

    but I have to create a pool for syslog which is serving on UDP 514 in order to use it with an iRule.
  • I understand, I think you missed my first point. You can't set UDP or TCP at the pool level.
  • as Laudec said, there is no protocol (e.g. tcp, udp) defined in the pool. it is in the virtual server configuration. for hsl, the protocol is set in the HSL::open command.

    if you do not receive syslog, you may check if the tmm route (route which uses tmm/selfip interface) for syslog is configured.
  • Hello Nitass

    I'm confused.

    The syslog pool does not contain any service, but the member should have one? As you wrote in your example:

    pool syslog_server_pool {
       members 192.168.206.51:514 {}
    }

    My problem is how to declare a member with UDP, because when I add a member to the pool I cannot see any place to define UDP.

    So as you said I must not specify a service, but if I try to add a pool member with a service number declaration F5 tells me that it is required.

    Here you have how I define the objects:

    [nacho@UniF53400:Active] ~ b virtual BSPLINK_FTP list
    virtual BSPLINK_FTP {
       snat automap
       pool pool_bsplink-sftp
       destination 10.24.0.32:ssh
       ip protocol tcp
       rules syslog
       profiles FastL4_Bsplink {}
    }
    [nacho@UniF53400:Active] ~ b rule syslog list
    rule syslog {
       when CLIENT_ACCEPTED {
          set hsl [HSL::open -proto UDP -pool pool_syslog]
          HSL::send $hsl "<190> client is [IP::client_addr]:[TCP::client_port]"
       }
    }
    [nacho@UniF53400:Active] ~ b pool pool_syslog list
    pool pool_syslog {
       monitor all gateway_icmp
       members 150.175.45.24:shell {}
    }

    Thxs
  • Hello all

    I have been talking with the F5 support team and it seems that F5 assumes port 514 as UDP by itself ?¿?¿ Surely they know more than me.

    I have checked that the iRule is being executed, and it is:

    [nacho@UniF53400:Active] / b rule syslog
    RULE syslog
    +-> CLIENT_ACCEPTED 20 total 0 fail 0 abort

    I have enabled UDP and TCP 514 in syslog.

    I have successfully tested telnet from the F5 to 514 and it receives entries at syslog.

    But when I connect to the endpoint servers on port 22 using the VS, nothing is being sent to syslog.

    Any idea?

    Thxs a lot

    Nacho
  • Also tcpdump doesn't give any info:

    [nacho@UniF53400:Active] / tcpdump -nni 0.0 -s0 port 514 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel