Client source IP -> SSH VS forward to Syslog

Nacho_de_Aguina
Nimbostratus

Hello all

I have a big problem with the following scenario and any help will be wonderful and appreciated.

I have a VS serving SSH to a pool of servers; until now everything works fine. The problem comes with knowing who is connecting to the SSH servers, because I receive the IP of the F5 since we use SNAT.

I have been talking a lot of hours with the F5 support team (opening an official case), and in the end we need to use SNAT (due to our environment: FW, routers etc.), so in the end they advised me to use an iRule to send the information (the source IP of the client) to a syslog.

They have sent me this info:

    1 when CLIENT_ACCEPTED {
    2    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    3 }
    4 when HTTP_REQUEST {
    5    # Log HTTP request via syslog protocol as local7.info; see RFC 3164 for more info
    6    HSL::send $hsl "<190> [IP::local_addr] [HTTP::uri]\n"
    7 }

But I'm completely lost.

My syslog is at 150.175.45.206 (should I create a pool with the syslog server?)

and I'm serving TCP 22 (SSH).

Line 6 is awful 🙂

Can anybody help me?

Thanks in advance

Nacho

 


nitass
F5 Employee
"should i create a pool with the syslog server" - yes

e.g.

syslog server is 192.168.206.51:514

ssh client is 172.28.69.28

    [root@ve10:Active] config b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:22
       ip protocol 6
       rules myrule
    }
    [root@ve10:Active] config b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          set hsl [HSL::open -proto UDP -pool syslog_server_pool]
          HSL::send $hsl "<190> client is [IP::client_addr]:[TCP::client_port]"
       }
    }
    [root@ve10:Active] config b pool syslog_server_pool list
    pool syslog_server_pool {
       members 192.168.206.51:514 {}
    }
    [root@ve10:Active] config tcpdump -nni 0.0 -s0 port 514 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    21:14:15.436158 IP 172.28.19.253.53360 > 192.168.206.51.514: SYSLOG local7.info, length: 34 out slot1/tmm0 lis=
        0x0000:  0ffe 0800 4500 003e b49e 0000 ff11 b81a  ....E..>........
        0x0010:  ac1c 13fd c0a8 ce33 d070 0202 002a 830d  .......3.p...*..
        0x0020:  3c31 3930 3e20 636c 6965 6e74 2069 7320  <190>.client.is.
        0x0030:  3137 322e 3238 2e36 392e 3238 3a33 3734  172.28.69.28:374
        0x0040:  3831 0114 0000 0000 0000 0000 0000 0000  81..............
        0x0050:  0000 0000 0000 0000                      ........
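An added example, not code from this thread or from F5: a small Python parser for the raw UDP payloads that nitass's iRule sends, on the syslog-collector side. It decodes the RFC 3164 `<PRI>` prefix into facility/severity (190 = local7.info, as the tcpdump line shows) and pulls out the original client address that SNAT hides from the SSH servers, then counts connections per client. The `client is IP:PORT` body format is the one from the iRule above; the payload lines are constructed samples, including one malformed line to show it is skipped.

```python
import re
from collections import defaultdict

# RFC 3164 facility and severity names; <190> decodes to local7.info,
# matching the "SYSLOG local7.info" that tcpdump reports for the iRule's message.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# Body format produced by:
#   HSL::send $hsl "<190> client is [IP::client_addr]:[TCP::client_port]"
HSL_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*client is (?P<ip>[0-9.]+):(?P<port>\d+)\s*$")

# Constructed sample payloads (modelled on the capture, not taken from it);
# the third is deliberately malformed to show it is skipped, not fatal.
SAMPLE_MESSAGES = [
    "<190> client is 172.28.69.28:37481",
    "<190> client is 10.1.2.3:50000",
    "<190> client is garbage",
    "<190> client is 172.28.69.28:37482",
]

def parse_hsl_message(line):
    """Decode one raw HSL/UDP payload into facility, severity and the
    original client address; returns None for anything unexpected."""
    m = HSL_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity, so 23*8+7 is the maximum
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "client_ip": m.group("ip"),
        "client_port": int(m.group("port")),
    }

def clients_by_ip(lines):
    """Count SSH connections per original client IP across many payloads."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_hsl_message(line)
        if rec is not None:
            counts[rec["client_ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in sorted(clients_by_ip(SAMPLE_MESSAGES).items()):
        print(f"{ip}: {n} connection(s)")
```

If the collector (rsyslog, syslog-ng) has already stored the line with its own timestamp and host prefix, strip that prefix before calling `parse_hsl_message`, which expects the payload exactly as it leaves the F5.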

Nacho_de_Aguina
Nimbostratus
Hello Nitass,

First, thanks for your reply.

I believe I have a problem because when I create the syslog pool and I have added the member, it is being defined with a TCP port instead of UDP 514:

    [nacho@UniF53400:Active] ~ b pool pool_syslog list
    pool pool_syslog {
       monitor all gateway_icmp
       members 150.175.45.24:shell {}
    }

How can I define UDP 514 when I add a member to a pool?

Thanks a lot

Nacho

Laudec_55181
Nimbostratus
Hi Nacho,

In a pool definition you don't define TCP or UDP; that is defined at the VS level. So on the VS, the traffic would come in as TCP or UDP and be sent to the pool, where address/port translation is done for load balancing.

Nacho_de_Aguina
Nimbostratus
Laudec, if you see the answer of nitass, the VS is serving on port 22 (TCP SSH),

but I have to create a pool for syslog, which is serving on UDP 514, in order to use it with an iRule.

Laudec_55181
Nimbostratus
I understand, I think you missed my first point. You can't set UDP or TCP at the pool level.

nitass
F5 Employee
as Laudec said, there is no protocol (e.g. tcp, udp) defined in pool. it is in virtual server configuration. for hsl, protocol is set in HSL::open command.

if you do not receive syslog, you may check if tmm route (route which uses tmm/selfip interface) for syslog is configured.

Nacho_de_Aguina
Nimbostratus
Hello Nitass

I'm confused.

The syslog pool does not contain any service, but the member should have one?

As you wrote me in your example:

    pool syslog_server_pool {
       members 192.168.206.51:514 {}
    }

My problem is how to declare a member with UDP, because when I add a member to the pool I cannot see any place where to define UDP.

So, as you said, I must not specify a service, but if I try to add a pool member without a service number declaration F5 tells me that it is required.

Here you have how I define the objects:

    [nacho@UniF53400:Active] ~ b virtual BSPLINK_FTP list
    virtual BSPLINK_FTP {
       snat automap
       pool pool_bsplink-sftp
       destination 10.24.0.32:ssh
       ip protocol tcp
       rules syslog
       profiles FastL4_Bsplink {}
    }
    [nacho@UniF53400:Active] ~ b rule syslog list
    rule syslog {
       when CLIENT_ACCEPTED {
          set hsl [HSL::open -proto UDP -pool pool_syslog]
          HSL::send $hsl "<190> client is [IP::client_addr]:[TCP::client_port]"
       }
    }
    [nacho@UniF53400:Active] ~ b pool pool_syslog list
    pool pool_syslog {
       monitor all gateway_icmp
       members 150.175.45.24:shell {}
    }

Thanks

Nacho_de_Aguina
Nimbostratus
Hello all

I have been talking with the F5 support team and it seems that F5 assumes port 514 as UDP by itself ?¿?¿ Surely they know more than me.

I have checked that the iRule is being executed, and it is:

    [nacho@UniF53400:Active] / b rule syslog
    RULE syslog
    +-> CLIENT_ACCEPTED 20 total 0 fail 0 abort

I have enabled UDP and TCP 514 in syslog.

I have successfully tested telnet from the F5 on 514 and it receives entries at syslog.

But when I connect to the endpoint servers on port 22 using the VS, nothing is being sent to syslog.

Any idea?

Thanks a lot

Nacho

Nacho_de_Aguina
Nimbostratus
Also, tcpdump doesn't give any info:

    [nacho@UniF53400:Active] / tcpdump -nni 0.0 -s0 port 514 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

 

Nacho_de_Aguina
Nimbostratus
What version do you have installed, v10?