irule help to log a traffic to a VIP

Subrun
Cirrostratus

Hello,

 

I need to log HTTP requests and responses for a VIP using an iRule. I was trying to follow the URL below, but I have some questions.

 

https://support.f5.com/csp/article/K42210592

 

First, what should I put in the excel field? Also, it does not say to match the VIP IP, so how will it know which VIP to match? Or will this iRule be applied only to whatever VIP I call it on?

 

 

when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        <action>
    }
}

4 REPLIES

Hello Subrun.

 

First you need to provision this iRule in the resources section of one specific virtual server.

After that, this iRule will be executed when the specific condition occurs, in your example (HTTP_REQUEST), when an HTTP request is received.

Besides this, take into account that "<action>" will only be executed when the source IP ([IP::client_addr]) matches "10.10.10.10". You can modify it appropriately.

 

In your "action" section you can log anything (variables, text, etc.). An example:

when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        log local0. "Traffic matches the iRule"
    }
}

Another example:

when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        log local0. "Traffic matches the iRule with source IP: [IP::client_addr]"
    }
}

For logging traffic with responses, you should use HTTP_RESPONSE event.

 

Regards,

Dario.


Sajid
Cirrostratus

Have a look at the F5 and Splunk integration.

iRule_http example

iRule: irule_http

Description: This rule collects and sends http(s) traffic data and lb_failed event data to the Splunk platform. A load balancing failure triggers this event.

Example:

when CLIENT_ACCEPTED {
    # Capture client and virtual server addresses once per connection
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}

when HTTP_REQUEST {
    # Save request details so they can be logged together with the response
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}

when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    # Send one line per request/response pair to the syslog pool; <190> is the syslog priority for local7.info
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"
}

when LB_FAILED {
    # No response exists on a load balancing failure, so only the request fields are sent
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length\r\n"
}

 

Reference:

https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup
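
Added example, not part of the posts above or of the Splunk add-on: a collector-side check, in Python, for the key=value line that the Splunk-iRule-HTTP rule sends over HSL. The iRule interpolates header values without escaping, so a value containing a double quote or comma can spill into extra fields; the parser flags such lines instead of trusting them. The `render` helper and all sample values are constructed for illustration.

```python
import re

# Field order exactly as written in the Splunk-iRule-HTTP HSL::send line.
EXPECTED = ["f5_irule", "src_ip", "vip", "http_method", "http_host", "http_uri",
            "http_url", "http_version", "http_user_agent", "http_content_type",
            "http_referrer", "req_start_time", "cookie", "user", "virtual_server",
            "bytes_in", "res_start_time", "node", "node_port", "http_status",
            "req_elapsed_time", "bytes_out"]
QUOTED = {"http_user_agent", "http_referrer", "cookie", "virtual_server"}
# key=value, where value is "double quoted" or a run of non-comma characters.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)(?:,|$)')

def parse_hsl_line(line):
    """Parse one line; return (fields, problems). Non-empty problems = do not trust."""
    body = line.rstrip("\r\n")
    pri = re.match(r"<\d{1,3}>,", body)
    if not pri:
        return {}, ["missing <PRI>, prefix"]
    pos, keys, fields, problems = pri.end(), [], {}, []
    while pos < len(body):
        pair = PAIR.match(body, pos)
        if not pair:
            problems.append("unparseable text at offset %d" % pos)
            break
        key, value = pair.group(1), pair.group(2)
        if key in fields:
            problems.append("duplicate key: " + key)
        else:
            fields[key] = value.strip('"')
        keys.append(key)
        pos = pair.end()
    if keys != EXPECTED:
        problems.append("field list differs from the iRule template")
    return fields, problems

def render(values):
    """Constructed helper: mimic the iRule's unescaped interpolation."""
    parts = ['%s="%s"' % (k, values.get(k, "")) if k in QUOTED
             else "%s=%s" % (k, values.get(k, "")) for k in EXPECTED]
    return "<190>," + ",".join(parts) + "\r\n"

# Constructed sample values (documentation addresses), not captured traffic.
BASE = {"f5_irule": "Splunk-iRule-HTTP", "src_ip": "192.0.2.10", "http_method": "GET",
        "http_uri": "/", "http_user_agent": "curl/8.0", "http_status": "500"}
CLEAN = render(BASE)
# A User-Agent containing a double quote and commas spills into extra fields.
SPILLED = render(dict(BASE, http_user_agent='x",http_status=200,a="'))

if __name__ == "__main__":
    for name, line in (("clean", CLEAN), ("spilled", SPILLED)):
        print(name, parse_hsl_line(line)[1])
```

Lines that come back with a non-empty problem list are better quarantined than indexed, since neither the first nor the last copy of a duplicated field can be assumed genuine.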

 

For an HTTP VIP, it is better to use the integrated F5 Request Logging profile if possible, as the previous solutions that were provided to you need an iRule. Check if you can use the Request Logging profile or the iRules that @Sajid or @Dario Garrido provided.

 

 

https://support.f5.com/csp/article/K00847516

 

 

You create the iRule as per the article that you've shared. Then you have to bind (apply) that iRule to your VS. So only that VIP will process that iRule and you'll get your logs.

 

I'm a fan of https://devcentral.f5.com/s/articles/ultimate-irule-debug-capture-and-investigate-1183 - this covers almost everything, but if it's too much info, you can simply go for https://devcentral.f5.com/s/articles/log-http-headers or go like   said above. That's too simple.