iRule HSL logging question with user specified text

martin1
Altostratus

I wish to log via HSL a message that contains some repeatable text as well as some user-generated text. I can see one of two ways to get the text generated, but I have some issues with each method. #1: Use a logging profile template, but when you do, how do you add some text to the end (or access via a variable text you feed it)? I.e. the VIP has a template assigned, the iRule has an HSL::open call, then the iRule later calls, say, HSL::send $hsl "and does this then get appended to the end?". And all you get is what is specified in the template. How can I pass my string body (value or reference) into the template?

#2 Use all text generation in the iRule, but then how do I get at dynamic values that I want but that are only available when you log via the profile/template. For example: $DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME and so on.

1 ACCEPTED SOLUTION

Hello Martin.

 

With a request-logging profile you can set any kind of format in the template field.

An example of CEF format:

CEF:0|F5|MyEnv|1|sip=$CLIENT_IP sprt=$CLIENT_PORT snatip=$SNAT_IP snatprt=$SNAT_PORT dstip=$SERVER_IP dstprt=$SERVER_PORT dhost=$BIGIP_HOSTNAME apm=$X_APM

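Where X_APM can be configured by injecting an HTTP header:

    when HTTP_REQUEST {
        # Expose the APM session value to the logging template as $X_APM
        HTTP::header replace X_APM [ACCESS::session data get session.custom.name]
    }
    when HTTP_REQUEST_RELEASE {
        # Remove the helper header again before the request is released to the server
        HTTP::header remove X_APM
    }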

---

In case you still want to use an iRule, you can get those parameters with:

1) Hostname

$static::tcl_platform(machine)

2) Time

    set curtime [clock seconds]
    set formattedtime [clock format $curtime]
    log "$curtime seconds since epoch, $formattedtime"

Output: 1129552706 seconds since epoch, Mon Oct 17 07:38:26 CDT 2005

 

Regards,

Dario.


6 REPLIES

Hello Martin.

 

It's better to use a request logging profile.

https://support.f5.com/csp/article/K00847516

 

You can add extra variables by injecting HTTP headers into the HTTP_REQUEST and referencing them by the name of the header:

$BIGIP_HOSTNAME $Host ${X-Forwarded-For} ...

 

If you want to avoid sending those headers to the backend server, you can remove them again using this event:

https://clouddocs.f5.com/api/irules/HTTP-REQUEST-RELEASE.html

 

Regards,

Dario.


Thanks, not sure that would work in this case. What I need to simulate is the CEF logging format, and that is not available from a native profile format choice, plus the data I need to pass in (some arbitrary data). If in effect I am manually writing the CEF formatted message out by a number of profile objects/variables and as well an HTTP header variable or two as data placeholders, I pretty much may as well just manually create the whole thing via HSL as I am currently. However, some (most) of the data that I want is matched from data available in a logging profile. This I am currently getting from TCL calls. Should they have too great a performance hit, I may well see if your proposal would alleviate that. I also didn't know of (think of) using HTTP_REQUEST like that. Interesting and devious, I will file that one away, thank you.

Martyn Roberts
Vodafone/IBM Venture Swindon ISC 07881846887

Dario, sure, but whether I write the CEF format out once as a template or once doesn't make much difference. I was more contrasting it against the inbuilt native ability to log to CEF that exists from the AFM and ASM modules. Why is using a template better than using an HSL handle in an iRule? Is it a CPU or RAM usage item? I am not familiar enough with F5s and potential iRule overhead to know (yet). At the moment my logging is of the form:

    set hsl [HSL::open -proto UDP -pool MAR-syslog]
    . . .
    set curtime [clock seconds]
    set formattedtime [clock format $curtime -format { %b %d %T } ]
    HSL::send $hsl "$formattedtime $static::tcl_platform(machine) CEF:0|F5|BIG-IP|$static::tcl_platform(osVersion)|URIiRule|URI Blocking|Low| msg=Returning from irule---no match on URI or IP found"

Martyn Roberts
Vodafone/IBM Venture Swindon ISC 07881846887
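
Added example, not part of any post in this thread: when a hand-built CEF line like the one above carries client-controlled text, that text needs CEF escaping first, otherwise a `|`, `=`, backslash or line break in it can shift fields or start a second log entry in the collector. The pool name and header values are taken from the post above; logging the request URI under the CEF `request` key and the event layout are assumptions.

```tcl
when CLIENT_ACCEPTED {
    # One HSL handle per connection; pool name as used in the thread.
    set hsl [HSL::open -proto UDP -pool MAR-syslog]
}

when HTTP_REQUEST {
    # Syslog-style timestamp and BIG-IP hostname, obtained as in the thread.
    set ts   [clock format [clock seconds] -format {%b %d %T}]
    set host $static::tcl_platform(machine)

    # CEF header fields are pipe-delimited: escape backslash and '|'.
    set ver [string map [list "\\" "\\\\" "|" "\\|"] \
        $static::tcl_platform(osVersion)]

    # CEF extension values are key=value pairs: escape backslash and '=',
    # and turn CR/LF into the two-character sequences \r and \n so the
    # value stays on one line and cannot introduce a new key.
    # (Assumption: the URI is the "user generated" text to be logged.)
    set uri [string map [list "\\" "\\\\" "=" "\\=" "\r" "\\r" "\n" "\\n"] \
        [HTTP::uri]]

    # Fixed text and escaped dynamic text combined into a single CEF event.
    HSL::send $hsl "$ts $host CEF:0|F5|BIG-IP|$ver|URIiRule|URI Blocking|Low|msg=No match on URI or IP request=$uri"
}
```

`string map` scans the input once and does not re-process its own replacements, so listing the backslash pair first does not double-escape the later substitutions.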

Hello Martin.

 

Actually request-logging should have a better performance.

But any of both solutions are fine :-).

 

If this was helpful, I'll appreciate if you mark my answer as the best to help me for the contribution.

 

Regards,

Dario.


Dario, No probs. Of course I will. The answer was reasonable, considered and properly related to the question. It also included some very interesting and useful information. As I said I like the HTTP injection.

Martyn Roberts
Vodafone/IBM Venture Swindon ISC 07881846887