iRule: Log SNAT IP's when using Oneconnect
Hello F5 Friends,
I'm at a bit of a loss for how to write an iRule here and I'm hoping you all can help me out. I have a need to send a security vendor the Client Side and Server Side IP addresses used for all connections coming in through my F5. I tested out this iRule below and it logs successfully and forwards off to our vendor successfully within our infrastructure.
when SERVER_CONNECTED {
# log clientside and serverside connection details to /var/log/ltm
log local0. "Clientside connection: SrcIP:Port [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to DstIP:Port [clientside {IP::local_addr}]:[clientside {TCP::local_port}] translates to Serverside connection: SrcIP:Port [IP::local_addr]:[TCP::local_port] to DstIP:Port [IP::remote_addr]:[TCP::remote_port]"
}
Unfortunately, I found out after this was in place that it wasn't generating logs for all connections coming into the associated virtuals. (I have this iRule applied to All virtuals on my F5.) Through some testing I found that this iRule was not logging for connections where the Server Side connection was being reused by the oneconnect profile.
Next I tried using the "LB_SELECTED" event instead of "SERVER_CONNECTED" and in this case I see that I'm logging on all HTTP requests that come inbound. So the first event doesn't trigger enough and the second event triggers too often. I was hoping for some help in finding that happy medium.
Can someone help me with the right event trigger or logic in the iRule that would log the CS IP's and SS IP's as each new front end connection is established to a back end server when Oneconnect is in the mix?
Thanks,
Jeff