Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

iRule to log traffic details

Go to solution
yadgayan
Cirrus
Cirrus

‎21-Sep-2023 14:44

Hi,

I want to log below information to syslog via iRule

Request headers including e.g. tap-*, X-* (e.g. X-Forwarded-For & X-Forwarded-Port )
src IP
src Port
request url
referral url
method
response
sessionid
x_uri (assume included from F5)
timestamp (ms granular)

Any one has iRule handy for this or covers partially? 

 

Thank you, 

0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Mohamed_Ahmed_Kansoh
MVP
MVP

‎21-Sep-2023 15:34

Hi @yadgayan , 

U can use this : 

when HTTP_REQUEST {
    log local0. "HTTP Method = [HTTP::method]"
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Query = [HTTP::query]"
    log local0. "HTTP Version = [HTTP::version]"
    log local0. "HTTP Host Header = [HTTP::host]"
    log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]"
}
when HTTP_RESPONSE {
    log local0. "HTTP Status = [HTTP::status]"
    log local0. "HTTP version = [HTTP::version]"
    log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]"
}

- you can remove any info you don't want to log it. 
refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592

I haven't tested this irule , but it should work. 

By the way : you can use High speed logging ( HSL ), it's pretty good to use : 
https://my.f5.com/manage/s/article/K00847516

I hope this helps u 🙂 

_______________________
Regards
Mohamed Kansoh

View solution in original post

0 Kudos

Go to solution
yadgayan
Cirrus
Cirrus

‎25-Sep-2023 23:42

Thanks @Mohamed_Ahmed_Kansoh 

I modified and made a single log entry to achieve my goal. But thanks a lot for the direction. 

View solution in original post

8 REPLIES 8

Go to solution
Mohamed_Ahmed_Kansoh
MVP
MVP

‎21-Sep-2023 15:34

Hi @yadgayan , 

U can use this : 

when HTTP_REQUEST {
    log local0. "HTTP Method = [HTTP::method]"
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Query = [HTTP::query]"
    log local0. "HTTP Version = [HTTP::version]"
    log local0. "HTTP Host Header = [HTTP::host]"
    log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]"
}
when HTTP_RESPONSE {
    log local0. "HTTP Status = [HTTP::status]"
    log local0. "HTTP version = [HTTP::version]"
    log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]"
}

- you can remove any info you don't want to log it. 
refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592

I haven't tested this irule , but it should work. 

By the way : you can use High speed logging ( HSL ), it's pretty good to use : 
https://my.f5.com/manage/s/article/K00847516

I hope this helps u 🙂 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Go to solution
yadgayan
Cirrus
Cirrus

‎21-Sep-2023 16:12

i added all into single. 

 

when HTTP_REQUEST {

    log local0. "HTTP Method = [HTTP::method] Client = [IP::client_addr] HTTP URI = [HTTP::uri] HTTP Path = [HTTP::path] HTTP Query = [HTTP::query] HTTP Version = [HTTP::version] HTTP Host Header = [HTTP::host] HTTP User Agent Header = [HTTP::header value "user-agent"] Session_ID=[ACCESS::session data get session.user.sessionid] Assigned PPP Dynamic IPv4: [ACCESS::session data get session.assigned.clientip] NA Resource: [ACCESS::session data get session.assigned.resources.na] Client IP: [ACCESS::session data get session.user.clientip]"

}

when HTTP_RESPONSE {

    log local0. "HTTP Status = [HTTP::status] HTTP version = [HTTP::version] HTTP Content Length Header = [HTTP::header value "content-length"]"

}

 

will this cover all?

0 Kudos

Go to solution
Mohamed_Ahmed_Kansoh
MVP
MVP
In response to yadgayan

‎21-Sep-2023 16:18

@yadgayan , 
yes all in same irule , this will be good. 

but monitor your system resources utilization ( CPU , Memory ) 

Go to Statistics >>> Performance report >>>> then have a look in CPU & memory graphs and curves after adding this irule. 

it's recommended to monitor that because irules consumes cpu cycles .

_______________________
Regards
Mohamed Kansoh
0 Kudos

Go to solution
yadgayan
Cirrus
Cirrus

‎21-Sep-2023 17:53

its working but how i log meta of a session (e.g. cookie, transaction)?

0 Kudos

Go to solution
Mohamed_Ahmed_Kansoh
MVP
MVP
In response to yadgayan

‎21-Sep-2023 18:13

@yadgayan , 

you can log cookie info by this way in the following article : 

https://community.f5.com/t5/technical-forum/log-the-http-cookie-name-value-and-path-using-irule/td-p...

I don't understand what do you mean by transaction ? 

Transaction means >>>> HTTP request and u already log ( methods , headers , cookies , ips , .... ) 
so what is the transaction do you want to log ? 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Go to solution
LiefZimmerman
Community Manager
Community Manager

‎25-Sep-2023 21:45

@yadgayan  - If your post was solved it would be helpful to the community to select Accept As Solution.
Thanks for joining and being part of our community.

Go to solution
yadgayan
Cirrus
Cirrus

‎25-Sep-2023 23:42

Thanks @Mohamed_Ahmed_Kansoh 

I modified and made a single log entry to achieve my goal. But thanks a lot for the direction. 

Go to solution
LiefZimmerman
Community Manager
Community Manager
In response to yadgayan

‎26-Sep-2023 08:37

Since there was a bit of modification on the original suggestion I've also accepted your clarification as part of the solution.
Thanks for following up.

0 Kudos
Copyright © 2023 Khoros, LLC