Logging all VIP connections to syslog - iRule only?
Hi Guys,
I have around 35 VIPs set up on my LTM. I have a requirement to log the original source IP of the requesting client to a syslog server so we can audit who has been accessing the servers by querying the syslog messages. If I take the LTM log file below, are all the connections to VIPs logged to this file by default? If so, would it be the original src/dst or the src/dst after it's been "SNAT" and "DNAT" by the LTM?
**************************************************************************************************************************************************************
local traffic / The local traffic messages pertain specifically to the BIG-IP local traffic management events. /var/log/ltm
***************************************************************************************************************************************************************
I have been told you can only log traffic events to VIPs using an iRule, but I'm not sure if this is true. Can anyone clarify, please?
It's possible via an iRule to capture the client IP address, but the default F5 syslog "/var/log/ltm" file will quickly fill. Assign the iRule below to all VIPs.
when HTTP_REQUEST { log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]" }
Please review my old post: https://devcentral.f5.com/s/question/0D51T00006i7k94/capturing-source-ip-addresses-for-vip
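The following is an added example, not part of the original answer and not F5's own code. It is a variant of the iRule above that sends each record straight to a remote syslog server with High-Speed Logging instead of writing to /var/log/ltm, and that records the client address as seen on the client side of the VIP, before any SNAT. The pool name `syslog_pool` and the `key=value` message layout are assumptions, and the connection record assumes TCP virtual servers.

```tcl
# Added example. "syslog_pool" is an assumed LTM pool whose member is the
# remote syslog server listening on UDP; it is not named on the original page.

when CLIENT_ACCEPTED {
    # Clientside context: IP::client_addr is the real client address
    # (before SNAT) and IP::local_addr is the VIP address it connected to.
    set hsl [HSL::open -proto UDP -pool syslog_pool]

    # <134> = facility local0 (16) * 8 + severity info (6).
    HSL::send $hsl "<134>ltm-audit vip=[virtual name]\
 client=[IP::client_addr]:[TCP::client_port]\
 dst=[IP::local_addr]:[TCP::local_port]"
}

# Remove this event before attaching the rule to a VIP that has no HTTP profile.
when HTTP_REQUEST {
    # Host and URI are supplied by the client: replace control characters
    # and cap the length so they cannot distort or bloat the audit record.
    regsub -all {[[:cntrl:]]} [HTTP::host] "?" host
    regsub -all {[[:cntrl:]]} [HTTP::uri] "?" uri
    set host [string range $host 0 127]
    set uri  [string range $uri 0 511]

    HSL::send $hsl "<134>ltm-audit vip=[virtual name]\
 clientIP=[IP::client_addr] host=$host uri=$uri"
}
```

Because `CLIENT_ACCEPTED` fires once per connection, it covers VIPs that do not carry HTTP traffic, while `HTTP_REQUEST` adds one record per request on the VIPs that do.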