Logging all VIP connections to syslog - Irule only?

Mattmans1
Nimbostratus

Hi Guys,

I have around 35 VIPs set up on my LTM. I have a requirement to log the original source IP of the requesting client to a syslog server so we can audit who has been accessing the servers by querying the syslog messages. If I take the LTM log file below, are all the connections to VIPs logged to this file by default? If so, would it be the original src/dst or the src/dst after it's been "Snat" and "Dnat" by the LTM?

**************************************************************************************************************************************************************

local traffic / The local traffic messages pertain specifically to the BIG-IP local traffic management events. / /var/log/ltm

***************************************************************************************************************************************************************

I have been told you can only log traffic events to VIPs using an iRule, but I'm not sure if this is true. Can anyone clarify please?

1 ACCEPTED SOLUTION

Samir
Nacreous

It's possible via iRule to capture the client IP address, but the default F5 syslog "/var/log/ltm" file will quickly fill. Assign the below iRule to all VIPs.

    when HTTP_REQUEST {
        log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
    }

Please review my old post: https://devcentral.f5.com/s/question/0D51T00006i7k94/capturing-source-ip-addresses-for-vip

3 REPLIES 3

Hello Samir,

Thank you so much, just what I was looking for. Do you know if this is the same as configuring an HTTP profile? Would it do the same thing?

Am I also right in thinking that if you had a custom VIP for a random SSH jump server that you would have to use an iRule to log that since you can't use an HTTP profile?

Samir
Nacreous

The above iRule will work for HTTP connections. If you want to capture all connection data, then go with the below iRule.

It will give the complete picture.

    when SERVER_CONNECTED {
        # This logs information about the TCP connections on *both* sides of the full proxy
        set client_remote "[IP::client_addr]:[TCP::client_port]"
        set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"
        set server_local "[IP::local_addr]:[TCP::local_port]"
        set server_remote "[IP::server_addr]:[TCP::server_port]"
        log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
    }

Output will be like below.

<SERVER_CONNECTED>: Got connection: Client(101.3.3.20:33791)<->(10.2.4.111:80)LTM(10.1.1.110:33768)<->(10.3.5.200:8080)Server
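For the audit the original question asks for, the lines written by the SERVER_CONNECTED iRule can be parsed on the syslog server to list which original client addresses reached each VIP. The following is an added example, not part of the thread: the function names, the syslog prefix, the host name `bigip1` and the rule name `log_conns` are assumptions, and the sample lines are constructed around the output format shown above.

```python
import re
from collections import defaultdict

# One "(address:port)" endpoint as the iRule prints it. The address is matched
# lazily, so the port is whatever follows the last colon before ")".
EP = r"\(([0-9A-Fa-f.:%]+?):(\d+)\)"
LINE_RE = re.compile(
    r"Got connection: Client" + EP + r"<->" + EP + r"LTM" + EP + r"<->" + EP + r"Server"
)
# Order of the four endpoints in the message: original client, VIP,
# LTM's server-side source (the SNAT address when SNAT is on), pool member.
ROLES = ("client", "vip", "ltm_serverside", "server")

def parse_line(line):
    """Return {role: (ip, port)} for an iRule log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groups()
    return {role: (g[2 * i], int(g[2 * i + 1])) for i, role in enumerate(ROLES)}

def clients_by_vip(lines):
    """Map 'vip_ip:port' -> {original_client_ip: connection_count}."""
    audit = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:  # skip monitor messages and other LTM noise
            audit["%s:%d" % rec["vip"]][rec["client"][0]] += 1
    return {vip: dict(counts) for vip, counts in audit.items()}

# Constructed sample input (prefix, host and rule name are hypothetical).
PREFIX = "Jan 10 09:15:02 bigip1 info tmm[1234]: Rule /Common/log_conns <SERVER_CONNECTED>: "
SAMPLE_LINES = [
    PREFIX + "Got connection: Client(101.3.3.20:33791)<->(10.2.4.111:80)LTM(10.1.1.110:33768)<->(10.3.5.200:8080)Server",
    PREFIX + "Got connection: Client(101.3.3.20:33802)<->(10.2.4.111:80)LTM(10.1.1.110:33770)<->(10.3.5.201:8080)Server",
    PREFIX + "Got connection: Client(198.51.100.7:50122)<->(10.2.4.112:22)LTM(10.1.1.110:41001)<->(10.3.5.210:22)Server",
    "Jan 10 09:15:03 bigip1 notice mcpd[987]: unrelated message that must be ignored",
]

if __name__ == "__main__":
    for vip, clients in sorted(clients_by_vip(SAMPLE_LINES).items()):
        print(vip, clients)
```
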