30-Jun-2020 07:26
Hi Guys,
I have around 35 VIPs set up on my LTM. I have a requirement to log the original source IP of the requesting client to a syslog server so we can audit who has been accessing the servers by querying the syslog messages. If I take the LTM log file below, are all the connections to VIPs logged to this file by default? If so, would it be the original src/dst or the src/dst after it's been "Snat" and "Dnat" by the LTM?
**************************************************************************************************************************************************************
local traffic / The local traffic messages pertain specifically to the BIG-IP local traffic management events. / /var/log/ltm
***************************************************************************************************************************************************************
I have been told you can only log traffic events to VIPs using an iRule, but I'm not sure if this is true. Can anyone clarify, please?
02-Jul-2020 06:27 - last edited on 04-Jun-2023 21:23 by JimmyPackets
It's possible via iRule to capture the client IP address, but the default F5 syslog file "/var/log/ltm" will quickly fill. Assign the iRule below to all VIPs.
when HTTP_REQUEST {
    # Log the client's source address together with the requested host and URI
    log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
}
Please review my old post: https://devcentral.f5.com/s/question/0D51T00006i7k94/capturing-source-ip-addresses-for-vip
02-Jul-2020 09:13
Hello Samir,
Thank you so much, just what I was looking for. Do you know if this is the same as configuring an HTTP profile? Would it do the same thing?
Am I also right in thinking that if you had a custom VIP for a random SSH jump server, you would have to use an iRule to log that, since you can't use an HTTP profile?
03-Jul-2020 00:36 - last edited on 04-Jun-2023 21:23 by JimmyPackets
The above iRule will work for HTTP connections. If you want to capture all connection data, then go with the iRule below.
It will give the complete picture.
when SERVER_CONNECTED {
    # This logs information about the TCP connections on *both* sides of the full proxy
    set client_remote "[IP::client_addr]:[TCP::client_port]"
    set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"
    set server_local "[IP::local_addr]:[TCP::local_port]"
    set server_remote "[IP::server_addr]:[TCP::server_port]"
    log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
}
Output will be like below.
<SERVER_CONNECTED>: Got connection: Client(101.3.3.20:33791)<->(10.2.4.111:80)LTM(10.1.1.110:33768)<->(10.3.5.200:8080)Server
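
Added example, not part of the original thread and not F5 code: a Python parser for the "Got connection" message format shown above, which recovers the original client address and the VIP it connected to so the syslog data can be queried per VIP for the audit described in the question. The syslog prefix, rule name, hostnames and the extra sample lines are constructed assumptions; only the first message body comes from the thread.

```python
import re
from collections import defaultdict

# Message format emitted by the SERVER_CONNECTED iRule in this thread.
CONN_RE = re.compile(
    r"Got connection: "
    r"Client\((?P<client>[^()]+)\)<->\((?P<vip>[^()]+)\)"
    r"LTM\((?P<ltm_local>[^()]+)\)<->\((?P<server>[^()]+)\)Server"
)

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon and return (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def parse_connection(line):
    """Return the four endpoints as a dict, or None if the line does not match."""
    m = CONN_RE.search(line)
    if m is None:
        return None
    try:
        return {k: split_endpoint(v) for k, v in m.groupdict().items()}
    except ValueError:
        return None  # port field was not numeric

def clients_by_vip(lines):
    """Map each VIP (addr, port) to the set of original client addresses seen."""
    seen = defaultdict(set)
    for line in lines:
        conn = parse_connection(line)
        if conn:
            seen[conn["vip"]].add(conn["client"][0])
    return dict(seen)

# Constructed sample input; prefix and rule name are assumptions for illustration.
PREFIX = "Jul  3 00:40:01 bigip1 info tmm[1234]: Rule /Common/log_conn <SERVER_CONNECTED>: "
SAMPLE = [
    PREFIX + "Got connection: Client(101.3.3.20:33791)<->(10.2.4.111:80)LTM(10.1.1.110:33768)<->(10.3.5.200:8080)Server",
    PREFIX + "Got connection: Client(198.51.100.7:50122)<->(10.2.4.111:80)LTM(10.1.1.110:33770)<->(10.3.5.201:8080)Server",
    PREFIX + "Got connection: Client(101.3.3.20:40210)<->(10.2.4.112:22)LTM(10.1.1.110:33771)<->(10.3.5.50:22)Server",
    "Jul  3 00:40:05 bigip1 notice mcpd[5678]: unrelated message",
]

if __name__ == "__main__":
    for vip, clients in clients_by_vip(SAMPLE).items():
        print(vip, sorted(clients))
```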