Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Need iRule for logging all LDAPS requests to HSL Splunk

Go to solution
steve_michaels
Cirrus
Cirrus

‎30-Sep-2022 04:58

Hi DevCentral-

We have a VS for loadbalancing our Domain Controllers. I need an iRule to log all LDAPS requests coming in to the VS and send to our HSL logging pool which used UDP port 514. Any h

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
xuwen
MVP
MVP

‎04-Oct-2022 21:15

if ssl offload work on bigip(clientside ssl profile, client ldap), you can use CLIENTSSL_HANDSHAKE, CLIENTSSL_DATA irules event to collect decrypt payload

when CLIENTSSL_HANDSHAKE {
   # log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
   set hsl [HSL::open -proto UDP -pool syslogvip_pool]
   SSL::collect
}
when CLIENTSSL_DATA {
   # log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload"
   # log local0. "\[SSL::payload\]: [SSL::payload]"
   HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
   HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]"
   SSL::release
}

 

View solution in original post

4 REPLIES 4

Go to solution
Dario_Garrido
MVP
MVP

‎30-Sep-2022 20:32

Hello @steve_michaels,

You have an example here

https://support.f5.com/csp/article/K50040950

 

Regards,
Dario.
0 Kudos

Go to solution
steve_michaels
Cirrus
Cirrus
In response to Dario_Garrido

‎04-Oct-2022 10:51

Here is some more info. I have this iRule setup on the VIP which uses ldaps (tcp/636) to conect to our pool of Domain Comain contollers:

when CLIENT_ACCEPTED {
TCP::collect
set hsl [HSL::open -proto UDP -pool syslogvip_pool]
HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
HSL::send $hsl "DCreqlogging TCP Payload [TCP::payload]"
TCP::release
}

It is logging the client IP and port to the Splunk system but i am not seeing anything on the TCP payload that is of use. Is encrypted. Is there any way I can log the ldaps traffic so I can see all the fields like (User=Administrator) or any other of the fields in the ldaps requests? Thanks.

0 Kudos

Go to solution
xuwen
MVP
MVP

‎04-Oct-2022 21:15

if ssl offload work on bigip(clientside ssl profile, client ldap), you can use CLIENTSSL_HANDSHAKE, CLIENTSSL_DATA irules event to collect decrypt payload

when CLIENTSSL_HANDSHAKE {
   # log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
   set hsl [HSL::open -proto UDP -pool syslogvip_pool]
   SSL::collect
}
when CLIENTSSL_DATA {
   # log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload"
   # log local0. "\[SSL::payload\]: [SSL::payload]"
   HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
   HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]"
   SSL::release
}

 

Go to solution
steve_michaels
Cirrus
Cirrus
In response to xuwen

‎05-Oct-2022 06:01

Thanks @xuwen . i tested with the local logging and it is showing the Bind DN of the LDAPS request. Just what we need.

0 Kudos
Copyright © 2023 Khoros, LLC