Sending HSL data in json format.

Akshay_SK
Nimbostratus

Just wanted to know if data can be sent via HSL in JSON format, as below:

 

HSL::send $hsl "{ "Attacker_IP":$remoteip, "Destination_IP":[IP::local_addr], "User-Agent":$useragent, "ISP":$isp, "Country":$country, "Original_Domain":[HTTP::host], "Original_URI":[HTTP::uri], "Fully_decoded_URI":$decodedUri, "Timestamp":$timestamp, "XFF_Header":[HTTP::header X-Forwarded-For]}"

 

Is there some other way to achieve this?

1 ACCEPTED SOLUTION

One example of how to configure this.

 

1.- Configure iRule.

when SERVER_CONNECTED {
    # Open a handle to the HSL publisher defined in step 2.
    catch { set hsl [HSL::open -publisher /Common/HSL_PUB] }

    # Connection details from both sides of the proxy. These variables are
    # not used by the send below, which calls the same commands inline.
    set timestamp [clock clicks -milliseconds]
    set cs_client_ip [clientside {IP::remote_addr}]
    set cs_client_port [clientside {TCP::remote_port}]
    set cs_server_ip [clientside {IP::local_addr}]
    set cs_server_port [clientside {TCP::local_port}]
    set ss_client_ip [serverside {IP::local_addr}]
    set ss_client_port [serverside {TCP::local_port}]
    set ss_server_ip [serverside {IP::remote_addr}]
    set ss_server_port [serverside {TCP::remote_port}]

    # Every double quote inside the JSON body is backslash-escaped so that
    # Tcl treats the whole message as a single string.
    catch {
        HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
    }
}

2.- Configure HSL_PUB

sys log-config destination remote-high-speed-log HSL_SRV {
    pool-name P-WEB1_80
    protocol udp
}
sys log-config publisher HSL_PUB {
    destinations {
        HSL_SRV { }
    }
}

3.- Apply iRule to the VS and generate traffic.

 

---

 

After capturing the traffic output, this is the result.

13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
E....?@..... .()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

Let me know if this helps.

 

KR,

Dario.

Regards,
Dario.
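
The accepted solution interpolates only IP addresses and ports, which cannot contain quotes. The fields in the original question (User-Agent, URI, X-Forwarded-For) are client-controlled, and a double quote, backslash or newline in any of them would break the JSON record or let a client forge extra fields in the log. The following is an added example, not part of the original thread: it escapes those values before sending. `json_escape` is a hypothetical helper name, and the sketch assumes a TMOS version that supports `proc`/`call` in iRules and the `/Common/HSL_PUB` publisher from step 2.

```tcl
# Added example: escape request-derived values before building the JSON string.
# json_escape is a hypothetical helper, not an F5 built-in.
proc json_escape { value } {
    # string map makes a single pass over the input, so the backslashes it
    # inserts are not themselves escaped again.
    set value [string map [list "\\" "\\\\" "\"" "\\\"" "\n" "\\n" "\r" "\\r" "\t" "\\t"] $value]
    # JSON forbids raw control characters inside strings; drop any that remain.
    regsub -all {[[:cntrl:]]} $value {} value
    return $value
}

when CLIENT_ACCEPTED {
    # Open the publisher once per connection.
    set hsl [HSL::open -publisher /Common/HSL_PUB]
}

when HTTP_REQUEST {
    # Client-controlled fields: always escape before interpolating.
    set ua   [call json_escape [HTTP::header value "User-Agent"]]
    set host [call json_escape [HTTP::host]]
    set uri  [call json_escape [HTTP::uri]]
    set xff  [call json_escape [HTTP::header value "X-Forwarded-For"]]

    # Addresses and the timestamp are generated by the BIG-IP and need no escaping.
    HSL::send $hsl "{\"Attacker_IP\":\"[IP::client_addr]\",\"Destination_IP\":\"[IP::local_addr]\",\"User-Agent\":\"$ua\",\"Original_Domain\":\"$host\",\"Original_URI\":\"$uri\",\"XFF_Header\":\"$xff\",\"Timestamp\":\"[clock clicks -milliseconds]\"}"
}
```

On the receiving side, parse every datagram with a strict JSON parser and alert on parse failures; a record that fails to parse points to a field that was sent without escaping.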


6 REPLIES

Hello Akshay

 

Sure, you can. Let's try something like this:

HSL::send $hsl "{\"TIMESTAMP\":\"[clock clicks -milliseconds]\",\"CLIENT\":\"$client_ip\", ... }"

KR,

Dario.

Regards,
Dario.

BTW, you have the chance to use a faster solution for logging HSL with request-logging profiles. That includes some useful variables, and it's possible to expand this variable set by referencing any HTTP header (note that any variable could be included as an HTTP header using iRules).

 

REF - https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-imple...

 

KR,

Dario.

Regards,
Dario.

The first option doesn't seem to be working.


This worked for me. Thanks Dario!

Glad to hear this.

 

Please, don't forget to mark the answer as "the best".

 

KR,

Dario.

Regards,
Dario.