cancel
Showing results for 
Search instead for 
Did you mean: 

TCP Rewrite Rule used in Syslog TCP

Maximiliano_C
Nimbostratus
Nimbostratus

Hi Dev/Central community!

I've a SIEM with two syslog/tcp recievers (Let's name it R1 and R2). I 've created a VS to listen a 514/TCP, recieve the Syslog TCP message and send it to R1. In case R1 is down, the VS will send the Syslog TCP message to R2. As my SIEM assign a tag to each message recieved with the client IP, I need to rewrite the syslog message before send it to the R1 or R2 receivers (because I see the f5 self ip as client IP in the recievers). So, I've writed an iRule to rewrite the header of each syslog message before send it.

this is my irule so far:

 

when CLIENT_ACCEPTED {     # Tomo la IP del cliente que se conecta al VS / Get the client IP connecting to the VS     set ip_original [IP::remote_addr]     # Tomo el Payload y la paso al siguiente nivel / Get the tcp payload to send it to Client Data     TCP::collect     log local0. "Client Accepted from $ip_original" } when CLIENT_DATA {     set OrgininalTCPLength [TCP::payload length]     # Primer <PRI> del payload / Try to detect <PRI> header in very first payload bytes    regsub {^<\d+>} [TCP::payload] "\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string     # CRLF 0d0a \r\n + <PRI> / Look for another syslog message in the same TCP Payload    regsub -all {\r\n<\d+>} $string "\r\n\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string     set len [TCP::payload length]     TCP::payload replace 0 $len $string     set ModifiedTCPLength [TCP::payload length]     # Se pasa el Payload al siguiente nivel / Send the modified payload to the next level     log local0. "Forwarindg message from $ip_original \t original length: $OrgininalTCPLength \t modified length: $ModifiedTCPLength"     TCP::release     #Preparo una nueva recoleccion / Get ready for a new collection    TCP::collect }

 

The iRule works like a charm, but in some very little times, it seem to doesn't rewrite the message...

Any clue/ideas/troubleshooting tips?

 

Regards,

Max

 

 

0 REPLIES 0