Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

VIP Client Logging "Not RFC1918"

Go to solution
bwilliam
Cirrus
Cirrus

‎06-May-2021 07:41

Hi, I have gone through the dev/central site and found an irule capturing VIP client connections . The problem I have is that I don't need to log internal IP space or RFC1918 networks. I want to log all other public IP client connections.

 

This is the irule I am using. This is my first time working with any programming language and I cant see how the logic will flow.

 

when HTTP_REQUEST {  log local0. "clientIP:[IP::client_addr] accessed  [HTTP::host][HTTP::uri]" ]

 

Labels:
1 ACCEPTED SOLUTION

Go to solution
bwilliam
Cirrus
Cirrus

‎11-May-2021 07:13 - last edited on ‎21-Nov-2022 16:18 by Fog

Thank you Alex for the response. I ended up going with this irule. Initially after applying the irule I was still logging the private networks. What I found is that I had to surround the private_net with quotes. After doing this I only saw public networks.

 

Now I need to send it to a remote syslog instead of logging local0. I just have to research how those lines of code will look like.

 

when HTTP_REQUEST {
  if { not ([class match [IP::client_addr] equals "private_net"])} {
 
  log local0. "clientIP:[IP::client_addr] accessed
  [HTTP::host][HTTP::uri]"}
}

 

View solution in original post

3 REPLIES 3

Go to solution
AlexBCT
MVP
MVP

‎06-May-2021 11:43

First of all, congrats on your first dip in the iRules pool! 🙂

 

A couple of suggestions;

  • The bracket on line 4 should be a curly bracket } instead of a square bracket, this is the closing bracket for the one on line 1.
  • The log statement should work the way you have it at the moment, and will log the client address, as well as the full URL.
  • If you want to add the logic to only look for non-private IP's, you can add an "if" statement, similar to this one (the "private_net" is a data group that's already configured on the system with the private IP ranges in it);

 

when HTTP_REQUEST {

if { !([class match [IP::client_addr] equals private_net])} {

log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"

}

}

 

Hope this helps.

0 Kudos

Go to solution
bwilliam
Cirrus
Cirrus

‎11-May-2021 07:13 - last edited on ‎21-Nov-2022 16:18 by Fog

Thank you Alex for the response. I ended up going with this irule. Initially after applying the irule I was still logging the private networks. What I found is that I had to surround the private_net with quotes. After doing this I only saw public networks.

 

Now I need to send it to a remote syslog instead of logging local0. I just have to research how those lines of code will look like.

 

when HTTP_REQUEST {
  if { not ([class match [IP::client_addr] equals "private_net"])} {
 
  log local0. "clientIP:[IP::client_addr] accessed
  [HTTP::host][HTTP::uri]"}
}

 

Go to solution
AlexBCT
MVP
MVP
In response to bwilliam

‎11-May-2021 12:33

Ahyes, sorry I missed that.

Regarding sending to remote log, have a look at HSL logging; https://clouddocs.f5.com/api/irules/HSL__open.html

This is the most efficient way to send logs to remote servers.

0 Kudos
Copyright © 2023 Khoros, LLC