Forum Discussion
The iRule will send the original client IP along with the HTTP method and requested path to the local syslog, which is writing into /var/log/ltm. In case you also have configured a remote syslog server, it will show up there as well.
In most environments its the preferred method to insert the X-Forwarded-For on the load balancer and to consolidate the server logs. On the servers its required to change the logging directive so its tracking the IP address provided in the X-Forwarded-For header instead of the IP address of the IP header (which is the serverside SNAT inserted by the BIG-IP).
If you lookup server logs, you will notice, that a log entry contains information both of the request and the response (i.e. status code), this can be accomplished as well.
This would require to store request information of your choise (i.e. the clients original IP address) in a variable in the context of the HTTP_REQUEST event and to write this information in the context of the HTTP_RESPONSE event along with i.e. status code, content type, content length to the logs.
is this how the logs in var/log/ltm look like.
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/css/styles.css;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm5[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/inc_navigator_utility.js;client_ip=10.50.50.144
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/js/script_login_utility.js;client_ip=10.50.50.144
Jul 7 23:57:07 OC1-BIGIP-F5LTM-T1 info tmm7[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=10.50.50.144
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/;client_ip=10.50.50.144
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-
or can you give me a sample of how exactly the true client IP logs look like in. I just configured the irule and attached it to the virtual server. tried accessing the URL and looked for the client IP address, but couldn't find one. Do I need to use the any filter or grep to look ?
I tried filtering with Virtual server IP address and true client IP address and still couldn't find anyone of that.
- Jul 08, 2022
Hi mohammed5370, it looks like the BIG-IP is seeing the 10.50.50.144 as client IP address only.
This is, because there is only one client (10.50.50.144) requesting your service or (more likely) all incoming client requests go through a proxy or other device first, which applies a hiding NAT.
So there is little to no chance to see the actual client IP address.
But perhaps this device in front of your BIP-IP is inserting an X-Forwarded-For header? If this would be the case, you can log its value:
when HTTP_REQUEST { log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[HTTP::header value X-Forwarded-For]" }