log
44 Topics

APM - How to configure logging of snat addresses for network access and app tunnels
Hello everyone, we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources. For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM. Currently, the following request information is logged.

Network Access:

    May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22

App Tunnels:

    May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2

For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP. In our setup, both requests will be NATed by APM before hitting the target system (through a SNAT pool in the case of a Network Access request, through the active appliance's backend IP in the case of App Tunnels). Therefore, the APM self IPs (SNAT pool/appliance backend) will be logged on the target host, so we are not able to correlate logs in APM with logs on the target systems. Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM? I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information; unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources. Thank you, Fabian

How to ensure BIG-IQ can keep log from F5 AWAF for 90 day?
Hi, I configured the F5 AWAF logging profile to send all requests to BIG-IQ. How do I ensure BIG-IQ can keep the logs from F5 AWAF for 90 days? Do I need to modify some default configuration on BIG-IQ CM, or just leave it at the default? Kridsana

F5 Sending syslogs with two hostname to remote syslog server
Hi All, we have F5 devices (LTM + AFM), and we configured the Splunk syslog server via a Linux syslog server as forwarder. On the Linux server each F5 is creating two syslog files, one with just the host name and another one with the FQDN. Both are different logs, not duplicates. I am not sure where to merge them or make it a single file; can anyone guide me please?

Query on GTM irule based on Pool Availability
Hello, I am a very beginner at iRule creation. In GTM I tried to create an iRule as below, but I am getting an error. Our intention is to reroute the DNS query to a different pool based on client IP and pool availability.

Condition:
If the client IP matches and the pool is available, then it needs to go to the normal pool.
If the client IP matches and the pool is not available, then it needs to go to the failback pool.

Pool EUR_LDS0_ITHUBPR_POOL with TTL 300
Pool GLOBAL_LDS0_POOL with TTL 300
Pool GLOBAL_FAILBACK_LDS0_POOL with TTL 60

    when DNS_REQUEST {
        if { [IP::addr [IP::client_addr] equals 10.235.24.64/27] } {
            # client is in the matching range: use the normal pool while it has
            # active members, otherwise fall back
            if { [active_members EUR_LDS0_ITHUBPR_POOL] > 0 } {
                pool EUR_LDS0_ITHUBPR_POOL
            } else {
                pool GLOBAL_FAILBACK_LDS0_POOL
            }
        } else {
            # all other clients go to the global pool
            pool GLOBAL_LDS0_POOL
        }
    }

Appreciate any help on this.

iRule causing http connection resets
I have an iRule that is set up to do redirects based on host and URI. Whenever I try to access sites on the virtual server that the iRule is attached to, I immediately get a "connection reset" error in the browser. Fiddler shows "[Fiddler] ReadResponse() failed: The server did not return a complete response for this request. Server returned 0 bytes." I've turned on RST logging and attached a screenshot of the relevant section of the log. aaa.aaa.aaa.aaa is the main external IP address (no virtual servers assigned to it). bbb.bbb.bbb.bbb is the external IP address of the virtual server having the issue. This is a virtual edition running in Azure. Any ideas?

    Jun2 18:03:50 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from aaa.aaa.aaa.aaa:30968 to 169.254.169.254:80, [0x29da995:271] {peer} handshake timeout
    Jun2 18:03:50 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from 169.254.169.254:80 to aaa.aaa.aaa.aaa:54230, [0x29da995:271] handshake timeout
    Jun2 18:03:51 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[3451]: 0118000a:4: The Service Check Date check was skipped.
    Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
    Jun2 18:03:53 nameofF5VE warning tmm2[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:61481 -> bbb.bbb.bbb.bbb:443
    Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:61481, [0x2a155c4:1878] iRule execution error
    Jun2 18:03:53 nameofF5VE err tmm1[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
    Jun2 18:03:53 nameofF5VE warning tmm1[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:37962 -> bbb.bbb.bbb.bbb:443
    Jun2 18:03:53 nameofF5VE err tmm1[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:37962, [0x2a155c4:1878] iRule execution error
    Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
    Jun2 18:03:53 nameofF5VE warning tmm2[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:44158 -> bbb.bbb.bbb.bbb:443
    Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:44158, [0x2a155c4:1878] iRule execution error
    Jun2 18:03:56 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30653]: 0118000a:4: The Service Check Date check was skipped.
    Jun2 18:03:59 nameofF5VE err tmm1[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
    Jun2 18:03:59 nameofF5VE warning tmm1[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:14261 -> bbb.bbb.bbb.bbb:443
    Jun2 18:03:59 nameofF5VE err tmm1[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:14261, [0x2a155c4:1878] iRule execution error
    Jun2 18:04:01 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30652]: 0118000a:4: The Service Check Date check was skipped.
    Jun2 18:04:05 nameofF5VE err tmm[17730]: 01230140:3: RST sent from aaa.aaa.aaa.aaa:29511 to 169.254.169.254:80, [0x29da995:271] {peer} handshake timeout
    Jun2 18:04:05 nameofF5VE err tmm[17730]: 01230140:3: RST sent from 169.254.169.254:80 to aaa.aaa.aaa.aaa:54348, [0x29da995:271] handshake timeout
    Jun2 18:04:06 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30653]: 0118000a:4: The Service Check Date check was skipped.

Blocking Traffic based on Geo Location
I have a requirement to block traffic to a particular https path (page) via an iRule on the WAF device, in order to restrict access to the below URL from every geo location other than Thailand. Can someone help on this? I have written the below iRule.

    when HTTP_REQUEST {
        # HTTP::uri holds only the path (and query string), never the scheme
        # and host, so the host and the path have to be checked separately
        if { [string tolower [HTTP::host]] equals "abc.com" && [string tolower [HTTP::uri]] starts_with "/job-request/" && [whereis [IP::client_addr] country] ne "TH" } {
            drop
        } else {
            #log local0. "The page is restricted"
        }
    }

How to bypass log 1024 byte limit / truncation
I'm trying to log the content of excessively long Cookie HTTP headers, per the instructions in some questions such as:

https://devcentral.f5.com/questions/logging-http-header-that-is-longer-than-the-maximum-allowed
https://devcentral.f5.com/questions/problem-with-irule-that-logs-excessive-http-header-lengths
https://devcentral.f5.com/questions/log-connections-that-exceed-maximum-header-size

All of these are supposed to log the full content of the header; that's the point of them. But the log command goes through the local syslog-ng, and (per https://devcentral.f5.com/wiki/iRules.log.ashx) truncates messages at 1024 bytes. I found a few mentions that HSL may not have this limitation, but unfortunately my dev/test load balancer is running 9.4.7, so that's not possible. The production boxes are running 10.1.0, but I'm sort of hesitant to make my first use of HSL without testing it in a safe place. Is there any way to just dump this to disk somewhere, or any other way to bypass syslog?

irule to redirect traffic to multiple pools
All, we have one VIP which is redirecting traffic to multiple pools via an iRule. Rule:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals xxxx] } {
            pool xxxx
        } elseif { [class match [IP::client_addr] equals zzzz] } {
            pool zzzz
        } elseif { [class match [IP::client_addr] equals yyyy] } {
            pool yyyy
        } else {
            #log local0. "Default pool (drop): [IP::client_addr]-->[LB::server]"
            drop
        }
    }

All pools have the same pool member (IP) but the ports are different. Now we need to add one more pool member, not for load balancing, but so that it receives the traffic at the same time. I have prepared one iRule for that:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals test_1234] } {
            pool test
            pool test2
        } else {
            #log local0. "Default pool (drop): [IP::client_addr]-->[LB::server]"
            drop
        }
    }

But I am not seeing traffic in both of the pools. Could someone check the code and let me know the correct way to do this?

Is it possible to set multiple IPs in the Source IP Address of the advanced ASM Event log search?
Hi, I want to exclude a couple of IPs from the event logs I am looking at. I can set the drop-down to 'is not' for the Source IP field and enter one IP address, removing this one IP from the event logs I am searching. Is there an operator or something similar that I can use to separate multiple IPs, to remove more than one IP from the event logs? Thank you. Kind regards, Chris