Forum Discussion
CirrusiRule to log traffic details
Hi,
I want to log below information to syslog via iRule
Request headers including e.g. tap-*, X-* (e.g. X-Forwarded-For & X-Forwarded-Port )
src IP
src Port
request url
referral url
method
response
sessionid
x_uri (assume included from F5)
timestamp (ms granular)
Any one has iRule handy for this or covers partially?
Thank you,
Hi yadgayan ,
U can use this :when HTTP_REQUEST { log local0. "HTTP Method = [HTTP::method]" log local0. "HTTP URI = [HTTP::uri]" log local0. "HTTP Path = [HTTP::path]" log local0. "HTTP Query = [HTTP::query]" log local0. "HTTP Version = [HTTP::version]" log local0. "HTTP Host Header = [HTTP::host]" log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]" } when HTTP_RESPONSE { log local0. "HTTP Status = [HTTP::status]" log local0. "HTTP version = [HTTP::version]" log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]" }- you can remove any info you don't want to log it.
refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592
I haven't tested this irule , but it should work.
By the way : you can use High speed logging ( HSL ), it's pretty good to use :
https://my.f5.com/manage/s/article/K00847516
I hope this helps u 🙂Thanks Mohamed_Ahmed_Kansoh
I modified and made a single log entry to achieve my goal. But thanks a lot for the direction.
8 Replies
Hi yadgayan ,
U can use this :when HTTP_REQUEST { log local0. "HTTP Method = [HTTP::method]" log local0. "HTTP URI = [HTTP::uri]" log local0. "HTTP Path = [HTTP::path]" log local0. "HTTP Query = [HTTP::query]" log local0. "HTTP Version = [HTTP::version]" log local0. "HTTP Host Header = [HTTP::host]" log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]" } when HTTP_RESPONSE { log local0. "HTTP Status = [HTTP::status]" log local0. "HTTP version = [HTTP::version]" log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]" }- you can remove any info you don't want to log it.
refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592
I haven't tested this irule , but it should work.
By the way : you can use High speed logging ( HSL ), it's pretty good to use :
https://my.f5.com/manage/s/article/K00847516
I hope this helps u 🙂- yadgayan
i added all into single.
when HTTP_REQUEST {
log local0. "HTTP Method = [HTTP::method] Client = [IP::client_addr] HTTP URI = [HTTP::uri] HTTP Path = [HTTP::path] HTTP Query = [HTTP::query] HTTP Version = [HTTP::version] HTTP Host Header = [HTTP::host] HTTP User Agent Header = [HTTP::header value "user-agent"] Session_ID=[ACCESS::session data get session.user.sessionid] Assigned PPP Dynamic IPv4: [ACCESS::session data get session.assigned.clientip] NA Resource: [ACCESS::session data get session.assigned.resources.na] Client IP: [ACCESS::session data get session.user.clientip]"
}
when HTTP_RESPONSE {
log local0. "HTTP Status = [HTTP::status] HTTP version = [HTTP::version] HTTP Content Length Header = [HTTP::header value "content-length"]"
}
will this cover all?
yadgayan ,
yes all in same irule , this will be good.
but monitor your system resources utilization ( CPU , Memory )
Go to Statistics >>> Performance report >>>> then have a look in CPU & memory graphs and curves after adding this irule.
it's recommended to monitor that because irules consumes cpu cycles .
- yadgayan
its working but how i log meta of a session (e.g. cookie, transaction)?
yadgayan ,
you can log cookie info by this way in the following article :
https://community.f5.com/t5/technical-forum/log-the-http-cookie-name-value-and-path-using-irule/td-p/112783
I don't understand what do you mean by transaction ?
Transaction means >>>> HTTP request and u already log ( methods , headers , cookies , ips , .... )
so what is the transaction do you want to log ?
- LiefZimmerman
Admin
yadgayan - If your post was solved it would be helpful to the community to select Accept As Solution.
Thanks for joining and being part of our community. - yadgayan
Thanks Mohamed_Ahmed_Kansoh
I modified and made a single log entry to achieve my goal. But thanks a lot for the direction.
- LiefZimmerman
Since there was a bit of modification on the original suggestion I've also accepted your clarification as part of the solution.
Thanks for following up.
