Logging iRule

Problem this snippet solves:

Here's a logging iRule. You'll need an HSL syslog pool to log to. Various bits gathered from other posts on DevCentral. Sharing in case there is interest.

Referenced DevCentral Question

We log to Splunk rsyslogd. If you do too, make sure your rsyslogd is set up to use the newer syslog format like RFC-3339 including milliseconds and timezone info.

Sidenote: it sure would be nice if native F5 logging would include milliseconds and timezone. :)

Now updated to include Country (co) and to log individual request times for each request on an HTTP/1.1 connection.

Uses upvar and proc. I've tested on 11.6.0 - 13.1.0.8

How to use this snippet:

Add this iRule to whatever virtual hosts you desire. I always add it as the first rule. If you have a rule that sets headers you want to track, you may want this after the rule that sets headers.

Interesting Splunk queries can be created like:

index=* perflog | timechart avg(cpu_5sec) by host limit=10

to show load across multiple F5s.

index=* perflog | timechart max(upstream_time) by http_host limit=10

to show long request times by http_host

Tested on Version:
13.0
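
The iRule itself is not reproduced on this page. As an added example (not the author's code), the following iRule shows the techniques the description names: an HSL pool referenced through a static variable, a proc using upvar, per-request timing on a keep-alive connection, and a whereis country lookup. The pool name, the field layout, the definitions of upstream_time, http_time and tcp_time, and the clean proc are assumptions.

```tcl
# Added example, not the author's iRule. Pool name, field set and the
# timing definitions are assumptions made for illustration.
when RULE_INIT {
    # Pool name kept in a static variable instead of a literal in HSL::open.
    set static::perflog_pool "hsl_syslog_pool" ;# hypothetical pool name
}
proc elapsed_ms { start_var } {
    # upvar binds to the caller's variable by name; returns ms since it was set.
    upvar 1 $start_var start
    return [expr { [clock clicks -milliseconds] - $start }]
}
proc clean { value } {
    # Request data is client-controlled: drop CR/LF and replace quotes so a
    # header or URI cannot forge extra fields or extra syslog lines.
    return [string map [list "\r" "" "\n" "" "\"" "'"] $value]
}
when CLIENT_ACCEPTED {
    set tcp_start [clock clicks -milliseconds]
    set hsl [HSL::open -proto UDP -pool $static::perflog_pool]
    set vs [virtual name]
    set client [IP::client_addr]
    set co [whereis $client country]
}
when HTTP_REQUEST {
    # Reset on every request so each request on a keep-alive connection
    # gets its own timing.
    set http_start [clock clicks -milliseconds]
    set req "http_host=\"[call clean [HTTP::host]]\""
    append req " method=\"[call clean [HTTP::method]]\""
    append req " uri=\"[call clean [HTTP::uri]]\""
}
when HTTP_REQUEST_SEND {
    # Assumed definition: upstream_time starts when the request goes to the pool member.
    set upstream_start [clock clicks -milliseconds]
}
when HTTP_RESPONSE {
    # Both timers stop at the response headers, not at the end of the body.
    set upstream_time [call elapsed_ms upstream_start]
    set http_time [call elapsed_ms http_start]
    # <190> is syslog priority local7.info.
    HSL::send $hsl "<190> perflog virtual=\"$vs\" client=$client co=$co $req status=[HTTP::status] upstream_time=$upstream_time http_time=$http_time"
}
when CLIENT_CLOSED {
    HSL::send $hsl "<190> perflog virtual=\"$vs\" client=$client co=$co tcp_time=[call elapsed_ms tcp_start]"
}
```
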
Comments on this Snippet
Comment made 1 month ago by H.W.Huang 0

Such a useful iRule, thank you very much!

And I suggest making some changes to help us understand:

total_time ----> total_http_time

tcp_time ----> total_tcp_time

Comment made 1 month ago by TimRiker 19

Thanks for the suggestions! I renamed total_time to http_time as that's what it represents. I've also added logging of some relevant headers from both the request (req-) and response (res-). We add a few more to that list that are relevant inside our networks.

I updated the iRule here with my changes.

I added logging the co (country) of the upstream request using the F5 whereis IP geo tables.

Comment made 2 weeks ago by TimRiker 19

Moved the HSL pool name to a static to avoid marking the virtual server up based on hsl pool status

https://support.f5.com/csp/article/K14505
