Here's a logging iRule. You'll need a HSL syslog pool to log too. Various bits gathered from other posts on DevCentral. Sharing in case there is interest.
Referenced DevCentral Question
We log to Splunk rsyslogd. If you do too, make sure your rsyslogd is setup to use the newer syslog format like RFC-3339 including milliseconds and timezone info.
Sidenote: it sure would be nice if native F5 logging would include milliseconds and timezone. :)
Now updated to include Country (co) and to log individual request times for each request on a HTTP/1.1 connection.
Uses upvar and proc. I've tested on 11.6.0 - 18.104.22.168
Add this iRule to whatever virtual hosts you desire. I always add it as the first rule. If you have a rule that sets headers you want to track, you may want this after the rule that sets headers.
Interesting Splunk queries can be created like:
index=* perflog | timechart avg(cpu_5sec) by host limit=10
to show load across multiple F5s.
index=* perflog| timechart max(upstream_time) by http_host limit=10
to show long request times by http_host
so usefull iRulse , Thank you very much!
and I suggest make some change to help us to understanding:
total_time ----> total_http_time
tcp_time ----> total_tcp_time
Thanks for the suggestions! I renamed total_time to http_time as that's what it represents. I've also added logging of some relevant headers from both the request (req-) and response (res-). We add a few more to that list that are relevant inside our networks.
I updated the iRule here with my changes.
I added logging the co (country) of the upstream request using the f5 whereis IP geo tables.
Moved the HSL pool name to a static to avoid marking the virtual server up based on hsl pool status