So do you want to log which server the 400 response was received from--regardless of which one it was? If so, this example will log the client and server IPs and the requested URI for all 400 responses. If that's not what you're after, can you clarify again?
when HTTP_REQUEST {
    # Save the URI to log if the response is a 400
    set uri [HTTP::uri]
}
when HTTP_RESPONSE {
    # Check if HTTP response status is a 400
    if {[HTTP::status] == 400}{
        # Log the client and server IP addresses and the URI
        log local0. "[IP::client_addr] -> [IP::server_addr] for $uri generated 400 response"
    }
}
Aaron