Forum Discussion
hooleylist
Dec 06, 2010Cirrostratus
Hi Brian,
In 10.1.0 or higher, you could use HSL to log directly to an external pool of syslog servers. You could do one log send in CLIENT_CLOSED with the client IP:port, SNAT IP:port, server IP:port:
From: http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html
when CLIENT_ACCEPTED {
set hsl [HSL::open -proto UDP -pool syslog_pool]
}
when SERVER_CONNECTED {
set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
HSL::send $hsl "<190> $log_line"
}
In 9.4.0 - 10.0.x you could use 'log -remote' for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
9.4.0 Added and parameters
Aaron