Forum Discussion
TJ_Vreugdenhil
Cirrus
Thanks Kevin - I ended up using the following and believe it's working.
From: W3C Extended Log File Examples (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ffdd7079-47be-4277-921f-7a3a6e610dcb.mspx?mfr=true
Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referrer)
This iRule will open up two connections to two syslog pools. The desire is to put one syslog server in each pool, so you can send the same syslog data to two pools.
when CLIENT_ACCEPTED {
# Open a new high speed logging connection to the syslog pool named syslog_server_pool
set hsl1 [HSL::open -proto UDP -pool syslog_server_pool]
set hsl2 [HSL::open -proto UDP -pool syslog_server_pool2]
}
when HTTP_REQUEST priority 999 {
# Save request variables that are not accessible in HTTP_RESPONSE, like the URI, request method, etc
set req_start [clock clicks -milliseconds]
set cs_username [HTTP::username]
set cs_uri_stem [HTTP::path]
set cs_uri_query [HTTP::query]
set cs_bytes [HTTP::header Content-Length]
set ua [HTTP::header User-Agent]
set cookies [HTTP::header values Cookie]
set referer [HTTP::header Referer]
}
when HTTP_RESPONSE {
# Send the syslog message with a syslog facility of 134 (local0.info)
# See the HSL wiki page for details on the facilities:
# https://devcentral.f5.com/wiki/iRules.HSL__send.ashx
# Replace null values with a hyphen:
# Use string map to replace a "tab space tab" with "tab hyphen tab"
HSL::send $hsl1 "[string map [list "\t \t" "\t-\t"]\
"<134>\t\
[info hostname]\t\
[IP::local_addr]\t\
[clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]\t\
[IP::client_addr]\t\
$cs_username\t\
[clientside {IP::local_addr}]\t\
$cs_uri_stem\t\
$cs_uri_query\t\
[HTTP::status]\t\
[HTTP::header Content-Length]\t\
[expr {[clock clicks -milliseconds] - $req_start}]\t\
[HTTP::version]\t\
\"$ua\"\t\
$cookies\t\
$referer\
"]\n"
HSL::send $hsl2 "[string map [list "\t \t" "\t-\t"]\
"<134>\t\
[info hostname]\t\
[IP::local_addr]\t\
[clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]\t\
[IP::client_addr]\t\
$cs_username\t\
[clientside {IP::local_addr}]\t\
$cs_uri_stem\t\
$cs_uri_query\t\
[HTTP::status]\t\
[HTTP::header Content-Length]\t\
[expr {[clock clicks -milliseconds] - $req_start}]\t\
[HTTP::version]\t\
\"$ua\"\t\
$cookies\t\
$referer\
"]\n"
}
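A receiving-side parser for the tab-delimited message the iRule above sends, as an added example that is not part of the original post. The field labels and the sample line are constructed here, and it assumes each backslash-newline inside the iRule's quoted string becomes a single space (standard Tcl behaviour), so every value arrives with a leading space. It refuses lines with the wrong column count, which is what a tab inside a client-supplied value such as User-Agent produces.

```python
# Labels chosen for this example, in the order the iRule sends the values.
FIELDS = ["pri", "hostname", "local_addr", "timestamp", "client_addr",
          "cs_username", "clientside_local_addr", "cs_uri_stem",
          "cs_uri_query", "sc_status", "content_length", "time_taken_ms",
          "http_version", "user_agent", "cookies", "referer"]

# Constructed sample: empty username, query, cookies and referer.
SAMPLE = ('<134>\t bigip1.example.test\t 10.0.0.5\t 11/11/2014 10:15:30 +0000'
          '\t 203.0.113.7\t-\t 192.0.2.10\t /index.html\t-\t 200\t 1024\t 12'
          '\t 1.1\t "Mozilla/5.0"\t-\t  \n')


def parse_hsl_line(line):
    """Return one iRule message as a dict; raise ValueError if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        # A tab inside a client-supplied value (URI, User-Agent, Cookie,
        # Referer) shifts every later column, so refuse the line.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = {}
    for name, raw in zip(FIELDS, parts):
        value = raw.strip(" ")  # drop the space left by backslash-newline
        # An empty last field has no tab after it, so it arrives as spaces
        # instead of the hyphen that string map writes for the others.
        record[name] = None if value in ("", "-") else value
    pri = record["pri"] or ""
    if not (pri.startswith("<") and pri.endswith(">") and pri[1:-1].isdigit()):
        raise ValueError("missing syslog priority")
    # 134 = facility 16 (local0) * 8 + severity 6 (info)
    record["facility"], record["severity"] = divmod(int(pri[1:-1]), 8)
    ua = record["user_agent"]
    if ua and len(ua) >= 2 and ua[0] == ua[-1] == '"':
        record["user_agent"] = ua[1:-1] or None  # iRule wraps it in quotes
    return record


if __name__ == "__main__":
    print(parse_hsl_line(SAMPLE))
```

Lines that raise ValueError are worth keeping in a separate file for review rather than dropping, since they mark requests whose header values contained a tab.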
Marvin
Nov 11, 2014
Cirrocumulus
What kind of syslog server did you use? I installed Kiwi syslog server, all logs are being sent to the server but nothing is displayed on the server. What syslog server do you recommend for the W3C logs?
Thanks