
iRule to log an output to syslog server.

Folks, I am looking for some changes to an iRule which will log an output to a syslog server directly. My iRule checks if the connection is on TLS1.0 and, if yes, logs the client IP address.

The change I need is to log this client IP to a syslog server.

Here is the iRule:

when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" } {
        log local0. "Webmail Client Source IP: [IP::client_addr]"
    }
}

Thanks!!!! N.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You want to use HSL - high-speed logging. You can do that either to a pool (of log servers) or via a publisher. Below is an example to a pool, but I'm sure you can work out how to send it to a publisher.

when HTTP_REQUEST { 
    if { [SSL::cipher version] eq "TLSv1" } { 
        set hsl [HSL::open -proto UDP -pool syslog_server_pool]
        HSL::send $hsl "Webmail Client Source IP: [IP::client_addr]" 
    } 
}

Take a look here for details of the HSL commands

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi N.,

you may take a look at the [HSL] (High Speed Logging) iRule command. The command will bypass the local SYSLOG-NG environment and directly open a connection to your SYSLOG out of an iRule...

https://devcentral.f5.com/wiki/iRules.HSL.ashx

when CLIENT_ACCEPTED {
    # Open a UDP based SYSLOG connection to your syslog server pool.
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
}
when HTTP_REQUEST { 
    if { [SSL::cipher version] eq "TLSv1" } then {
        # Log client IP as local7.info over the just created connection...
        HSL::send $hsl "<190> Webmail Client Source IP: [IP::client_addr]" 
    } 
}

Cheers, Kai

Comments on this Answer
Comment made 6 days ago by N. 249

Hi Kai, what does the <190> stand for?

Comment made 6 days ago by Kai Wilke 6661

Hi N.,

the <190> is a number indicating the Syslog message facility and severity. You may check the SYSLOG RFC for further information...

https://tools.ietf.org/html/rfc3164#section-4.1.1

Cheers, Kai
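
Added example, not part of the thread and not F5 code: a Python sketch of the receiving side that decodes the PRI prefix discussed in the comments above (PRI = facility * 8 + severity, RFC 3164) and counts TLS 1.0 clients from the logged lines. The sample datagrams are constructed, and the function names are this example's own; a line without a usable PRI, as the first answer's iRule would send, is treated as user.notice (13), the default RFC 3164 section 4.3.3 assigns.

```python
import ipaddress
import re
from collections import Counter

# RFC 3164 facility codes 0-23 and severity codes 0-7, in numeric order.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron "
              "authpriv ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()
DEFAULT_PRI = 13  # user.notice, used when the PRI is missing or unidentifiable

PRI_RE = re.compile(r"^<(\d{1,3})>")
IP_RE = re.compile(r"Webmail Client Source IP: (\S+)")

# Constructed sample datagrams, as a syslog receiver might see them.
SAMPLE = [
    "<190> Webmail Client Source IP: 192.0.2.10",
    "Webmail Client Source IP: 198.51.100.7",       # sent without a PRI
    "<190> Webmail Client Source IP: 192.0.2.10",
    "<999> Webmail Client Source IP: 203.0.113.5",  # PRI above 191 is invalid
    "<190> Webmail Client Source IP: not-an-ip",    # rejected by validation
]

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_line(line):
    """Return (facility, severity, client_ip or None) for one received line."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m and int(m.group(1)) <= 191 else DEFAULT_PRI
    facility, severity = decode_pri(pri)
    found = IP_RE.search(line)
    ip = None
    if found:
        try:
            ip = str(ipaddress.ip_address(found.group(1)))
        except ValueError:
            pass  # do not count values that are not valid addresses
    return facility, severity, ip

def tls10_clients(lines):
    """Count log hits per valid client IP across all lines."""
    return Counter(ip for _, _, ip in map(parse_line, lines) if ip)

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(tls10_clients(SAMPLE))
```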
