Need assistance with writing an iRule to log all traffic flow. Support suggested that this should be done rather than making changes to the syslog-ng file. I've tried making changes to the syslog-ng file with no luck. Please let me know if this is worth pursuing or whether I should go back to the syslog-ng file.

I'm looking to log source and destination IP addresses along with the corresponding ports.

Thanks

56 Answer(s):

Hi,

You can use iRules to log the requests and syslog-ng to parse them. Here are some example rules and syslog-ng changes:

=======================================================

1. HTTP logger rule:


when HTTP_REQUEST {
# set the URL here, log it on the response
set url [HTTP::header Host][HTTP::uri]
set vip [IP::local_addr]:[TCP::local_port]
}

when HTTP_RESPONSE {
set client [IP::client_addr]:[TCP::client_port]
set node [IP::server_addr]:[TCP::server_port]
set nodeResp [HTTP::status]

# log connection info (keep a space between $vip and $url so the VIP port
# cannot run into a Host header that starts with a digit)
log local0.info "Client: $client -> VIP: $vip $url -> Node: $node with response $nodeResp"
}


=======================================================

2. TCP logger rule:


when CLIENT_ACCEPTED {
set vip "[IP::local_addr]:[TCP::local_port]"
set client "[IP::client_addr]:[TCP::client_port]"
}

when SERVER_CONNECTED {
set node "[IP::server_addr]:[TCP::server_port]"
}

when CLIENT_CLOSED {
# log connection info; the client can close before a server-side
# connection exists, in which case $node was never set
if { [info exists node] } {
log local0.info "Client $client -> VIP: $vip -> Node: $node"
} else {
log local0.info "Client $client -> VIP: $vip -> Node: none (no server connection)"
}
}



=======================================================

3. UDP logger rule:


when CLIENT_ACCEPTED {
set vip "[IP::local_addr]:[UDP::local_port]"
set client "[IP::client_addr]:[UDP::client_port]"
}

when SERVER_CONNECTED {
set node "[IP::server_addr]:[UDP::server_port]"
}

when CLIENT_CLOSED {
# log connection info; guard against a flow that ended before a server side existed
if { [info exists node] } {
log local0.info "Client $client -> VIP: $vip -> Node: $node"
} else {
log local0.info "Client $client -> VIP: $vip -> Node: none (no server connection)"
}
}


=======================================================

Associate the TCP, UDP and HTTP rules with the respective virtual servers that you want to log connections for. You can enable a rule for a virtual server under the Resources tab for each virtual server. You will need to make sure that the rule matches the type for each virtual server. For example, you can use the TCP or HTTP rules on an HTTP virtual server. However, you cannot associate a UDP rule unless there is a UDP profile associated with the virtual server.

These rules will log to syslog-ng's local0 facility with the following format:

Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger <HTTP_RESPONSE>: Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200


You can then configure syslog-ng to parse local0.info entries that contain "logger" and send them to a remote syslog server by making the following changes to the /etc/syslog-ng/syslog-ng.conf file.

=======================================================


1. Add: local0.info filter, destination and log statements:


# local0.info send logger entries to remote syslog server
filter f_local0.info {
facility(local0) and level(info) and match("logger");
};

# destination can be a hostname or IP address
destination d_logger {
tcp("syslog.myhost.com" port (5000));
};

log {
source(local);
filter(f_local0.info);
destination(d_logger);
};


2. Add: and not match("logger") to local0.* to exclude the logger entries from being written to file


# local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg) and not match("logger");
};

destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};

log {
source(local);
filter(f_local0);
destination(d_ltm);
};


For more complete documentation on syslog-ng, you can refer to their site:

http://www.balabit.com/products/support/syslog-ng/

Or here:

http://www.iso.port.ac.uk/docs/downloaded/syslog-ng.html/book1.html

Aaron
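
An added example, not code from the thread or from F5: a parser that turns the lines the HTTP and TCP/UDP logger rules above write into structured records with the source and destination IP addresses and ports the original question asked for, and keeps anything that does not parse (for instance a TCL runtime error from the rule) in a separate list so it can be alerted on. It assumes the HTTP logger's log statement separates the VIP and the URL with a space ("VIP: <ip>:<port> <host><uri>"); the sample lines are constructed, and the prefix regex goes slightly beyond the answer above by accepting both the 9.x ("tmm tmm[730]:") and the 10.x ("local/tmm info tmm[4601]:") syslog headers that appear later in this thread.

```python
"""Parse BIG-IP iRule logger lines into structured connection records.

Added example, not part of the original DevCentral thread. Assumes the HTTP
logger writes "VIP: <ip>:<port> <host><uri>" with a space between the VIP
and the URL. SAMPLE_LOG is constructed, not captured from a real device.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample input: a 9.x-style and a 10.x-style logger line, plus a
# TCL runtime error that a parser must report rather than silently drop.
SAMPLE_LOG = """\
Mar  1 08:34:01 tmm tmm[730]: Rule HTTP_logger <HTTP_RESPONSE>: Client: 192.168.42.26:4746 -> VIP: 172.25.2.12:80 www.example.com/index.html -> Node: 172.25.2.233:80 with response 200
Oct 18 22:19:40 local/tmm info tmm[4601]: Rule TCP_logger <CLIENT_CLOSED>: Client 192.168.42.27:50112 -> VIP: 172.25.2.12:443 -> Node: 172.25.2.234:8443
Oct 18 22:19:41 local/tmm err tmm[4601]: 01220001:3: TCL error: Rule TCP_logger <CLIENT_CLOSED> - can't read "node": no such variable
"""

# syslog header written by tmm, then the fixed "Rule <name> <EVENT>: " prefix
# that the iRule log command puts in front of the message text
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?tmm\[\d+\]: "
    r"Rule (?P<rule>\S+) <(?P<event>[A-Z_]+)>: (?P<msg>.*)$"
)


def _ep(name: str) -> str:
    """Regex for an '<ipv4>:<port>' endpoint with named groups."""
    return rf"(?P<{name}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}):(?P<{name}_port>\d{{1,5}})"


# HTTP logger: "Client: a:p -> VIP: a:p host/uri -> Node: a:p with response NNN"
HTTP_MSG = re.compile(
    rf"^Client: {_ep('client')} -> VIP: {_ep('vip')} (?P<url>\S+)"
    rf" -> Node: {_ep('node')} with response (?P<status>\d{{3}})$"
)
# TCP/UDP logger: "Client a:p -> VIP: a:p -> Node: a:p"
L4_MSG = re.compile(rf"^Client {_ep('client')} -> VIP: {_ep('vip')} -> Node: {_ep('node')}$")


@dataclass(frozen=True)
class Flow:
    timestamp: str
    rule: str
    event: str
    client: Endpoint
    vip: Endpoint
    node: Endpoint
    url: Optional[str] = None
    status: Optional[int] = None


def parse_line(line: str) -> Optional[Flow]:
    """Parse one logger line; return None for anything that is not one."""
    head = PREFIX.match(line.rstrip("\n"))
    if not head:
        return None
    body = HTTP_MSG.match(head["msg"]) or L4_MSG.match(head["msg"])
    if not body:
        return None
    g = body.groupdict()
    return Flow(
        timestamp=head["ts"],
        rule=head["rule"],
        event=head["event"],
        client=(g["client_ip"], int(g["client_port"])),
        vip=(g["vip_ip"], int(g["vip_port"])),
        node=(g["node_ip"], int(g["node_port"])),
        url=g.get("url"),
        status=int(g["status"]) if g.get("status") else None,
    )


def parse_log(text: str) -> Tuple[List[Flow], List[str]]:
    """Split a log into parsed flows and the lines that did not parse
    (TCL errors and other local0 traffic), so the latter can be alerted on."""
    flows, unparsed = [], []
    for line in text.splitlines():
        flow = parse_line(line)
        (flows if flow else unparsed).append(flow or line)
    return flows, unparsed


def flows_per_path(flows: List[Flow]) -> Counter:
    """Count connections per (VIP, pool member) pair: the quickest way to see
    which back ends a virtual server actually sent traffic to."""
    return Counter((f.vip, f.node) for f in flows)
```

Feed it the file that the d_logger destination produces on the remote syslog host (or /var/log/ltm directly); a non-empty unparsed list usually means the rule is throwing TCL errors or another rule on the same facility is writing in a different format.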
Thank you very much for the above information. I have been working on a way to gather some required metrics and the information you provided included exactly what I have been working on this week.
Good to hear. There's no reason to reinvent the wheel every time.

Aaron
Thanks for the info. I'm now receiving the logging that I needed. I've also discovered that when I'm sending this to a remote syslog server, it's not using the management interface. How do you designate which interface to use when making the connection to a remote syslog server?
Management routing is definitely outside the scope of the iRule forum and devcentral in general, but...

Try searching on AskF5.com for 'management route' for LTM. You'll find a link to SOL3669 and the 9.x Network and Systems Mgmt guides which explain how to configure routing for the management interface.

If you have further questions on non-iRule topics, please contact support.

Aaron
Thanks again
Some big kudos to hoolio for all the recent posts helping folks out! It looks like citizen_elah may have some competition soon.

#Colin
I don't think I can keep up, he's on fire!

Hah... I have a long way to go to catch up to you guys. This forum is a great resource though and I get a lot from the posts here.
Group -
Thanks so much for this, it's about 95% of what I need <grin>
Is there any way to 'timestamp' this sort of connection info?

I've been requested to determine how much time is spent 'inside' the F5 for certain http(s) requests.

Thanks !
Here is an example of how you can use clock to get deltas between different points in the rule execution:


when CLIENT_ACCEPTED {
set tcp_start_time [clock clicks -milliseconds]
}
when HTTP_REQUEST {
set http_request_time [clock clicks -milliseconds]
}
when HTTP_RESPONSE {
set http_response_time [clock clicks -milliseconds]
}
when CLIENT_CLOSED {
set tcp_end_time [clock clicks -milliseconds]
# a keep-alive connection carries many requests and only the last pair is still in
# the variables here; a connection that closed before any request has none at all
if { [info exists http_request_time] && [info exists http_response_time] } {
log local0. "HTTP request/response difference: $http_response_time - $http_request_time = [expr {$http_response_time - $http_request_time}]"
}
log local0. "Total connection time: $tcp_end_time - $tcp_start_time = [expr {$tcp_end_time - $tcp_start_time}]"
}


Apparently, there was an issue with high CPU usage when using the clock command in versions prior to 9.2. I did some searching but couldn't find any relevant CRs. I would upgrade to 9.2.3+ to use the clock function and would make sure to test this rule during a maintenance window if you're applying it to every connection through the BIG-IP.

Aaron
Thanks, hoolio !
As always, this brings up another question.
Using this works great, but I'm getting some puzzling results from my testing.
Frequently, the BigIP says it took less time (between HTTP_REQUEST and HTTP_RESPONSE) than IIS says it took to complete the request (as taken from the 'TimeTaken' field in the IIS logs).
Perhaps I don't fully understand HTTP_RESPONSE - could IIS still be sending data, and the F5 records the moment that it reads the header data, and not when the request is 'complete'?

If so, is there a way to capture the completion of the request from the F5 perspective ?

Management suspicion is that the F5 is adding a high amount of overhead / latency to HTTP traffic, and I'm trying to refute this.

Thanks !
I suspect that you are correct in your assumption about it recording the moment of initial HTTP_RESPONSE but I'll defer to someone more authoritative on that.

The rest of my response is slightly off-topic since it's not directly related to the rule, but hopefully worth mentioning...

LTM is (out of the box) optimized for "real-world" traffic and as such, connections from the local LAN (ie, from benchmarking, testing, etc) can actually BE a little slower than, say, going directly to the server. However you have access with TCP profiles to tweak these settings to reach optimal conditions for your traffic. An example of a LAN-optimized profile:


profile tcp tcp-lan-optimized {
bandwidth delay disable
nagle disable
slow start disable
ack on push enable
proxy buffer low 98304
proxy buffer high 131072
send buffer 65535
recv window 65535
}


If you can actually match the real window size of your application even better.

I don't want to drift too far off topic but this might be worth some thought if your management is basing their opinion on testing the virtual server from the LAN.

(OK, and make sure all your interfaces are negotiating full duplex; I get bit by that occasionally)

Denny
I suppose you could use the HTTP_RESPONSE_DATA event to trigger the end time for the HTTP request/response delta, but that would require using HTTP::collect to trigger the HTTP_RESPONSE_DATA event. HTTP::collect buffers the HTTP response content. I'm not sure how much load this would add. I would guess that this might increase the latency enough to impact the accuracy of the time measurements.

Can anyone else comment on the best way to measure the delta between the HTTP request being received and when the BIG-IP sends the response back to the client?

Thanks,
Aaron
Thanks for this guys, looks like it'll help me a lot. we need to find a way to maintain a log of XML SOAP transactions for a certain app using a certain VIP. I'm assuming that we can simply log HTTP::payload for both the HTTP_REQUEST and the HTTP_RESPONSE in a single event to have a nice simple logging mechanism... does this make sense? something like splunk would seem like a good choice of destination server if anyone has any experience of this?

my other question is why the hell developers can't write stuff like this into their app in the first place!!
Hi Adrian, some questions:

If I created 2 logger for logging two different virtual pools, how can I perform logging to 2 different files rather than logging them into the ltm log file?

below is what I have done, but only loggerA can be logged, can we also do the same to loggerB?


- I created 2 HTTP logger iRule with name "http_A_logger" and "http_B_logger"

- change the following in the /etc/syslog-ng/syslog-ng.conf file. How can we also do for loggerB which logs to /var/Blogger? Thanks in advance.


# local0.info /var/log/Alogger
filter f_local0.info {
facility(local0) and level(info) and match("http_A_logger");
};

destination d_Alogger {
file("/var/log/Alogger" create_dirs(yes));
};

log {
source(local);
filter(f_local0.info);
destination(d_Alogger);
};


# local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg) and not match("http_A_logger");
};

destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};

log {
source(local);
filter(f_local0);
destination(d_ltm);
};


You should be able to add another set of statements (filter, destination and log) for "Blogger" events:


# local0.info /var/log/Blogger
filter f_local0.info {
facility(local0) and level(info) and match("http_B_logger");
};

destination d_Blogger {
file("/var/log/Blogger" create_dirs(yes));
};

log {
source(local);
filter(f_local0.info);
destination(d_Blogger);
};


I haven't tested this, but I think it should work with what you have already.

Aaron
Hmm... I have created another set of filter, destination, log and the exclude.

Seems like now the ltm log consists of Alog,
Alog not logging
Blog as per normal

kind of confusing, eh?!
Actually, I would expect the filter names in syslog-ng.conf need to be unique. Can you try something like this?


filter f_local0_http_A_logger {
facility(local0) and level(info) and match("http_A_logger");
};

filter f_local0_http_B_logger {
facility(local0) and level(info) and match("http_B_logger");
};


Aaron
managed to solve the problem; it lies in the excluding part
I have added as below.

Now both loggers log to their respective files and are excluded from the ltm log

once again, thanks for the help

===============================================================================
# local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg) and not match("http_A_logger") and not match("http_B_logger");
};

destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};

log {
source(local);
filter(f_local0);
destination(d_ltm);
};

=================================================================================
Nice catch. Good to hear you got it working.

Aaron
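
An added example, not part of the thread and not syslog-ng itself: a small model of how the filters in this exchange route messages, written to make the two lessons above testable. syslog-ng evaluates every log {} statement independently, so a message is delivered to each destination whose filter accepts it; that is why a logger line also lands in /var/log/ltm until f_local0 excludes every logger rule, and why the filter names must be unique. match() is an unanchored regular expression over the message text, which carries a security-relevant catch the thread does not mention: the HTTP logger writes the client's Host header and URI into the message, so a bare match("http_B_logger") also fires when a client requests a URI containing that string, steering the line into the other file. The from_rule() helper below instead matches the fixed "Rule <name> <EVENT>: " prefix that tmm puts in front of an iRule's log output. The message strings are constructed.

```python
"""Model of how the syslog-ng filters in this thread route iRule log lines.

Added example, not part of the thread and not syslog-ng. Each log {} path is
evaluated on its own, so a message reaches every destination whose filter
accepts it. match() is modelled as an unanchored re.search(). MESSAGES are
constructed; only the message text is modelled (facility local0 is assumed).
"""
import re
from typing import Callable, Dict, List

Filter = Callable[[str], bool]


def match(pattern: str) -> Filter:
    """syslog-ng match(): true if the regex occurs anywhere in the message."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg) is not None


def not_(f: Filter) -> Filter:
    return lambda msg: not f(msg)


def and_(*fs: Filter) -> Filter:
    return lambda msg: all(f(msg) for f in fs)


def from_rule(name: str) -> Filter:
    """Match the fixed 'Rule <name> <EVENT>: ' prefix tmm writes in front of an
    iRule's log output, so a rule name that merely appears inside a logged,
    client-controlled field such as the URI does not count as a match."""
    return match(r"Rule " + re.escape(name) + r" <[A-Z_]+>: ")


def ltm_filter(logger_rules: List[str], matcher: Callable[[str], Filter]) -> Filter:
    """f_local0: everything on local0 except the listed logger rules."""
    return and_(*[not_(matcher(name)) for name in logger_rules])


def build_paths(matcher: Callable[[str], Filter]) -> Dict[str, Filter]:
    """The working configuration from the thread: one file per logger rule and
    an ltm filter that excludes both, parameterised by how names are matched."""
    return {
        "/var/log/Alogger": matcher("http_A_logger"),
        "/var/log/Blogger": matcher("http_B_logger"),
        "/var/log/ltm": ltm_filter(["http_A_logger", "http_B_logger"], matcher),
    }


def route(msg: str, paths: Dict[str, Filter]) -> List[str]:
    """Destinations that receive msg: every log {} path whose filter matches."""
    return [dest for dest, accept in paths.items() if accept(msg)]


# Constructed messages in the HTTP logger's format (message text only)
MESSAGES = [
    "Rule http_A_logger <HTTP_RESPONSE>: Client: 10.0.0.5:4000 -> VIP: 10.0.1.1:80 a.example.com/ -> Node: 10.0.2.1:80 with response 200",
    "Rule http_B_logger <HTTP_RESPONSE>: Client: 10.0.0.6:4001 -> VIP: 10.0.1.2:80 b.example.com/ -> Node: 10.0.2.2:80 with response 302",
    "01070638:5: Pool member 10.0.2.1:80 monitor status down.",
    # a request to the A virtual whose URI happens to contain the other rule's name
    "Rule http_A_logger <HTTP_RESPONSE>: Client: 10.0.0.7:4002 -> VIP: 10.0.1.1:80 a.example.com/?q=http_B_logger -> Node: 10.0.2.1:80 with response 404",
]

ANCHORED = build_paths(from_rule)   # match on the "Rule <name> <EVENT>: " prefix
SUBSTRING = build_paths(match)      # bare match("http_A_logger") as posted
```

Which parts of the record match() inspects (the message only, or the program name and PID as well) varies between syslog-ng versions, so from_rule() deliberately avoids a leading "^" and only requires the prefix to occur; test the real filter with a URI containing another rule's name before relying on per-file separation for anything security relevant.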
Can anybody provide the steps to configure / integrate F5 LTM & Firepass with Splunk.

Hi Kris,

I had a customer try to configure ASM and Splunk together with little success. You might try contacting an F5 presales engineer or your account manager to get help with this. But I would guess that the bulk of the work is in configuring Splunk once you have the F5 syslogging remotely. So contacting Splunk might be a good idea as well.

If you get this working, can you reply back here with the process?

Thanks,
Aaron
Please allow me to take this question one step further. I have a need to log whenever someone uses the FTP APPEND command. My thought was that I do a TCP::collect in the client_accepted, then a switch statement in the client_data event. I cannot seem to get the order of the TCP::collect and TCP::release right as when I connect with the iRUle, I do not get anything past the connection. It is as if the iRule is waiting on a server response. I know that tcp::collect and release are slightly different than the http counterparts, but does anyone have a hint on how I can monitor basic data without affecting the flow of data between the client and server?
Hi Thomas,

I believe the problem is that the client waits for the server to send a message first. So there isn't any client data to collect initially. Spark described an option to use the skip_bytes flag on TCP::collect to handle this sort of scenario:

https://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/24911/afv/topic/Default.aspx#25028

However, there might be a simpler option if all you want to do is look for APPEND in the request payloads. You might be better off using a blank stream profile and iRule which applies the stream filter only on requests and logs in the STREAM_MATCHED event. You could try enabling the stream filter using STREAM::enable in CLIENT_ACCEPTED and then disabling it in LB_SELECTED or SERVER_CONNECTED.

https://devcentral.f5.com/wiki/default.aspx/iRules/stream

Aaron
Posted By tungsten on 04/26/2007 09:09 PM
managed to solve the problem; it lies in the excluding part
I have added as below.

Now both loggers log to their respective files and are excluded from the ltm log

once again, thanks for the help

===============================================================================
# local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg) and not match("http_A_logger") and not match("http_B_logger");
};

destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};

log {
source(local);
filter(f_local0);
destination(d_ltm);
};

=================================================================================

How can i modify this rule to log http and tcp traffic for a particular virtual server or pool?

I take it this will write the logs to separate files and not the standard log files?


I basically want to capture the logs for performance to a particular virtual server which is having a load test done on it, so as to capture response times etc.
Should something like this work, combining the two rules?

i guess i would need one to log http traffic under http_mx_log and one for tcp under tcp_mx_log?


 when HTTP_REQUEST {
   # set the URL here, log it on the response
   set url [HTTP::header Host][HTTP::uri]
   set vip [IP::local_addr]:[TCP::local_port]
}

when HTTP_RESPONSE {
   set client [IP::client_addr]:[TCP::client_port]
   set node [IP::server_addr]:[TCP::server_port]
   set nodeResp [HTTP::status]

   # log connection info
   log local0.info "Client: $client -> VIP: $vip $url -> Node: $node with response $nodeResp"
}

# syslog-ng.conf fragment (belongs in the syslog-ng configuration, not in the iRule)
# local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg) and not match("http_mxa_log") and not match("http_mxb_log");
};

destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};

log {
source(local);
filter(f_local0);
destination(d_ltm);
};
[root@iris:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   rules myrule
}
[root@iris:Active] config # b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]"
}
}

[root@iris:Active] config # b syslog include
SYSLOG - Include Data:

filter f_local0 {
   facility(local0) and
   not match("myrule");
};
log {
   source(s_syslog_pipe);
   filter(f_local0);
   filter(f_no_audit);
   destination(d_ltm);
};

filter f_myrule {
   match("myrule");
};
destination d_myrule {
   file("/var/log/myrule" create_dirs(yes));
};
log {
   source(s_syslog_pipe);
   filter(f_myrule);
   destination(d_myrule);
};

[root@iris:Active] config # cat /var/log/ltm

[root@iris:Active] config # cat /var/log/myrule
Oct 18 22:19:40 local/tmm info tmm[4601]: Rule myrule <CLIENT_ACCEPTED>: 192.168.206.102:53447
Oct 18 22:19:42 local/tmm info tmm[4601]: Rule myrule <CLIENT_ACCEPTED>: 192.168.206.102:53449
Oct 18 22:19:45 local/tmm info tmm[4601]: Rule myrule <CLIENT_ACCEPTED>: 192.168.206.102:53450
Oct 18 22:20:10 local/iris notice b[28110]: 012e0045:5: AUDIT - user root - rule myrule list



hope this helps.
I now have another question is it possible to log traffic based on the cookie value of the traffic going to a particular host?

e.g. we are using an external provider for a search which we want to monitor response times to, and the http requests to that external source use a particular cookie value; if that could just be logged then that would give us the info we need?
I now have another question is it possible to log traffic based on the cookie value of the traffic going to a particular host?
yes, it's possible. you may check if cookie exists and then log response time for the request/response.

HTTP::cookie
https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

Log Tcp And Http Request Response Info by Aaron
https://devcentral.f5.com/wiki/iRules.LogTcpAndHttpRequestResponseInfo.ashx

hope this helps.
So something like this


when CLIENT_ACCEPTED {
   # Get time for start of TCP connection in milliseconds
   if { [HTTP::cookie exists "testcookie"] } {
      set tcp_start_time [clock clicks -milliseconds]

      # Log the start of a new TCP connection
      log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
   }
}
when HTTP_REQUEST {
   # Get time for start of HTTP request
   set http_request_time [clock clicks -milliseconds]

   # Log the start of a new HTTP request
   set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   log local0. "$LogString (request)"
}

when HTTP_RESPONSE {
   # Received the response headers from the server.  Log the pool name, IP and port, status and time delta
   log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
}
when CLIENT_CLOSED {
   # Log the end time of the TCP connection
   log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)"
}


Will this just log the requests that contain that cookie value and give the response times? and does this just write the info to the standard log file?


Thanks for your help


Pav
HTTP::cookie is not valid in CLIENT_ACCEPTED.

HTTP::cookie wiki
https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

[root@iris:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@iris:Active] config # b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   set flag 0
   if {[HTTP::cookie exists "testcookie"]} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}
}

GET / is not shown in log since testcookie has not been presented at the first request (it is set by pool member in the first response). log is written in /var/log/ltm file. if you want to write to another file, you can customize syslog-ng config.

[root@iris:Active] config # tail -f /var/log/ltm
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63807 -> 172.28.17.33/dog.gif (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 1ms)
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63807 -> 172.28.17.33/favicon.ico (response) - pool info: foo 10.10.70.110 80 - status: 404 (request/response delta: 2ms)
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63807 -> 172.28.17.33/favicon.ico (response) - pool info: foo 10.10.70.110 80 - status: 404 (request/response delta: 2ms)
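
An added example, not part of the thread: a summariser for the "(request/response delta: Nms)" lines that the rule above writes, grouped per upstream host, with a p95 and a 5xx count per host and a way to pull out the slow requests. It is the offline half of the latency question raised earlier in the thread with the clock-based rule, and the lines below are constructed in the rule's own format. One caveat that bears directly on comparing these numbers with a web server's own logs: HTTP_RESPONSE fires when the response headers arrive from the pool member, so the delta is time-to-first-header on the server side, not the time to deliver the whole body to the client.

```python
"""Summarise request/response deltas from the host- and cookie-selected
logging rule above, per upstream host.

Added example, not part of the thread. SAMPLE is constructed in the rule's
log format. The delta measures request-in to response-headers-in, because
HTTP_RESPONSE fires on the headers, not on the end of the body.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (same shape as the rule's output)
SAMPLE = """\
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63807 -> 172.28.17.33/dog.gif (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 1ms)
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63807 -> 172.28.17.33/favicon.ico (response) - pool info: foo 10.10.70.110 80 - status: 404 (request/response delta: 2ms)
Oct 19 18:00:02 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63810 -> test.search.co.uk/search?q=x (response) - pool info: search 78.42.24.10 80 - status: 200 (request/response delta: 340ms)
Oct 19 18:00:05 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:63811 -> test.search.co.uk/search?q=y (response) - pool info: search 78.42.24.10 80 - status: 502 (request/response delta: 1200ms)
"""

# [LB::server] expands to "<pool> <member ip> <member port>", hence three fields
LINE = re.compile(
    r"Rule (?P<rule>\S+) <HTTP_RESPONSE>: Client (?P<client>\S+) -> (?P<target>\S+) \(response\)"
    r" - pool info: (?P<pool>\S+) (?P<member_ip>\S+) (?P<member_port>\d+)"
    r" - status: (?P<status>\d{3}) \(request/response delta: (?P<delta_ms>\d+)ms\)"
)


def parse_deltas(text: str) -> List[dict]:
    """One dict per response line; 'host' is the target up to the first '/'."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = rec["target"].split("/", 1)[0]
        rec["status"] = int(rec["status"])
        rec["delta_ms"] = int(rec["delta_ms"])
        out.append(rec)
    return out


def _percentile(values: List[int], pct: float) -> int:
    """Nearest-rank percentile (no interpolation), fine for small samples."""
    s = sorted(values)
    idx = max(0, math.ceil(pct / 100 * len(s)) - 1)
    return s[min(idx, len(s) - 1)]


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per host: request count, max and p95 delta, and number of 5xx responses."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    return {
        host: {
            "count": len(rs),
            "max_ms": max(r["delta_ms"] for r in rs),
            "p95_ms": _percentile([r["delta_ms"] for r in rs], 95),
            "server_errors": sum(1 for r in rs if r["status"] >= 500),
        }
        for host, rs in by_host.items()
    }


def slow_requests(records: List[dict], threshold_ms: int) -> List[dict]:
    """Records whose server-side delta exceeded the threshold."""
    return [r for r in records if r["delta_ms"] > threshold_ms]
```

Because the clock is read inside tmm, the deltas exclude the client-side leg entirely; if management wants "time spent inside the F5", compare these numbers against the back end's own per-request timing (the IIS TimeTaken field mentioned above measures through the last byte, so it will normally be larger).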

Thanks Nitass

I've added the following irule to the VS i want to log the traffic from

 
  when HTTP_REQUEST {
   set flag 0
   if {[HTTP::cookie exists "mxdata"]} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}




It doesn't seem to be logging anything in the ltm file?
does the mxdata cookie really exist? can you try removing the if condition first, just for testing?

sorry for duplicated message.

it does exist as searchprovider = mxdata although we know the ip address of the destination where the search is being called from so could just specify that instead of trying to use the cookie i guess?

could this just be done with a simple if {[HTTP::host] == "X.X.X.X"]} {?

could this just be done with a simple if {[HTTP::host] == "X.X.X.X"]} {?
that's fine. by the way, using equals instead of == may be better.

additionally, you may capture packet to see how it is going.
# tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap port 80
I did try a tcpdump but there is too much data; ultimately we just want to find out how long the transfer time to and from this external host is

I modified the rule to this:

  when HTTP_REQUEST {
   set flag 0
   if { [HTTP::host] eq "78.42.24.X"  } {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}
 



and in the ltm file got the following:

Oct 19 14:02:33 sys-bip-01 mcpd[1726]: 01070151:3: Rule [Data_Cookie_Log] error: line 3: [wrong # args] [HTTP::host equals "78.42.24.X"] line 12: [use curly braces to avoid double substitution] [[clock clicks -milliseconds]]
this is time. can you double check square bracket of HTTP::host? i think your irule is correct.

when HTTP_REQUEST {
   set flag 0
   if {[HTTP::host] eq "172.28.17.33"} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
      log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}

Oct 19 21:15:07 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:65430 -> 172.28.17.33/ (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 3ms)
Oct 19 21:15:07 local/tmm info tmm[4601]: Rule myrule <HTTP_RESPONSE>: Client 192.168.206.102:65430 -> 172.28.17.33/dog.gif (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 1ms)

ok the ltm file hasn't been updated yet and i've changed it to this:

when HTTP_REQUEST {
   set flag 0
   if {[HTTP::host] eq "78.42.24.X" or [HTTP::cookie exists "mxdata"] } {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
      log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
} 
OK, I've checked after about an hour and the ltm file doesn't seem to be getting any info logged from the iRule?

this particular VS is making an external request to this host so I'm assuming it should be logged?
also does it make any difference if the virtual server is using the one connect profile or not?
Hi Pav,

If you are not getting anything logged it is because you are not getting any matching events.

This is probably why. The ".X" is not a valid Wildcard.

if {[HTTP::host] eq "78.42.24.X" or [HTTP::cookie exists "mxdata"] } {


You will either need to replace it with a valid wildcard for this situation or change the matching qualifier to a subnet value instead (78.42.24.0/24).

The OneConnect Profile should not matter. It only directs a deeper investigation of all incoming connections to see if they qualify for connection re-use or to better identify individual clients that may be NAT'ed behind a single IP Address.

Hope this helps.
I've changed it to a host name now

if {[HTTP::host] eq "test.search.co.uk" or [HTTP::cookie exists "searchdata"] } {

this iRule is attached to a VS and I've been accessing the individual pool members and using the search function, which calls this external request which I'm trying to log the response times to. I've even tried using the following to log any traffic and I'm not getting anything either:

when CLIENT_ACCEPTED {
# Get time for start of TCP connection in milliseconds
set tcp_start_time [clock clicks -milliseconds]

# Log the start of a new TCP connection
log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
# Get time for start of HTTP request
set http_request_time [clock clicks -milliseconds]

# Log the start of a new HTTP request
set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
log local0. "$LogString (request)"
}

when HTTP_RESPONSE {
# Received the response headers from the server. Log the pool name, IP and port, status and time delta
log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
}
when CLIENT_CLOSED {
# Log the end time of the TCP connection
log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)"
}
This is strange, that Aaron's rule to log tcp and http requests isn't working either, as surely this should log all requests made by this particular VS?
Hi All,

I have a question regarding the iRule for HTTP. We are running version 9.4.7 in our network and I have configured the syslog-ng file to log the logs for that particular Virtual Server into a different file. But that file is not rotating on a daily basis like the LTM file. Can someone please help.

Regards,

Ganesh
I'm getting a parsing error when configuring syslog-ng:

b syslog include "
>
> # local0.info send logger entries to remote syslog server
> filter f_local0.info {
> facility(local0) and level(info) and match("logger");
> };
>
> # destination can be a hostname or IP address
> destination d_logger {
> udp("10.160.161.253" port (1026));
> };
>
> log {
> source(local);
> filter(f_local0.info);
> destination(d_logger);
> };"
BIGpipe parsing error:
012e0008:3: The requested command (filter f_local0.info {) is invalid


remove the "." from the filter name

Did that and still having issues. Thanks for your help

b syslog include "
>
> # local0info send logger entries to remote syslog server
> filter f_local0info {
> facility(local0) and level(info) and match("logger");
> };
>
> # destination can be a hostname or IP address
> destination d_logger {
> udp("10.160.161.253" port (1026));
> };
>
> log {
> source(local);
> filter(f_local0info);
> destination(d_logger);
> };"
BIGpipe parsing error:
012e0008:3: The requested command (filter f_local0info {) is invalid
opers13

Try this:

include " 
filter f_local0.info { 
facility(local0) and level(info) and match("logger"); 
}; 
 
destination d_logger { 
udp(\"10.160.161.253\" port (1026)); 
}; 
 
log { 
source(local); 
filter(f_local0.info); 
destination(d_logger); 
};"
 


Note the escaping backslashes. See this article: https://devcentral.f5.com/tutorials/tech-tips/ltm-942-custom-syslog-configuration

Hope this helps,
N
Still getting parsing error:

b syslog include "
>
> filter f_local0.info {
> facility(local0) and level(info) and match("logger");
> };
>
> destination d_logger {
> udp(\"10.160.161.253\" port (1026));
> };
>
> log {
> source(local);
> filter(f_local0.info);
> destination(d_logger);
> };"
BIGpipe parsing error:
012e0008:3: The requested command (filter f_local0.info {) is invalid

Apologies. I copied your original post, rather than the amended one, as recommended by acidkewpie, and left in the "." - can you remove this and try again please?

Rdgs
N
And I've noticed more " to escape:

match(\"logger\"); 


N
same issue:

b syslog include "
>
> filter f_local0info {
> facility(local0) and level(info) and match(\"logger\");
> };
>
> destination d_logger {
> udp(\"10.160.161.253\" port (1026));
> };
>
> log {
> source(local);
> filter(f_local0info);
> destination(d_logger);
> };"
BIGpipe parsing error:
012e0008:3: The requested command (filter f_local0info {) is invalid
What LTM version are you running? My v10 works with this:

syslog include " 
filter f_local0_info { 
facility(local0) and level(info) and match(\"logger\"); 
}; 
 
destination d_logger { 
udp(\"10.160.161.253\" port (1026)); 
}; 
 
log { 
source(local); 
filter(f_local0_info); 
destination(d_logger); 
};"
 


bpsh < syslog.inc

bP syslog include

SYSLOG - Include Data:

filter f_local0_info { facility(local0) and level(info) and match("logger"); }; destination d_logger { udp("10.160.161.253" port (1026)); }; log { source(local); filter(f_local0_info); destination(d_logger); };

Rgds
N
9.4.8
