Forum Discussion

John_Lennon_457's avatar
John_Lennon_457
Icon for Nimbostratus rankNimbostratus
Oct 07, 2010

ProxyPass and common logging

I'm in the process of converting a few sites from other technologies to F5 LTM using ProxyPass v10 on TMOS 10.2. Currently each site relies on the Reverse Proxy logs to be collected for analysis and provide statistical usage. Each virtual site has its own sets of logs and there are 2 RP per site (for load balancing and fail over).

 

 

On the LTM with ProxyPass I haven't found an equivalent method for logging. I see it's possible to create an iRule to log however everything will be in /var/log/ltm and it could get messy. I investigated the option of using a syslog server but there are a few issues with it:

 

- the LTM would log to an external server, with unencrypted traffic and this may not be acceptable for all cases;

 

- if the remote syslog server is restarted (i.e. applying security patches) the new activity until the server is restarted is lost.

 

 

I understand it could be possible to use a couple of servers for this and use a pool on the LTM, however this starts to get complex to manage if we consider we need to separate logs per virtual server, issues with encryption, etc. when the goal of moving to LTM is to simplify and reduce TCO.

 

 

Ideally I'd like to be able to write a log per virtual server directly on the LTM - space shouldn't be an issue as I don't think we'd need more than 10 GB / month, which can be logrotated and encrypted to reduce the size even further.

 

 

Do you have any suggestion?

 

 

Thank you in advance for your help.
application delivery
dev
devops
iRules

1 Reply

Sort By
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Oct 19, 2010
    Have you considered HSL (Click Here)? This logs on the wire to a pool defined locally on the LTM so you can have a log farm to handle the load in the event you lose a single server. Alternatively, you can create special log files if you have a particular string in the log message for syslog to key off of and send to alternate file. You could use the virtual name command to specific the appropriate virtual server in the log message from the iRule, then create your files in syslog as such (virtualserver1 as an example):

     

     

    
tmsh modify sys syslog include '"
filter f_local0 {
    facility(local0) and not match(\": virtualserver1-\");
};
 
filter f_local0_virtualserver1 {
    facility(local0) and match(\": virtualserver1-\");
};
 
destination d_virtualserver1 {
    file(\"/var/log/virtualserver1\" create_dirs(yes));
};
 
log {
    source(local);
    filter(f_local0_virtualserver1);
    destination(d_virtualserver1);
};
"'

tmsh save / sys config
tmsh restart sys service syslog-ng

     

     

    Just in case the code gets garbled above, smp wrote a tech tip on custom syslog files and rotation: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx Click Here

     

     

    HTH....Jason