Forum Discussion

Arnaud_Ciron_12
Dec 18, 2007

Beginner : How to create an iRule to monitor SSL traffic ?

Hi,

I'm new to iRules and BIG-IP and we're using this box to terminate specific SSL connections (for credit card equipment). Everything just works fine except I'd like to know:

1/ Why a connection was refused for some reason.

2/ Who has terminated the SSL connection (which IP), because we're going to aggregate thousands of connections and tcpdump is not appropriate.

3/ If possible: check the packet content after decryption.

I've searched on the forum but still not found something useful so far.

Thanks in advance.

3 Replies

  • For a start, just simple logging would be enough:

    How can I log successful SSL connections?

    How can I log failed connections?

    I've tried some code to log HTTP connections which is working fine:

        when CLIENT_ACCEPTED {
            log local0. "client: [IP::remote_addr]:[TCP::remote_port] -> dest: [IP::local_addr]:[TCP::local_port]"
        }

    But I use HTTP only for testing purposes. When the setup is complete I will have to monitor SSL connections only.

    Second problem: As far as I know, logging to local0.* is written in /etc/var/tmm. We'll have thousands of connections going to that BIG-IP and I wouldn't like to run out of disk space. Instead I use a remote syslog server with this part of code inside syslog-ng.conf:

        # Send messages to localhost through udp port 514
        destination d_remoteLogTunnel {
            udp ("x.x.x.x" port (514));
        };

        # Performing logging
        log {
            source (local);
            filter (f_catchall);
            destination (d_remoteLogTunnel);
        };

    How can I send connection logging only to the remote server?
  • In the syslog-ng.conf you can specify in your filter which events you want logged to which destination (local or remote) using 'match' and 'not match'.

    Take a look at this post from Tungstent as well as the overall thread for some additional info: (Click here).

    Aaron
  • Ok,

    I've managed to set up logging for successful connections.

    How about the failed connections? As far as I know there is no event in iRules which could trigger an event when, for example, an SSL connection has failed? (As a reminder, I use a specific TCP protocol, no HTTP here.)

    Thanks in advance for your help
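One way to record client-side handshakes that never completed, as an added example that is not part of this thread or of F5's own documentation: CLIENTSSL_HANDSHAKE only fires on success, so the iRule below sets a flag there and checks it in CLIENT_CLOSED, which fires for every connection. The log prefix "SSL-OK" / "SSL-FAIL" is an assumed tag you can match on in the syslog-ng filter Aaron mentions (e.g. match("SSL-")) so only these lines go to the remote destination.

```tcl
# Added example iRule (not from the original post). Attach to the virtual
# server that has the client SSL profile. Logs go to the local0 facility
# like the poster's existing rule, with a fixed tag for syslog-ng filtering.

when CLIENT_ACCEPTED {
    # Assume the handshake has not completed until CLIENTSSL_HANDSHAKE says so.
    set handshake_done 0
    set client "[IP::remote_addr]:[TCP::remote_port]"
    set local  "[IP::local_addr]:[TCP::local_port]"
}

when CLIENTSSL_HANDSHAKE {
    # Fires only when the client-side TLS handshake succeeded.
    set handshake_done 1
    log local0. "SSL-OK client: $client -> dest: $local \
        proto: [SSL::cipher version] cipher: [SSL::cipher name] ([SSL::cipher bits] bits)"
}

when CLIENT_CLOSED {
    # Fires for every connection, successful or not. A connection that
    # closes without the flag set either failed its handshake or the peer
    # went away before completing it.
    if { $handshake_done == 0 } {
        log local0. "SSL-FAIL client: $client -> dest: $local handshake not completed"
    }
}
```

This tells you which client addresses failed to complete a handshake and how many, but not the reason for the failure; for that you still need the SSL profile's own logging or a targeted packet capture on a single client.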