Forum Discussion

fhoek_29562
Nimbostratus
Feb 19, 2008

Log to syslogserver in reporting-ready format

Hi All,

I was wondering if anyone has made an iRule that would send logging to a syslog server in a format and with content that's ready to be interpreted by a reporting server, like Webtrends.

Information should contain:

- Client IP
- Visited URL/path
- If possible (don't think so) exit page
- Start time/date
- Duration of the visit
- Browser version
- ...usual reporting stuff

It's fairly important to export the logging to an external system as RAM Cache will be used also and the logfiles on the webserver won't show the complete picture.

(It would run on a very busy system. I hope it won't affect production traffic too much.)

Thanks for your time to read this,

F.

3 Replies

  • Hi,

    There have been a few similar requests in the iRule forum (before this section was created). Try searching for 'log all connections' or similar key words in the iRule 9.x forum to find the related posts. Check the Codeshare for an example of how to use a rule to log connection details and configure syslog-ng to send the log entries to a remote syslog server.

    Log HTTP, TCP, UDP connection details to syslog:

    http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html

    If you're using the RAM cache module, you'd need to add additional logic to the rule(s) using the CACHE:: commands and events to log the details for responses from cache. For more info on this, you can check the wiki pages:

    CACHE:: commands:

    http://devcentral.f5.com/wiki/default.aspx/iRules/cache

    With that said, there is a limitation to what you can log with iRules regarding the processing time taken. The example rules in the Codeshare link log the delta between when the HTTP request headers from the client are parsed and when the HTTP response headers from the server are parsed. There isn't a simple way of measuring the delta between when LTM receives the full request (including the payload) from the client and when it finishes sending the response back to the client. You can do this, but you end up having to collect the data before sending it. This collection adds latency to the process and would therefore not make sense to do.

    Reply if you have any questions on this or want help writing a rule to handle cached and non-cached logging.

    Aaron
  • Some more information about the logging:

    Since v9.4.4 you can send straight from an iRule to a remote syslog server.

    Note: it assumes 10.1.1.1 is a remote syslog server that is routable using a TMM VLAN:

    when HTTP_REQUEST {
        # collect up to 4 KB of the request body so HTTP_REQUEST_DATA fires
        HTTP::collect 4096
    }

    when HTTP_REQUEST_DATA {
        # remote syslog host, then facility.level, then the message
        log 10.1.1.1 local0.info "HTTP POST data is [HTTP::payload]"
    }

    The thing is, by default you may end up with messages larger than 1KB. They added a new db variable that allows larger messages: tmm.maxremoteloglength

    Now doing everything from iRules may not always be the best for performance. I'm not sure if it takes more processes or less to do it straight from an iRule.

    One more thing if you decide to go through syslog-ng, since you said you have a high traffic application:

    "There is a significant behavioral difference when the optional <facility>.<level> is specified. When an iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates)."

    So use the log <facility>.<level> form when doing your job.

     

     
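Putting the two replies together, here is an added example (written for this page, not code from the thread or from F5) of an iRule that emits one pipe-delimited line per request with the fields asked for in the question, using the direct remote-log form from the reply above with an explicit facility.level so the entries are not rate-limited as a class. It assumes LTM 9.4.4 or later, that 10.1.1.1 is the remote syslog host from the reply (reachable over a TMM VLAN), and that RAM Cache hits raise CACHE_RESPONSE instead of HTTP_RESPONSE.

```tcl
when HTTP_REQUEST {
    # Request-side fields, captured before the request is forwarded.
    set start_ms [clock clicks -milliseconds]
    set start_ts [clock format [clock seconds] -format "%Y-%m-%dT%H:%M:%S"]
    set client   "[IP::client_addr]:[TCP::client_port]"
    set method   [HTTP::method]
    set host     [HTTP::host]

    # Keep only printable ASCII, neutralise the "|" delimiter and cap the length,
    # so a crafted URI or User-Agent cannot inject fake fields or line breaks,
    # and the whole line stays under the default 1 KB remote-log limit.
    foreach {var raw} [list uri [HTTP::uri] ua [HTTP::header "User-Agent"]] {
        regsub -all {[^\x20-\x7e]} $raw {} raw
        set $var [string range [string map {"|" "_"} $raw] 0 255]
    }
}

when HTTP_RESPONSE {
    # Guard: a connection can reach this rule mid-stream with no request vars set.
    if { ![info exists start_ms] } { return }
    set dur_ms [expr {[clock clicks -milliseconds] - $start_ms}]
    # Header-to-header delta only (see Aaron's reply); facility.level is explicit
    # so syslog-ng does not rate-limit these entries as one class.
    log 10.1.1.1 local0.info "client=$client|ts=$start_ts|method=$method|host=$host|uri=$uri|status=[HTTP::status]|dur_ms=$dur_ms|cached=0|ua=$ua"
    unset start_ms
}

# Assumed: responses served from RAM Cache raise CACHE_RESPONSE and not
# HTTP_RESPONSE, so cache hits are logged here or they vanish from the report.
when CACHE_RESPONSE {
    if { ![info exists start_ms] } { return }
    set dur_ms [expr {[clock clicks -milliseconds] - $start_ms}]
    log 10.1.1.1 local0.info "client=$client|ts=$start_ts|method=$method|host=$host|uri=$uri|status=cache|dur_ms=$dur_ms|cached=1|ua=$ua"
    unset start_ms
}
```

Exit page and total visit duration are not visible to a single request, so derive them on the reporting side by grouping lines on client and ts; since the remote log travels as plain UDP syslog, keep 10.1.1.1 on an internal VLAN rather than a network the clients can reach.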

  • Thank you both guys,

    The 2 answers combined answered my question.

    As I installed the 9.4.4 I can do the direct logging to the syslog server, time will tell if the box will suffer from it. They are two 6800s with 4 GB memory so they can have some load 8-)