Logging based in IP

Question

There is a very useful irule in the codeshare section for logging tcp and http response information.  
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
&nbsp;     Get time for start of TCP connection in milleseconds 
&nbsp;    set tcp_start_time [clock clicks -milliseconds] 
&nbsp;  
&nbsp;     Log the start of a new TCP connection 
&nbsp;    log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]" 
&nbsp; } 
&nbsp; when HTTP_REQUEST { 
&nbsp;     Get time for start of HTTP request 
&nbsp;    set http_request_time [clock clicks -milliseconds] 
&nbsp;  
&nbsp;     Log the start of a new HTTP request 
&nbsp;    set LogString "Client [IP::client_addr]:[TCP::client_port] -&gt; [HTTP::host][HTTP::uri]" 
&nbsp;    log local0. "$LogString (request)" 
&nbsp; } 
&nbsp;  
&nbsp; when HTTP_RESPONSE { 
&nbsp;     Received the response headers from the server.  Log the pool name, IP and port, status and time delta 
&nbsp;    log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)" 
&nbsp; } 
&nbsp; when CLIENT_CLOSED { 
&nbsp;     Log the end time of the TCP connection 
&nbsp;    log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)" 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; However you would get a lot of logging on a production site if you applied this rule on all client IP addresses.  I was wondering how I could incorporate a filter on IP address so that it only logs from a praticluar client IP.  Would using matchclass work? 
&nbsp;  
&nbsp;  if {([matchclass [IP::client_addr] equals $::filteredAddresses])}{  
&nbsp;  
&nbsp; Where would I put this in the exiting code.  I assume I would need to put it in multiple section? 
&nbsp;  
&nbsp; Thanks 
&nbsp;  
&nbsp; Jon

hooleylist · Answer

Hi Jon, 
  
 You could set a variable in CLIENT_ACCEPTED if the client IP check matches and then reference that variable in each subsequent event:

when CLIENT_ACCEPTED { 
  
     Add some logic for determining which clients to log for 
    if {[matchclass [IP::client_addr] equals $::filteredAddresses]}{ 
  
       set log_this_connection 1 
  
        Get time for start of TCP connection in milleseconds 
       set tcp_start_time [clock clicks -milliseconds] 
  
        Log the start of a new TCP connection 
       log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]" 
    } 
 } 
 when HTTP_REQUEST { 
  
     Check if we're logging this connection 
    if {$log_this_connection}{ 
  
        Get time for start of HTTP request 
       set http_request_time [clock clicks -milliseconds] 
  
        Log the start of a new HTTP request 
       set LogString "Client [IP::client_addr]:[TCP::client_port] -&gt; [HTTP::host][HTTP::uri]" 
       log local0. "$LogString (request)" 
    } 
 } 
 when HTTP_RESPONSE { 
  
     Check if we're logging this connection 
    if {$log_this_connection}{ 
  
        Received the response headers from the server. Log the pool name, IP and port, status and time delta 
       log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response\ 
          delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)" 
    } 
 } 
 when CLIENT_CLOSED { 
  
     Check if we're logging this connection 
    if {$log_this_connection}{ 
  
        Log the end time of the TCP connection 
       log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]\ 
          (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)" 
    } 
 }

If this is the only iRule you'll ever use on the VIP, you could use 'event disable all' in CLIENT_ACCEPTED:

when CLIENT_ACCEPTED { 
  
     Add some logic for determining which clients to log for 
    if {[matchclass [IP::client_addr] equals $::filteredAddresses}{ 
  
        Get time for start of TCP connection in milleseconds 
       set tcp_start_time [clock clicks -milliseconds] 
  
        Log the start of a new TCP connection 
       log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]" 
  
    } else { 
  
        Disable all events for this rule and any other rule for this connection 
       event disable all 
    } 
 } 
 when HTTP_REQUEST { 
     Get time for start of HTTP request 
    set http_request_time [clock clicks -milliseconds] 
  
     Log the start of a new HTTP request 
    set LogString "Client [IP::client_addr]:[TCP::client_port] -&gt; [HTTP::host][HTTP::uri]" 
    log local0. "$LogString (request)" 
 } 
 when HTTP_RESPONSE { 
     Received the response headers from the server. Log the pool name, IP and port, status and time delta 
    log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response\ 
       delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)" 
 } 
 when CLIENT_CLOSED { 
     Log the end time of the TCP connection 
    log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]\ 
    (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)" 
 }

Aaron

jondyke_46152 · Answer

Thanks for that 
&nbsp;  
&nbsp; I ended up adding the matchlass bit to each section and that seemed to work but your suggestions seem a bit slicker so I will try those.

hooleylist · Answer

The functionality is the same--it's just more efficient to use a variable versus re-running matchclass for each event. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Logging based in IP

3 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

AFM text based logs?

Demystifying Time-based OTP

ASM logs

ASM LOGS

Logging DNS Requests