Forum Discussion

Mariusz_B
Feb 09, 2015

Logging all traffic iRule.

Hello,

I have the following iRule for logging all traffic:

when CLIENT_ACCEPTED {  
   set vip [IP::local_addr]:[TCP::local_port]
}

when SERVER_CONNECTED {  
   set client "[IP::client_addr]:[TCP::client_port]"
   set node "[IP::server_addr]:[TCP::server_port]"
   set snat "[IP::local_addr]:[TCP::local_port]"

}  

when CLIENT_CLOSED {  
   # log connection info
   log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"  
}

I have tested this on a virtual F5 which worked fine, however for some reason on a production LTM, I get the following error in the logs:

TCL error: /Common/Source_IP_Logging - can't read "client": no such variable while executing "log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node""

From time to time it works fine on the production one as well. 1. Should I try to move my client variable definition to "when CLIENT_ACCEPTED" section? 2. Should I use double quotes for variable definition, or make all of them like the "vip" one?

Regards

Mariusz

12 Replies

  • SERVER_CONNECTED is an event that's fired when the LTM makes a connection to the backend node, so if the client connects and disconnects before the LTM ever makes a connection to the backend, you won't have those variables.

    I'd recommend moving at least the client and snat variables to the CLIENT_ACCEPTED event. The node won't be available until the server connects, but you could initialize the variable in the client accepted event to some default value and then update its value when the server connect happens.

  • Thank you Michael.

    I have done something like this, and I am about to test it in next few days:

    when CLIENT_ACCEPTED {
       set client "[IP::client_addr]:[TCP::client_port]"
       set vip "[IP::local_addr]:[TCP::local_port]"
       set snat "unknown"
       set node "unknown"
    }
    
    when SERVER_CONNECTED {
       set snat "[IP::local_addr]:[TCP::local_port]"
       set node "[IP::server_addr]:[TCP::server_port]"
    }
    
    when CLIENT_CLOSED {
       # log connection info
       log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"
    }
    
    • Snl

      I have a similar requirement, where the customer is using automap and wants to enable logging for a specific virtual server to capture all sessions. It's not working, since the unknown keyword is matching on the snat & node side. Also, the virtual server is running on port smtp, so I cannot add an http profile.


      when CLIENT_ACCEPTED {
         set client "[IP::client_addr]:[TCP::client_port]"
         set vip "[IP::local_addr]:[TCP::local_port]"
         set snat "unknown"
         set node "unknown"
      }

      when SERVER_CONNECTED {
         set snat "[IP::local_addr]:[TCP::local_port]"
         set node "[IP::server_addr]:[TCP::server_port]"
      }

      when CLIENT_CLOSED {
         # log connection info
         log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"
      }

      any help appreciated

       

      /snl

       

    • boneyard

      I think it is wiser to start a new question.

      And explain what you mean with "unknown is matching". If unknown is shown, that is for a reason: those fields aren't known yet when the log occurs.

      Also, you don't need an HTTP profile for any of these iRule statements; it is all TCP or lower.


  • Hi Michael J,

     

    Would you mind checking the above and letting us know if the above example is suitable, please?

     

    Thanks.

     

    • Michael_Jenkins

      Syntactically I think it looks good. I'm not near a device to check it, but it looks good to me.
  • YossiV

    I have tested your iRule on my Virtual F5 and my 4000; it passed fine.

     

  • BIBEK

    What is the iRule for logging the header only from one IP?

  • Unless this is for debugging purposes, logging your traffic is not the best approach. A better option is taking a capture. If you have to use the iRule, then after debugging, please comment out the log local0. line or remove the iRule from the virtual server. You don't want to fill up your LTM logs, which are meant for system logs.
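
The revised iRule in this thread writes "unknown" for SNAT and Node whenever CLIENT_CLOSED fires before SERVER_CONNECTED. As an added example (not part of the original thread), this Python script parses those log messages and counts, per client IP, the connections that closed with no server side; the syslog prefix, the sample addresses and the IPv4-only endpoint pattern are constructed assumptions.

```python
import re
from collections import Counter

# An endpoint is the iRule's placeholder "unknown" or IPv4[%route-domain]:port
# (IPv4-only is an assumption of this example).
EP = r"(?:unknown|\d{1,3}(?:\.\d{1,3}){3}(?:%\d+)?:\d+)"
LINE_RE = re.compile(
    rf"Client (?P<client>{EP}) -> VIP: (?P<vip>{EP}) -> "
    rf"SNAT: (?P<snat>{EP}) -> Node: (?P<node>{EP})\s*$"
)

def parse_line(line):
    """Return the four logged fields as a dict, or None for unrelated lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Split records into completed connections and ones with no server side."""
    completed, no_server = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the "TCL error" line, which quotes the log statement
        (no_server if rec["node"] == "unknown" else completed).append(rec)
    # Client IPs that closed before a server-side connection existed
    by_client = Counter(r["client"].rsplit(":", 1)[0] for r in no_server)
    return completed, no_server, by_client

# Constructed sample input; the prefix layout is an assumption, the rule name
# and the TCL error text are the ones quoted in the thread.
P = "Feb  9 10:15:01 ltm1 info tmm[12345]: Rule /Common/Source_IP_Logging <CLIENT_CLOSED>: "
SAMPLE = [
    P + "Client 10.1.1.5:51234 -> VIP: 192.0.2.10:25 -> SNAT: 10.2.0.1:40112 -> Node: 10.2.0.20:25",
    P + "Client 10.1.1.9:40001 -> VIP: 192.0.2.10:25 -> SNAT: unknown -> Node: unknown",
    P + "Client 10.1.1.9:40002 -> VIP: 192.0.2.10:25 -> SNAT: unknown -> Node: unknown",
    'TCL error: /Common/Source_IP_Logging - can\'t read "client": no such variable while '
    'executing "log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node""',
]

if __name__ == "__main__":
    done, early, by_client = summarize(SAMPLE)
    print(f"completed={len(done)} closed_before_server_connect={len(early)}")
    for ip, count in by_client.most_common():
        print(f"{ip}: {count} connection(s) with no server side")
```
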