NetworkTeam_178
Nov 04, 2016

Logging for iRule isn't working?

Hello,

I want to output rejections for this iRule to a syslog server. My syntax is

    when HTTP_REQUEST {
        if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with "www.website.co.uk") or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with "www.backup.mywebsite.co.uk")) } {
            discard
        } {
            log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"
        }
    }

I tried the following as well:

    when HTTP_REQUEST {
        if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with "www.website.co.uk") or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with "www.backup.mywebsite.co.uk")) } {
            discard
        }
        log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"
    }

Which DID log but didn't show correctly in syslog.

Basically I want the syslog message to use the keyword 'blocked' to make searching easier.

Thanks

9 Replies

  • Hi, what about doing it this way?

    when HTTP_REQUEST { 
        switch -glob [string tolower [HTTP::host]] {
            "website.co.uk*" -
            "www.website.co.uk*" -
            "backup.mywebsite.co.uk*" -
            "www.backup.mywebsite.co.uk*" {
                # nothing to do
            }
            default {
                log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"
                discard
            }
        }
    }
    

    Does it work for you? I hope so.

    Regards.
  • Vernon_97235
    Historic F5 Account

    Do you really mean starts_with in these cases? Since .uk is a top-level domain, I assume you are not expecting Host header entries for something like "website.co.uk.foo.bar.baz.com". I ask because dropping the glob matching (and the asterisks at the end of the hostnames) makes the rule a bit faster, and I presume, more correct.

    Also, log delivers to the local syslog facility on the BIG-IP, which (unless you changed the syslog.conf) means it is going to a local file on the BIG-IP. If you want remote syslog, the best avenue is to use High Speed Logging from within your iRule:

    • cjunior

      For sure, for a non-standard port, the "starts_with" is relevant to him.
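
An added example, not code from any poster in this thread: an iRule that combines the points in the reply above and its comment, matching the Host header exactly after stripping any port, and sending the 'blocked' line to a remote syslog server through High Speed Logging. The pool name syslog_pool is a hypothetical pool containing the syslog server, and the <134> priority (local0.info) and the 256-character cap are assumed choices.

```tcl
when RULE_INIT {
    # Exact-match allowlist; hostnames are the ones used in this thread.
    set static::allowed_hosts {
        website.co.uk
        www.website.co.uk
        backup.mywebsite.co.uk
        www.backup.mywebsite.co.uk
    }
}

when CLIENT_ACCEPTED {
    # Assumption: "syslog_pool" is a hypothetical pool whose member is the
    # remote syslog server. HSL sends to it directly, bypassing local syslog.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}

when HTTP_REQUEST {
    # Drop an optional ":port" suffix and normalise case, so that
    # "WWW.website.co.uk:8443" still matches the exact allowlist entry while
    # "website.co.uk.foo.bar.baz.com" does not.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { [lsearch -exact $static::allowed_hosts $host] == -1 } {
        # User-Agent and URI are client-controlled, so cap their length
        # before they reach the log line.
        set ua  [string range [HTTP::header value User-Agent] 0 255]
        set uri [string range [HTTP::uri] 0 255]

        # <134> = facility local0 (16) * 8 + severity info (6).
        # The log call sits inside the branch, so only discarded
        # requests produce a "blocked" line.
        HSL::send $hsl "<134>blocked $ua requesting [HTTP::host]$uri"
        discard
    }
}
```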

       

  • Have you tried the below, where User-Agent is without quotes and has value?

    when HTTP_REQUEST {
        if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with "www.website.co.uk") or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with "www.backup.mywebsite.co.uk")) } { 
            log local0. "blocked [HTTP::header value User-Agent] requesting [HTTP::host][HTTP::uri]" 
            discard 
        } 
    }
    
    • cjunior

      So, the "log" command outside the "if" statement will log even when the request is not blocked, am I wrong?

      Respectfully.


    • someguy_126006

      Was a copy paste from the rule above, but yes, that is correct. I moved it up in though.