Forum Discussion
2 Replies
Hi Samyool,
You can't read locally stored file streams using iRules. The required TCL commands to open and read such are disabled by the developers.
The only chance I see for you is to open a [SIDEBAND] connection to the REST-API, execute a tail /var/log/ltm command via the /mgmt/tm/util/bash endpoint, parse the REST response and finally display the output on your debugging page.
API Request:
    POST /mgmt/tm/util/bash HTTP/1.1
    Host: yourbox.domain.de
    Content-Type: application/json
    Authorization: Basic YourBase64Creds
    content-length: 62
    Connection: close

    {"command":"run","utilCmdArgs":"-c 'tail -n 50 /var/log/ltm'"}

Note: Let me know if you need further assistance to implement such a [SIDEBAND] connection to query REST within iRules.
Cheers, Kai
Hi Samyool,
I've recycled some older code for you to get a PoC up and running within a few minutes. Here we go...
Configure a Layer4 VS:80 that points to the MGMT-ETH:443 of your F5
1.) Execute the following command on TMSH
    load sys config merge from-terminal
2.) Paste the following config into TMSH
    ltm pool Pool_F5-MGMT-ETH {
        members {
            Node_F5-MGMT-ETH:https {
                address x.x.x.x%1
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }
    ltm virtual VS_F5-MGMT-ETH {
        destination 1.1.1.1%1:http
        ip-protocol tcp
        mask 255.255.255.255
        pool Pool_F5-MGMT-ETH
        profiles {
            serverssl {
                context serverside
            }
            tcp { }
        }
        source 0.0.0.0%1/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }
Note: You have to change the node IP address to match the MGMT-IP of your LTM. The IP of the Virtual Server can be kept, since it's just used for internal communication.
3.) Hit CTRL+D to save the config change
Write a TCL procedure to trigger a SIDEBAND connection towards your Layer4 VS:80 (aka. your REST-API) to execute [tail] and finally download X lines of logfile Y.
1.) Add the following procedure to your existing iRule
    proc get_logfiles { virtual basic_creds logfile lines } {
        # Open a sideband TCP connection to the internal virtual server
        set tcp_conn [connect -timeout 2000 -idle 2000 -status tcp_conn_status $virtual]
        if { $tcp_conn_status equals "connected" } then {
            # Build the REST request that runs tail via /mgmt/tm/util/bash
            set http_request_body "\{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tail -n $lines $logfile'\"\}"
            set http_request "POST /mgmt/tm/util/bash HTTP/1.0\r\nAuthorization: Basic $basic_creds\r\nContent-Length: [string length $http_request_body]\r\n\r\n$http_request_body"
            send -timeout 2000 -status tcp_sent_status $tcp_conn $http_request
            if { $tcp_sent_status equals "sent" } then {
                # Wait up to 5 seconds for the API response
                set http_response [recv -timeout 5000 $tcp_conn]
                if { $http_response starts_with "HTTP/1.1 200" } then {
                    # Return everything after the commandResult marker
                    return [getfield $http_response {commandResult":"} 2]
                } elseif { $http_response equals "" } then {
                    return "Error: Receive Timeout"
                } else {
                    return "Error: API Response = $http_response"
                }
            } else {
                return "Error: Send Status = $tcp_sent_status"
            }
        } else {
            return "Error: Connection Status = $tcp_conn_status"
        }
    }
Call the TCL procedure within your iRule
    set log_lines [call YOUR_IRULE_NAME::get_logfiles "VS_F5-MGMT-ETH" [b64encode "admin:password"] "/var/log/ltm" 50]
Cheers, Kai
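
Added example, not part of the original posts: get_logfiles interpolates $logfile and $lines into a bash -c string that runs with the REST credentials, and its return value is the raw JSON tail after the commandResult marker. The wrapper below checks both arguments against an allowlist before the call, then decodes and HTML-escapes the result for the debugging page. The proc names validate_log_request, decode_command_result, html_escape and get_logfiles_checked, the allowlist contents and the 1-999 limit are assumptions.

```tcl
# Added example (not from the original posts). Proc names and the allowlist
# contents are assumptions; get_logfiles is the procedure posted above.

# Return "" when the request is acceptable, otherwise an error string.
proc validate_log_request { logfile lines } {
    # Only exact, pre-approved paths may reach the bash command line.
    set allowed_logs [list "/var/log/ltm"]
    if { [lsearch -exact $allowed_logs $logfile] < 0 } {
        return "Error: logfile not in allowlist"
    }
    # 1-999, digits only: rejects quoting, spaces and other shell syntax.
    if { ![regexp {^[1-9][0-9]{0,2}$} $lines] } {
        return "Error: lines must be an integer from 1 to 999"
    }
    return ""
}

# get_logfiles returns the text after the commandResult marker: the JSON
# string contents, then the closing quote and the rest of the response.
proc decode_command_result { tail } {
    # Capture up to the first unescaped double quote.
    if { ![regexp {^((?:[^"\\]|\\.)*)"} $tail -> raw] } {
        return "Error: unterminated commandResult"
    }
    # Single-pass unescape of the common JSON escapes (\uXXXX is left as-is).
    return [string map [list {\n} "\n" {\t} "\t" {\"} "\"" {\\} "\\" {\/} "/"] $raw]
}

# Log lines can contain client-supplied text, so neutralise HTML before display.
proc html_escape { text } {
    return [string map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;"] $text]
}

proc get_logfiles_checked { virtual basic_creds logfile lines } {
    set err [call validate_log_request $logfile $lines]
    if { $err ne "" } { return $err }
    set tail [call get_logfiles $virtual $basic_creds $logfile $lines]
    # get_logfiles signals failure with an "Error: " prefix.
    if { [string match "Error: *" $tail] } { return $tail }
    return [call html_escape [call decode_command_result $tail]]
}
```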