Forum Discussion
6 Replies
- Kevin_Stewart (Employee)
At the very least:
when CLIENT_ACCEPTED { log local0. "Request for service at port [TCP::local_port] from [IP::client_addr]" }
That should log the client source address for any incoming TCP session, but it will not log the usernames/passwords in the SSH sessions.
- AbuAhmad (Nimbostratus)
How can I send the logs to a remote server? And can this be run on the GTM?
- Kevin_Stewart (Employee)
Take a look at the HSL:: commands for remote logging:
https://devcentral.f5.com/wiki/iRules.HSL__send.ashx
I would also add that the above only works for SSH traffic passing through the BIG-IP (via a virtual server), not for SSH traffic to the BIG-IP (management). And since SSH traffic wouldn't normally pass through a GTM, this iRule wouldn't really make sense. I probably should have asked, but are you trying to log SSH to the BIG-IP, or through it?
- AbuAhmad (Nimbostratus)
Thank you Kevin for your help; my knowledge of iRules is very limited. Here is what I need to do: I have a farm that has HTTP, HTTPS, and SSH virtual servers. (X-Forwarded-For can work with HTTP/HTTPS but not SSH.)
1- I need to log all client IPs that try to access those VSs to another server so it will not overload the local drive on the BIG-IP.
2- If the IP of the remote server is 192.168.xx.xx, what will the iRule look like? I tried this!! >> when CLIENT_ACCEPTED {
3- On the remote server, where can the logs be found?
4- Do I need any tools to read the logs, or will they be in a txt file? If a tool is needed, can you suggest one please. Thanks again Kevin.
- kunjan (Nimbostratus)
You can do as below
when CLIENT_ACCEPTED { log 192.168.xx.xx local0.info "Request for service at port [TCP::local_port] from [IP::client_addr]" }
The logs will be in text format. The file location will be defined in /etc/syslog.conf (assuming a *nix system) on the remote syslog server.
On the remote syslog server, you have to enable remote syslog for the syslog clients, in this case the BIG-IP IP address.
http://www.freebsd.org/doc/handbook/network-syslogd.html
You can test it using the 'logger' cmd from the BIG-IP, before testing with the iRule.
logger -h 192.168.xx.xx -p local0.info "Testing"
- Kevin_Stewart (Employee)
If I may add, Kunjan is absolutely correct. The log statement in iRules sends traffic to a Syslog server. Without an IP address specified, it sends the message to the local Syslog server. You need a remote server that is running a Syslog instance and is configured to capture messages for the facilities that you're sending (i.e. local0.info). Setting up a Syslog server isn't overly difficult, but can be different depending on your environment.
I would also add that HSL is a WAY better option here. Using the Log command will work, but 1) there's generally a limit to how many of those you can send out, and 2) the syslog traffic must pass through the management plane of the BIG-IP, which can induce some CPU spikes. HSL (high speed logging) is processed completely within the data plane and doesn't have the same limitations.
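The HSL version of Kunjan's iRule, as an added example that is not code from this thread; the pool name remote_syslog_pool and the "bigip-irule" tag are assumptions, and the PRI value is derived from the local0.info facility/severity the thread uses:

```tcl
# Added example (not from the thread): log each accepted TCP client via HSL
# instead of the "log" command, so the message stays on the data plane.
# Assumptions: a pool named "remote_syslog_pool" exists on the BIG-IP, pointing
# at the remote syslog server on UDP 514, and this iRule is attached to each
# virtual server (HTTP, HTTPS, SSH) whose client IPs should be logged.
when RULE_INIT {
    # Syslog PRI value = facility * 8 + severity. local0 is facility 16 and
    # "info" is severity 6, so local0.info = 16*8 + 6 = 134.
    set static::syslog_pri 134
}

when CLIENT_ACCEPTED {
    # Open (or reuse) a high-speed logging handle to the syslog pool.
    set hsl [HSL::open -proto UDP -pool remote_syslog_pool]

    # Minimal RFC 3164 style line: <PRI>TAG: message. The remote syslogd adds
    # its own timestamp/host and files it under whatever its config maps
    # local0.info to (the same rule Kunjan's "log 192.168.xx.xx" would hit).
    HSL::send $hsl "<$static::syslog_pri>bigip-irule: Request for service at port [TCP::local_port] from [IP::client_addr]"
}
```

Because HSL::send only writes the PRI and message you give it, pick the facility/severity to match the remote server's syslog rule, otherwise the line will be accepted but land in a different file than expected.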