Forum Discussion

Danny_Arroyo
Feb 05, 2015

How to view logs with source and destination ip address.

We are running BIG-IP v11.4.1 Build 647.0 Hotfix HF4. We have some VIPs that we want to decommission. We need to know which IP addresses are still trying to connect to these VIPs. I created an iRule that logs ([serverside {TCP::local_port}] dst [IP::server_addr]:[TCP::server_port]) and assigned it to these VIPs. This works and I am able to view the source IP alongside the destination IP address.

However, any time I am asked to do this, I have to assign the iRule to a specific VIP and wait for the VIP to get hit. Does the F5 log this information somewhere by default? Or is there a setting to enable this logging for all VIPs? I'm thinking that doing this would cause performance issues on the F5. If not, please let me know how I can enable this.

However, if this is not a good idea, can someone advise me on how I can get history (1 day/week/month, etc.) of source/destination IP addresses that connected to any VIP, without having to apply an iRule and wait for the data to be collected?

Please note: I have remote logging enabled to our syslog server.

 

3 Replies

  • There is no direct way to log all the client IPs. What you are doing is correct.

    But what I would recommend is that, instead of using the "log" statement, which logs through the local syslog process and then gets forwarded to your remote syslog server, you use HSL::send to send logs directly to the remote syslog server. The processing for HSL happens within TMOS and is hence faster and much more optimized.

    If your concern is that you don't want logging on all the time on all the virtuals, you could have your iRule look up a data group and check whether logging should be done for that virtual or not.

    So to turn it on, you just add the virtual name to a generic data group.

    Best
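
An added example of the iRule shape the reply above describes (my code, not the reply author's and not F5's): an HSL::send logger that only fires when the virtual server's name is present in a data group. It assumes two hypothetical objects, a string data group named log_enabled_vips holding virtual server names and a pool named syslog_pool whose members are the remote syslog collectors.

```tcl
# Added example iRule, not code from the thread or from F5. It is the shape
# the reply above describes: HSL::send instead of "log", gated by a data group
# lookup so one iRule can stay attached to every VIP with logging switched on
# per virtual server. Assumed (hypothetical) objects: a string data group
# "log_enabled_vips" containing virtual server names, and a pool "syslog_pool"
# whose members are the remote syslog collectors.

when CLIENT_ACCEPTED {
    # [virtual name] returns this virtual server's name (e.g. /Common/vs_app1).
    # If it is not listed in the data group, skip logging entirely.
    if { not [class match -- [virtual name] equals log_enabled_vips] } {
        return
    }

    # Open a high-speed logging handle to the collector pool (UDP syslog).
    set hsl [HSL::open -proto UDP -pool syslog_pool]

    # Log the client side tuple as soon as the connection is accepted.
    # "<134>" is the syslog PRI for facility local0, severity informational.
    HSL::send $hsl "<134> vip_conn vs=[virtual name] src=[IP::client_addr]:[TCP::client_port] vip=[IP::local_addr]:[TCP::local_port]\n"
}

when SERVER_CONNECTED {
    # Runs for every connection, so only log when CLIENT_ACCEPTED opened a handle.
    if { [info exists hsl] } {
        # Add the chosen pool member, so source, VIP and destination can be
        # grepped together from the collector's files.
        HSL::send $hsl "<134> vip_conn vs=[virtual name] src=[IP::client_addr]:[TCP::client_port] dst=[IP::server_addr]:[TCP::server_port]\n"
    }
}
```

HSL over UDP is fire-and-forget, so under load some records can be lost; use -proto TCP in HSL::open if the history must be complete. Add or remove the virtual server's name in the data group to switch logging on or off without editing or reassigning the iRule.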

  • Thanks for the info, Amit. I will try the HSL::send option.

    My concern really was to be able to respond more quickly to this type of request. My boss will ask for the history of VIPs every now and then. I would like to be able to ask for a time frame and simply grep through an existing log and pull source IP information to fill the request.

    However, it seems like I have to assign an iRule to the VIP and sit back and wait for a while for clients to hit the VIP. It means I can't provide a speedy response to this type of request because I have to wait for data to be collected. Additionally, if I wait one or two weeks, it won't mean I have caught all or most of the client connections.

    If this is how it works, then I'll continue using the method I described. However, I will incorporate your suggestions to see how they work.

    Thanks.

  • Hi Amit,

    did you consider using the AVR feature (analytics)?

    Be aware that this feature requires additional resources (storage, memory and CPU cycles) on your BIG-IP.

    Thanks, Stephan