Forum Discussion

DannyvanWijk's avatar
DannyvanWijk
Icon for Nimbostratus rankNimbostratus
Dec 04, 2013

[IP::client_addr] contains source port....

Hello,

 

I have an iRule that sets the variable client in HTTP_RESPONSE with the following command "set client [IP::client_addr]". When I use this variable ($client) it is always only the client ipaddress. I also use the irule provided with Splunk for F5 networks and this iRule set the same client variable but in CLIENT_ACCEPTED and when you use this variable it almost always includes the source port number.

 

Is this something that is expected or did I found bug??

 

Danny

 

application delivery
devops
iRules

3 Replies

Sort By
  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Dec 04, 2013

    Hi Danny,

     

    Can you clarify what do you expect ?

     

    IP::client_addr is client side IP address only and we use to implementing it in CLIENT_ACCEPTED. When client connection is set, variable is set.

     

  • DannyvanWijk's avatar
    DannyvanWijk
    Icon for Nimbostratus rankNimbostratus
    Dec 04, 2013

    Hello Matthieu,

    This is the irule I am using and this one is doing what I expect. Only putting the ip in the client variable

    when HTTP_REQUEST { set the URL here, log it on the response set url [HTTP::header Host][HTTP::uri] set vip [IP::local_addr]:[TCP::local_port] set http_request_time [clock clicks -milliseconds] }

    when HTTP_RESPONSE { set client [IP::client_addr] set node [IP::server_addr]:[TCP::server_port] set nodeResp [HTTP::status]

    log connection info log local0.info "Client:$client -> VIP:$vip $url -> Node:$node with response $nodeResp time_taken:[expr {[clock clicks -milliseconds] - $http_request_time}]" }

    So this puts multiple entries in the log where Client: always contains an ipaddress. (like xxx.xxx.xxx.xxx)

    This is part of the F5 irule where it most often includes the source port.

    when CLIENT_ACCEPTED { set client [IP::client_addr] }

    when HTTP_REQUEST { set vhost [HTTP::host]:[TCP::local_port] set url [HTTP::uri] set method [HTTP::method]

    snap

    when HTTP_RESPONSE { set hsl [HSL::open -proto TCP -pool pool-splunk-logging] set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"] set node [IP::server_addr]:[TCP::server_port] set status [HTTP::status]

    if { [HTTP::header Content-Length] > 0 } then {
    set response_length [HTTP::header "Content-Length"]
} else {
    set response_length 0
}

HSL::send $hsl "<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\r\n"

    }

    When this is being send $client is like xxx.xxx.xxx.xxx:yyyyy where yyyyy is the source port.

    As the applications is interpreting the $client field as a client the applications is logging 20-30 different clients for one page. While it should only be one client Hope this make sense??

    Danny

  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Dec 04, 2013

    Hi, I do not understand why you have client_IP:client_port. I do not see any command like that :

    set client [IP::client_addr]:[TCP::client_port]

    Are you sure you are seeing client IP and port ?

    If yes, you can remove :yyyy from the variable with string command.