Hello Matthieu,
This is the iRule I am using, and this one is doing what I expect: it only puts the IP in the client variable.
when HTTP_REQUEST {
    # set the URL here, log it on the response
    set url [HTTP::header Host][HTTP::uri]
    set vip [IP::local_addr]:[TCP::local_port]
    set http_request_time [clock clicks -milliseconds]
}
when HTTP_RESPONSE {
    set client [IP::client_addr]
    set node [IP::server_addr]:[TCP::server_port]
    set nodeResp [HTTP::status]
    # log connection info
    log local0.info "Client:$client -> VIP:$vip $url -> Node:$node with response $nodeResp time_taken:[expr {[clock clicks -milliseconds] - $http_request_time}]"
}
So this puts multiple entries in the log where Client: always contains an IP address (like xxx.xxx.xxx.xxx).
This is part of the F5 iRule where it most often includes the source port.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}
when HTTP_REQUEST {
    set vhost [HTTP::host]:[TCP::local_port]
    set url [HTTP::uri]
    set method [HTTP::method]
snap
when HTTP_RESPONSE {
    set hsl [HSL::open -proto TCP -pool pool-splunk-logging]
    set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]:[TCP::server_port]
    set status [HTTP::status]
    if { [HTTP::header Content-Length] > 0 } then {
        set response_length [HTTP::header "Content-Length"]
    } else {
        set response_length 0
    }
    HSL::send $hsl "<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\r\n"
}
When this is sent, $client is like xxx.xxx.xxx.xxx:yyyyy, where yyyyy is the source port.
As the application interprets the $client field as a client, the application logs 20-30 different clients for one page, while it should only be one client.
Hope this makes sense?
Danny
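
An added example, not part of the original post: a Python parser for lines in the pipe-delimited layout of the HSL::send call above, which counts requests per client IP whether or not a source port is attached to the client field. The sample lines, addresses and the names client_ip and clients_per_ip are constructed for illustration.

```python
import ipaddress
from collections import Counter

CLIENT_FIELD = 3  # position of $client in the HSL::send line above

# Constructed sample lines: one browser on three source ports, one bare address.
TAIL = '|GET|"/a|b"|HTTP/1.1|Mozilla/5.0|"-"|2024/01/01 10:00:00|0|12|10.0.0.5:80|200|2024/01/01 10:00:00|512|vs_web\r\n'
HEAD = "<190>|www.example.com:443|device_product=Splunk Web Access iRule|"
SAMPLE = [HEAD + c + TAIL for c in
          ("192.0.2.10:51234", "192.0.2.10:51235", "192.0.2.10:51240", "198.51.100.7")]


def client_ip(value):
    """Return the bare address from 'addr', 'addr:port' or '[v6]:port', else None."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))   # already a bare address
    except ValueError:
        pass
    if value.startswith("["):                      # bracketed IPv6 with port
        head, _, tail = value[1:].partition("]:")
    else:                                          # IPv4:port (unbracketed v6:port is ambiguous)
        head, _, tail = value.rpartition(":")
    if not (tail.isascii() and tail.isdigit() and 0 < int(tail) <= 65535):
        return None
    try:
        return str(ipaddress.ip_address(head))
    except ValueError:
        return None


def clients_per_ip(lines):
    """Count log lines per client IP, ignoring any source port."""
    counts = Counter()
    for line in lines:
        # $client comes before the free-text fields (URL, user agent, referer),
        # so a bounded split is not confused by '|' inside those later fields.
        fields = line.rstrip("\r\n").split("|", CLIENT_FIELD + 1)
        if len(fields) <= CLIENT_FIELD:
            continue
        ip = client_ip(fields[CLIENT_FIELD])
        if ip is not None:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    print(dict(clients_per_ip(SAMPLE)))
```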