Log Http Tcp Udp To Syslogng

Description

You can use iRules to log a summary of each request and its response, and send the data to a remote syslog server using BIG-IP's syslog-ng daemon. Below are some example rules based on posts in the 9.x forum, together with the corresponding syslog-ng changes that forward a summary of each request and response to a remote syslog server:

iRule Source

1. HTTP logging rule:
when HTTP_REQUEST {
   # capture the URL (host + URI) and the VIP here; they are logged on the response
   set url [HTTP::host][HTTP::uri]
   set vip [IP::local_addr]:[TCP::local_port]
}

when HTTP_RESPONSE {
   set client [IP::client_addr]:[TCP::client_port]
   set node [IP::server_addr]:[TCP::server_port]
   set nodeResp [HTTP::status]

   # log connection info; "for $url" keeps the VIP and URL separated in the message
   log local0.info "Client: $client VIP:$vip to server: $node for $url with response $nodeResp"
}

2. TCP logging rule:
when CLIENT_ACCEPTED {
   # client and VIP are known as soon as the connection is accepted
   set client "[IP::client_addr]:[TCP::client_port]"
   set vip "[IP::local_addr]:[TCP::local_port]"
   # default so the log statement does not fail when no server connection was ever made
   set node "none"
}

when SERVER_CONNECTED {
   set node "[IP::server_addr]:[TCP::server_port]"
}

when CLIENT_CLOSED {
   # log connection info
   log local0.info "Client $client -> VIP: $vip -> Node: $node"
}

3. UDP logging rule:
when CLIENT_ACCEPTED {
   # client and VIP are known as soon as the flow is accepted
   set client "[IP::client_addr]:[UDP::client_port]"
   set vip "[IP::local_addr]:[UDP::local_port]"
   # default so the log statement does not fail when no server connection was ever made
   set node "none"
}

when SERVER_CONNECTED {
   set node "[IP::server_addr]:[UDP::server_port]"
}

when CLIENT_CLOSED {
   # log connection info
   log local0.info "Client $client -> VIP: $vip -> Node: $node"
}

Associate the TCP, UDP and HTTP rules with the respective virtual servers that you want to log connections for. You can enable a rule for a virtual server under the Resources tab for each virtual server. You will need to make sure that the rule matches the type for each virtual server. For example, you can use the TCP or HTTP rules on an HTTP virtual server. However, you cannot associate a UDP rule unless there is a UDP profile associated with the virtual server.
These rules will log to syslog-ng’s local0 facility with the following format:
Mar  1 08:34:01 tmm tmm[730]: Rule HTTP_logging <HTTP_RESPONSE>: Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200
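The syslog-ng filter below forwards only lines that contain the string "logging", which in practice is the iRule name in the "Rule <name> <EVENT>:" prefix. As an added example (not part of the original post), the following Python parses the summary lines the three rules emit into structured fields and applies the same substring test, so you can check which lines would be forwarded and which would stay in /var/log/ltm. The sample lines are constructed for this example; the rule name my_audit is hypothetical and deliberately does not contain "logging".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the format the page's rules emit. The
# "Mon DD hh:mm:ss host tmm[pid]: Rule <name> <EVENT>:" prefix is added by BIG-IP.
SAMPLE_LINES = [
    "Mar  1 08:34:01 tmm tmm[730]: Rule HTTP_logging <HTTP_RESPONSE>: Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200",
    "Mar  1 08:34:05 tmm tmm[730]: Rule TCP_logging <CLIENT_CLOSED>: Client 192.168.42.26:4801 -> VIP: 172.25.2.13:22 -> Node: 172.25.2.234:22",
    "Mar  1 08:34:09 tmm tmm[730]: Rule UDP_logging <CLIENT_CLOSED>: Client 192.168.42.26:53011 -> VIP: 172.25.2.14:53 -> Node: 172.25.2.235:53",
    # hypothetical rule whose name lacks "logging": parses fine, but the filter would not forward it
    "Mar  1 08:34:12 tmm tmm[730]: Rule my_audit <HTTP_RESPONSE>: Client: 10.0.0.5:1234 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/admin with response 404",
    # constructed unrelated local0 entry that should stay in /var/log/ltm
    "Mar  1 08:34:15 tmm tmm[730]: constructed unrelated local0 entry",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RULE_RE = re.compile(r"^Rule (?P<rule>\S+) <(?P<event>\w+)>: (?P<body>.*)$")
# message body written by the HTTP rule
HTTP_RE = re.compile(
    r"^Client: (?P<client>\S+) VIP:(?P<vip>\S+) to server: (?P<node>\S+) for (?P<url>\S+) with response (?P<status>\d{3})$"
)
# message body written by the TCP and UDP rules
L4_RE = re.compile(r"^Client (?P<client>\S+) -> VIP: (?P<vip>\S+) -> Node: (?P<node>\S+)$")


@dataclass
class ConnLog:
    timestamp: str
    rule: str
    event: str
    client: str   # "ip:port" as logged by the rule
    vip: str
    node: str
    url: Optional[str] = None      # HTTP rule only (host + URI)
    status: Optional[int] = None   # HTTP rule only


def parse_line(line: str) -> Optional[ConnLog]:
    """Return a ConnLog for one of the rules' summary lines, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    r = RULE_RE.match(m["msg"])
    if not r:
        return None
    body = r["body"]
    h = HTTP_RE.match(body)
    if h:
        return ConnLog(m["ts"], r["rule"], r["event"], h["client"], h["vip"],
                       h["node"], h["url"], int(h["status"]))
    l4 = L4_RE.match(body)
    if l4:
        return ConnLog(m["ts"], r["rule"], r["event"], l4["client"], l4["vip"], l4["node"])
    return None


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split an "ip:port" field into (ip, port)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def matches_logging_filter(line: str) -> bool:
    """Mirror the substring test of the page's f_local0.info filter, match("logging").
    Facility and level are not checked here: the file format carries no PRI field,
    and every sample line is assumed to be local0.info as the rules log it."""
    return "logging" in line


def split_by_destination(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (lines forwarded to d_logging, lines left for d_ltm)."""
    remote: List[str] = []
    local_file: List[str] = []
    for line in lines:
        (remote if matches_logging_filter(line) else local_file).append(line)
    return remote, local_file


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    remote, local_file = split_by_destination(SAMPLE_LINES)
    print(f"forwarded: {len(remote)}, kept in /var/log/ltm: {len(local_file)}")
```

The my_audit line shows the pitfall: it is a perfectly good summary line, but because its rule name does not contain "logging" the filter leaves it in /var/log/ltm, so either name rules consistently or change the match() to whatever string your rules share.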

You can then configure syslog-ng to pick out the local0.info entries that contain "logging" and send them to a remote syslog server by making the following changes to the /etc/syslog-ng/syslog-ng.conf file. The match("logging") test works because the rule names above (HTTP_logging and so on) appear in each message; if you name your rules differently, change the match() string accordingly.
1. Add a local0.info filter, destination and log statement:
# local0.info                                   send logging entries to remote syslog server
filter f_local0.info {
   facility(local0) and level(info) and match("logging");
};

# destination can be a hostname or IP address
destination d_logging {
   tcp("syslog.myhost.com" port (5000));
};

log {
   source(local);
   filter(f_local0.info);
   destination(d_logging);
};

2. Add "and not match("logging")" to the existing local0.* filter so the logging entries are not also written to /var/log/ltm:
# local0.*                                      /var/log/ltm
filter f_local0 {
   facility(local0) and level(info..emerg) and not match("logging");
};

destination d_ltm {
   file("/var/log/ltm" create_dirs(yes));
};

log {
   source(local);
   filter(f_local0);
   destination(d_ltm);
};

3. Restart syslog-ng to initialize the changes:
bigstart restart syslog-ng

For more complete documentation on syslog-ng, you can refer to their site:

Or here:

–Aaron

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.