How to capture source IP address(clientIP) on F5 LTM .

Question

Hi All , &nbsp;
Is there any way to check clients IP(Source addresses) who is accessing F5 virtual server . I need to check clients IP(Source addresses) and confirm to my customer that they accessed our portals for any specific time or not ..&nbsp;
Need your help !!&nbsp;
mdanish101@gmail.com&nbsp;

sheigh_65772 · Answer

Short answer is yes, the how depends on what data you want logged.
If you need only the IP you can do this:
when CLIENT_ACCEPTED {
   log local0. "clientIP:[IP::client_addr] accessed"
}

If you also need other data such as resources you can use one of the other events such as HTTP_REQUEST:
when HTTP_REQUEST {
    log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
}

logs will be within your /var/log/ltm

danish202_17040 · Answer

Thanks a lot ..quite useful reply :)) Could you tell me the risk when I generate logs with your second rule ...Can I fix the resource or memory used for these logs ? or is there any implicit mechanisim to avoid disaster incase logs are too much ...

sheigh_65772 · Answer

The generic answer is every system is different so it really depends on what kind of data your looking to log. If you want lots of logs you could look into combining a remote syslog server with either a Request Logging Profile or High Speed Logging, there some good reference posts on those already.
You could also take the two I listed above and combine them for something like this:
when CLIENT_ACCEPTED {
   set userlogged 0
}

when HTTP_REQUEST {
    if { $userlogged == 0 } {
        log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
        set userlogged 1
    }
}

The first part will initialize the userlogged variable when the client first connects, and then once the HTTP_REQUEST event is triggered it will log only the first request by the user as userlogged is then set to 1.

sheigh_65772 · Answer

You could also trigger at on a certain uri:
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] equals "/loginpage.aspx" } {
        log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
    }
}

danish202_17040 · Answer

I was going through Insert X-Forwarded-For feature.... Can you little bit explain about it too ..What are the requirements from server side ..&nbsp;
Thanks in advance !!&nbsp;

Forum Discussion

How to capture source IP address(clientIP) on F5 LTM .

8 Replies

Recent Discussions

iRule condition - request contains more than 10000 parameters

Citrix XenServer Big-IP Upgrade help

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

BWC iRule

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

DevCentral Connects hosts Capture the Flag!

Automating Packet Captures on BIG-IP

Capturing source IP addresses for VIP