You'll have to customise the rule below to add the events you are interested in, but you can use the format as a guide:
Notes: This presumes you have created a "MyThreeIps" DataGroup in the /Common partition that includes the three client addresses you are interested in.
It also presumes that you have added a pool in /Common that consists of one or more syslog servers for use with HSL. If not, then comment out the hsl lines and uncomment the "log local" lines.
when CLIENT_ACCEPTED {
    # Open a high-speed logging handle to the syslog pool
    set hsl [HSL::open -proto UDP -pool /Common/syslog]
    # log local0. "HSLocal $hsl"
}

when SERVER_CONNECTED {
    # Only log connections from clients listed in the data group
    if { ([class match [IP::client_addr] equals /Common/MyThreeIps]) } {
        set FrontEnd "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        set BackEnd "[IP::local_addr]:[TCP::local_port] <-> [serverside {IP::remote_addr}]:[TCP::server_port]"
        # Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
        HSL::send $hsl "<190> LDAP HSL: $FrontEnd | $BackEnd"
        # test by logging locally
        # log local0. "$FrontEnd $BackEnd"
        # log local0. "$hsl"
    }
}
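A receiver-side check for the record this iRule sends, as an added example that is not part of the original post: it decodes the `<190>` PRI into facility and severity per RFC 3164 and splits the FrontEnd and BackEnd endpoints. The function names, the field names (`client`, `vip`, `self_ip`, `server`) and the sample datagram are constructed for illustration.

```python
import re
from typing import NamedTuple

# Conventional keywords for the RFC 3164 facility and severity codes, in numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

class Flow(NamedTuple):          # field names are hypothetical labels
    facility: str
    severity: str
    client: str                  # IP::client_addr : TCP::client_port
    vip: str                     # client-side local address and port
    self_ip: str                 # server-side local address and port
    server: str                  # pool member address and port

# Payload shape built by HSL::send: "<PRI> LDAP HSL: FrontEnd | BackEnd"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*LDAP HSL: "
    r"(?P<client>\S+) <-> (?P<vip>\S+) \| (?P<self_ip>\S+) <-> (?P<server>\S+)\s*$"
)

def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 Section 4.1.1)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_hsl_line(datagram: bytes) -> Flow:
    """Decode one UDP payload sent by the iRule; reject anything else."""
    text = datagram.decode("utf-8", errors="replace")
    m = LINE_RE.match(text)
    if m is None:
        raise ValueError(f"not an LDAP HSL record: {text!r}")
    pri = int(m["pri"])
    if pri > 191:                # highest valid PRI is local7.debug
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return Flow(FACILITIES[facility], SEVERITIES[severity],
                m["client"], m["vip"], m["self_ip"], m["server"])

# Constructed sample datagram using documentation address ranges.
SAMPLE = b"<190> LDAP HSL: 192.0.2.10:51514 <-> 198.51.100.5:389 | 10.0.0.2:40022 <-> 10.0.0.50:389\n"

if __name__ == "__main__":
    print(parse_hsl_line(SAMPLE))
```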