Forum Discussion
Brad_Parker (Oct 20, 2015, Cirrus)
Don't write to the local log with the log command. Use HSL, https://devcentral.f5.com/wiki/iRules.HSL.ashx
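when SERVER_CONNECTED {
    # Open a high-speed logging handle to the syslog pool over UDP
    set hsl [HSL::open -proto UDP -pool ]
    # Log client address, local (SNAT) address and server address
    HSL::send $hsl "[IP::client_addr], [IP::local_addr], [IP::server_addr]"
}
when SERVER_CLOSED {
    # Log the local and server address again when the server side closes
    HSL::send $hsl "[IP::local_addr], [IP::server_addr]"
}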
- adam_rothschild (Oct 20, 2015, Nimbostratus): Is there any dependency for the syslog server set in the pool above to accept HSL? Reason I ask is that I see my iRule taking hits in statistics, but never see the log in syslog.
- Brad_Parker (Oct 20, 2015, Cirrus): Your syslog pool should contain a syslog server that is set up to receive syslogs on the configured port with the proto in HSL::open (UDP or TCP). Also, TMM needs to have a route or L2 access to that syslog server.
- adam_rothschild (Oct 20, 2015, Nimbostratus): OK, I have a mgmt route and I see the connection. It doesn't feel correct being that the source (10.32.92.6) is a self IP of the device, and not sure about the any6.any. Maybe I'm not correct about that.
  any6.any any6.any 10.32.92.6:39519 10.17.56.14:514 udp 11 (slot/tmm: 1/1) none
  sys management-route 10.17.56.14/32 { gateway 10.32.92.1 network 10.17.56.14/32 }
- Brad_Parker (Oct 20, 2015, Cirrus): You see the source from a self-IP because it is coming from TMM, not the mgmt. It just happens to be routing through your mgmt interface. I would create a traffic route in TMM rather than routing this through your management interface. HSL actually is sending the logs from TMM, not syslog-ng like the management Linux kernel. You can have a route in both routing tables if you are planning on sending syslogs from both the system and your iRule.
- adam_rothschild (Oct 21, 2015, Nimbostratus): Awesome, I am almost there. Last step is I need a few extra fields to appear in the log sent via HSL. Currently HSL sends just this info in the syslog message "10.222.146.177, 10.62.239.11, 10.62.234.30", which I need. When I was logging to local0. I also got this syslog message "Oct 15 16:42:38 slot1/F5-DEVICE-NAME-1 info tmm1[25855]: Rule /Common/snatmatch : 10.222.146.177, 10.62.239.11, 10.62.234.30". I am now looking for the field names to match up to the other parts of the syslog message and add them into the HSL fields. I have not found a reference guide just yet.
- Brad_Parker (Oct 21, 2015, Cirrus): What you will probably want to do is to play with creating a log publisher, remote syslog destination, which forwards to a remote High-Speed Log destination. That should help get the format you are wanting, then you can tweak your message as you see fit. Then you can use your created publisher in your HSL::open command. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-5-0/2.html
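
A different route to the missing fields than the log publisher suggested above, given here as an added example that is not code from the thread or from F5: HSL::send transmits only the string it is handed, so the iRule can prepend a BSD-syslog style header (priority, timestamp, hostname, tag) itself. The pool name `syslog_pool` is a placeholder, the tag `snatmatch` is taken from the rule name in the local0 log line quoted above, and the facility/severity pair local0.info is an assumption.

```tcl
when RULE_INIT {
    # Syslog PRI value = facility * 8 + severity.
    # Assumed here: facility local0 (16), severity info (6), which gives 134.
    set static::hsl_pri [expr {16 * 8 + 6}]
}

when SERVER_CONNECTED {
    # "syslog_pool" is a placeholder; use the pool that holds the syslog server.
    set hsl [HSL::open -proto UDP -pool syslog_pool]

    # Timestamp in the same "Oct 15 16:42:38" layout as the local0 message.
    set ts [clock format [clock seconds] -format "%b %d %H:%M:%S"]

    # Header: <PRI>TIMESTAMP HOSTNAME TAG: followed by the original payload.
    set hdr "<$static::hsl_pri>$ts [info hostname] snatmatch:"
    HSL::send $hsl "$hdr [IP::client_addr], [IP::local_addr], [IP::server_addr]"
}

when SERVER_CLOSED {
    # Rebuild the timestamp so the close event carries its own time.
    set ts [clock format [clock seconds] -format "%b %d %H:%M:%S"]
    set hdr "<$static::hsl_pri>$ts [info hostname] snatmatch:"
    HSL::send $hsl "$hdr [IP::local_addr], [IP::server_addr]"
}
```

With the header in place, a receiver that parses the priority field can file these messages by facility and severity rather than treating each datagram as an unclassified line.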