Forum Discussion
Kevin_Davies
Oct 13, 2017MVP
If you add this iRule to your SSH virtual server...
when LB_SELECTED {
log local0.info [LB::server addr] "Client [IP::client_addr] connected to [LB::server addr]"
}
Then on your SSH servers allow incoming syslog from the F5 and update your syslog configuration file /etc/syslogd.conf by adding the following line. This will send incoming logs from the iRule to the same log file that logs SSH authentication in Ubuntu at least. The actual file will vary depending on OS.
local0.info /var/log/auth.log
So everytime someone uses SSH to your virtual server they will get two log entries in auth.log on the linux system. One with the connection details showing the original IP address and another showing the login from the local SSH daemon.