Forum Discussion

justin_westover's avatar
justin_westover
Icon for Nimbostratus rankNimbostratus
Aug 29, 2016

Setup High Speed Logging on Client Auth iRule

I have the below iRule and I would like to add high speed logging functionality instead of logging to the local0 LTM file. We have a splunk server where we stand all of our logs from the F5 when then...
devops
iRules
LTM
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Aug 29, 2016

Something like this? Make sure you setup the syslog pool (hsl_syslog_pool).

when RULE_INIT {
     High speed logging setup - local7.info
    set static::bigip [info hostname]
    set static::facility <190>
    set static::hsl_prefix "$static::facility|host=$static::bigip"
}

when CLIENT_ACCEPTED {
     Open a connection for high speed logging to hsl_syslog_pool & define log prefix
    set hsl [HSL::open -proto UDP -pool hsl_syslog_pool]
    set hsl_prefix "${static::hsl_prefix}|client=[IP::client_addr]:[TCP::client_port]"
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        set log_message "No Certificate Provided"
        HSL::send $hsl "$hsl_prefix|$log_message"
        drop
    }
    else {
        set log_message "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        HSL::send $hsl "$hsl_prefix|$log_message"

        if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
            set log_message "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]" 
            HSL::send $hsl "$hsl_prefix|$log_message"
        }
        else {
            set log_message "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            HSL::send $hsl "$hsl_prefix|$log_message"
            reject
        }
    }
}