Forum Discussion
Michael_Saleem1
Mar 01, 2019 Cirrus
You could make use of High Speed Logging (HSL) to send SSL connection information to a syslog server.
1) Create a pool containing the syslog server:

    tmsh create ltm pool HSL-POOL-514 members add { :514 }

2) Create an iRule which uses HSL to send SSL connection information to the syslog server:

    # Open the HSL connection once per TCP connection, before any HTTP or TLS event fires
    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto UDP -pool HSL-POOL-514]
    }
    # Capture the request details; these variables persist for the life of the connection
    when HTTP_REQUEST {
        set HOST [HTTP::host]
        set METHOD [HTTP::method]
        set URI [HTTP::uri]
        set HTTP_VERSION [HTTP::version]
    }
    # Record the negotiated protocol version and cipher once the client-side handshake completes
    # (assumes the virtual server has a client SSL profile, so this event fires before any response)
    when CLIENTSSL_HANDSHAKE {
        set SSL_VERSION [SSL::cipher version]
        set SSL_CIPHER [SSL::cipher name]
    }
    # Emit one log line per response; <190> is the syslog priority for local7.info
    when HTTP_RESPONSE {
        HSL::send $hsl "<190> SSL Version: $SSL_VERSION, SSL Cipher: $SSL_CIPHER, Source: [IP::client_addr]:[TCP::client_port], Destination: [clientside {IP::local_addr}]:[clientside {TCP::local_port}], Pool Member: [IP::server_addr]:[TCP::server_port], Host: $HOST, $METHOD $URI HTTP/$HTTP_VERSION, Status: [HTTP::status]"
    }
An example of a log line you will see:

    11-13-2017 21:47:38 Local7.Info 192.168.1.252 SSL Version: TLSv1.2, SSL Cipher: DHE-RSA-AES256-GCM-SHA384, Source: 192.168.1.124:45886, Destination: 192.168.1.100:443, Pool Member: 172.24.32.11:80, Host: www.example.com, GET /index.html HTTP/1.1, Status: 200
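Once these lines reach the syslog server, the useful defender's step is to consume them and flag connections that negotiated a deprecated protocol version or a weak cipher suite, which tells you which clients would break before you tighten the client SSL profile. The following is an added example, not code from the post or from F5: a Python parser for the exact field layout produced by the HSL::send string above, run over the post's log line plus two constructed lines. The deprecated-version set and the weak-cipher substrings are this example's own policy assumptions, not anything the post states.

```python
"""Parse the syslog lines written by the HSL iRule above and flag weak TLS.
Added example; the field order mirrors the HSL::send format string in the post."""
import re
from collections import Counter

# One named group per field in the HSL::send string: timestamp, facility and
# device prefix added by the syslog server, then version, cipher, source,
# destination, pool member, host, request line and status.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<device>\S+) "
    r"SSL Version: (?P<ssl_version>[^,]+), "
    r"SSL Cipher: (?P<cipher>[^,]+), "
    r"Source: (?P<src>[^,]+), "
    r"Destination: (?P<dst>[^,]+), "
    r"Pool Member: (?P<member>[^,]+), "
    r"Host: (?P<host>[^,]+), "
    r"(?P<method>[A-Z]+) (?P<uri>.+?) HTTP/(?P<http_version>[0-9.]+), "
    r"Status: (?P<status>\d{3})$"
)

# Policy assumptions of this example: protocol versions that should no longer
# be negotiated, and substrings of OpenSSL cipher names that mark a weak suite.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def parse_line(line):
    """Return a dict of named fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(record):
    """Return a list of findings for one parsed record; an empty list means nothing to flag."""
    findings = []
    if record["ssl_version"] in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol {record['ssl_version']}")
    cipher = record["cipher"].upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in cipher:
            findings.append(f"weak cipher {record['cipher']} ({marker})")
            break
    return findings


def scan(lines):
    """Parse every line; return (flagged, version_counts, unparsed_count).

    flagged is a list of (source, host, findings) for lines with at least one finding.
    Lines that do not match the format are counted rather than silently dropped,
    so a change in the iRule's format string shows up as a rising unparsed count."""
    flagged = []
    versions = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        versions[rec["ssl_version"]] += 1
        findings = assess(rec)
        if findings:
            flagged.append((rec["src"], rec["host"], findings))
    return flagged, versions, unparsed


SAMPLE_LOG = [
    # The line shown in the post.
    "11-13-2017 21:47:38 Local7.Info 192.168.1.252 SSL Version: TLSv1.2, SSL Cipher: DHE-RSA-AES256-GCM-SHA384, Source: 192.168.1.124:45886, Destination: 192.168.1.100:443, Pool Member: 172.24.32.11:80, Host: www.example.com, GET /index.html HTTP/1.1, Status: 200",
    # Constructed: a legacy client negotiating TLSv1 with an RC4 suite; the URI contains a comma.
    "11-13-2017 21:48:02 Local7.Info 192.168.1.252 SSL Version: TLSv1, SSL Cipher: RC4-SHA, Source: 192.168.1.77:51200, Destination: 192.168.1.100:443, Pool Member: 172.24.32.11:80, Host: www.example.com, GET /login?next=/a,b HTTP/1.1, Status: 302",
    # Constructed: a line in a different format, as another iRule on the same box might write.
    "11-13-2017 21:48:05 Local7.Info 192.168.1.252 some unrelated message",
]

if __name__ == "__main__":
    flagged, versions, unparsed = scan(SAMPLE_LOG)
    for src, host, findings in flagged:
        print(f"{src} -> {host}: {'; '.join(findings)}")
    print("versions seen:", dict(versions), "unparsed lines:", unparsed)
```

The URI group is non-greedy and anchored on the trailing " HTTP/x.y, Status: nnn" so a comma inside the request URI does not break the parse; because the HSL line is a single space- and comma-delimited string rather than structured syslog, any other field that could contain a comma (for example a hostname supplied by the client) would need the same treatment.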