80% CPU0 and 10% on the other cores sounds like the issue might be that the VIP was demoted from CMP (using all available cores -
Click here). Was there a global variable in the iRule--or was it literally what you posted? I don't think anything in the rule you posted would prevent CMP from working. Unless maybe alertd and/or syslog-ng are only running on CPU0 and that's what was using the CPU cycles on CPU0 while logging was enabled.
You could enable timing on the iRule (
Click here) and compare the results with and without the log statement.
Also, you could use a switch statement for more efficient evaluation of the host header value:
when HTTP_REQUEST priority 50 {
if {[HTTP::header exists Host]} {
switch [string tolower [HTTP::host]] {
"admin.xx.com" -
"tool.xx.com" {
log local0. "Potential header manipulation detected. Request for [HTTP::host] from [IP::client_addr]"
HTTP::header replace Host www.xx.com
}
}
}
}
Aaron