Forum Discussion

Marissa_Kato_10
Jul 14, 2006

irule that logs source IP address on BigIp OR server

I have found a solution (see below) on the askf5.com page that gives me the syntax for this request (i.e. SOL2530); however, I am fairly new at coding and am not sure what variables I need to input (for example, what would I enter for "bgz").

 

 

OR, is it possible to record the actual source ip addresses on the server logs instead of the server logging the BigIP address, and if so, how would I code the irule for that? And would it consume an excess amount of resource on the BigIP?

 

 

In advance, any help would be greatly appreciated.

 

 

Thanks,

 

 

Rule given to log on the BigIP-SOL2530:

 

 

    rule log_me {
        if (http_uri matches_regex "bgz") {
            log "client " + client_addr + ":" + client_port
            use pool web
        }
        else {
            log "client " + client_addr + ":" + client_port
            use pool web
        }
    }

 

 

 

The output string for this sample rule will appear in the /var/log/bigip file as follows:

 

 

May 2 11:39:33 bigip1 kernel: RULE log_me - client 192.168.21.48:1431

 

Logging rule syntax from prior versions of BIG-IP still functions the same in BIG-IP version 4.5 PTF-04 and later, as long as the total character length is less than 64 characters.

 

 

 

 

1 Reply

  • You don't necessarily need a rule to do what you are requesting...I'm assuming from your description that there is a SNAT enabled on BIG-IP that is changing the client source IP (this is required if BIG-IP is not the default gateway of the servers).

     

     

    You can insert an X-Forwarded-For header (or a custom header) in the HTTP headers that BIG-IP sends to the server in the request, and if the servers are configured to log that as well then you can see the client IPs in the server logs that way. See the manual section on custom headers Click here

     

     

    For IIS, there is an ISAPI filter posted here on DevCentral to allow it to replace the client IP logged with the X-Forwarded-For header address. Click here

     

     

    I'm not sure how to configure other servers to log X-Forwarded-For though.

     

     

    The "bgz" in the example rule is just to show how to log if the URI contains "bgz"....if you are wanting to log everything then you don't need the conditional match. But beware that logging everything could be a performance hog.

     

     

    Hope this helps,

     

    Denny
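
For servers without a ready-made filter, the server-side half of the X-Forwarded-For approach can be sketched as below. This is an added example, not part of the original thread or F5's code. It assumes the servers know which peer addresses belong to BIG-IP (`TRUSTED_PROXIES`, a constructed range) and that BIG-IP's inserted value arrives after any header the client sent; the function names are hypothetical.

```python
import ipaddress

# Assumption: the address range the web servers see as the TCP peer when a
# request arrives through BIG-IP (its SNAT/self IPs). Constructed sample value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_for_log(peer_addr, xff_values):
    """Pick the address to write to the access log.

    peer_addr  -- source address of the TCP connection as the server sees it
    xff_values -- every X-Forwarded-For header value, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        # Not from the load balancer: the header is client-controlled, ignore it.
        return str(peer)
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right: the rightmost entries were added closest to us.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the peer address
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For values)
    samples = [
        ("10.0.0.2", ["192.168.21.48"]),
        ("10.0.0.2", ["1.2.3.4", "192.168.21.48"]),  # client sent its own header
        ("203.0.113.9", ["1.2.3.4"]),                # bypassed the load balancer
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip_for_log(peer, xff))
```

Logging the raw header alone lets any client choose the address that ends up in the server log, which is why the peer address is checked first.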