Forum Discussion

justin_westover
Aug 29, 2016

Setup High Speed Logging on Client Auth iRule

I have the below iRule and I would like to add high speed logging functionality instead of logging to the local0 LTM file. We have a Splunk server where we send all of our logs from the F5 when they come from an iRule set up with HSL. So basically, everywhere I have a log local0 command, I would rather send those logs to Splunk using HSL. Thoughts?


    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] == 0 } {
            log local0. "No Certificate Provided"
            drop
        } else {
            log local0. "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
                log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            } else {
                log local0. "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                reject
            }
        }
    }


1 Reply

  • Something like this? Make sure you set up the syslog pool (hsl_syslog_pool).

    when RULE_INIT {
        # High speed logging setup - local7.info (syslog PRI 190 = facility 23 * 8 + severity 6)
        set static::bigip [info hostname]
        set static::facility <190>
        set static::hsl_prefix "$static::facility|host=$static::bigip"
    }

    when CLIENT_ACCEPTED {
        # Open a connection for high speed logging to hsl_syslog_pool & define log prefix
        set hsl [HSL::open -proto UDP -pool hsl_syslog_pool]
        set hsl_prefix "${static::hsl_prefix}|client=[IP::client_addr]:[TCP::client_port]"
    }

    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] == 0 } {
            set log_message "No Certificate Provided"
            HSL::send $hsl "$hsl_prefix|$log_message"
            drop
        } else {
            # Tcl needs "} else {" on one line; a bare "else" on its own line is a syntax error
            set log_message "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            HSL::send $hsl "$hsl_prefix|$log_message"

            if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
                set log_message "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                HSL::send $hsl "$hsl_prefix|$log_message"
            } else {
                set log_message "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                HSL::send $hsl "$hsl_prefix|$log_message"
                reject
            }
        }
    }
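To check what actually arrives on the Splunk side, here is an added Python parser (not part of the reply or of F5's own tooling) for the `<PRI>|host=...|client=ip:port|message` format the iRule above emits; it decodes the PRI into facility and severity, classifies each client-cert event, and pulls out the certificate serial so rejected serials can be counted. The sample lines are constructed, and the hostname and IPs are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the format the reply's iRule sends over HSL:
# <PRI>|host=<bigip hostname>|client=<ip>:<port>|<message>
SAMPLE_LINES = [
    "<190>|host=bigip1.example.net|client=10.0.0.5:51234|No Certificate Provided",
    "<190>|host=bigip1.example.net|client=10.0.0.6:51240|Client Certificate Received - IP:10.0.0.6 Serial:1a2b3c",
    "<190>|host=bigip1.example.net|client=10.0.0.6:51240|Client Accepted - IP:10.0.0.6 Serial:1a2b3c",
    "<190>|host=bigip1.example.net|client=10.0.0.7:51300|Client Certificate Received - IP:10.0.0.7 Serial:deadbeef",
    "<190>|host=bigip1.example.net|client=10.0.0.7:51300|Client Rejected -IP:10.0.0.7 Serial:deadbeef",
]

# Greedy [^|]+ for the client address backtracks to the LAST colon, so an IPv6
# client address (which itself contains colons) still splits correctly from the port.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\|host=(?P<host>[^|]+)\|client=(?P<ip>[^|]+):(?P<port>\d+)\|(?P<msg>.*)$"
)
SERIAL_RE = re.compile(r"Serial:(\S+)")
# Message prefix -> event label, in the order the iRule can emit them
EVENT_PREFIXES = [("No Certificate", "no_cert"), ("Client Certificate", "received"),
                  ("Client Accepted", "accepted"), ("Client Rejected", "rejected")]

def parse_hsl_line(line):
    """Parse one HSL line; return a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, msg = int(m.group("pri")), m.group("msg")
    event = next((label for prefix, label in EVENT_PREFIXES if msg.startswith(prefix)), "other")
    serial = SERIAL_RE.search(msg)
    return {
        "facility": pri // 8, "severity": pri % 8,   # 190 -> local7 (23), info (6)
        "host": m.group("host"), "client_ip": m.group("ip"), "client_port": int(m.group("port")),
        "event": event, "serial": serial.group(1) if serial else None, "message": msg,
    }

def summarize(lines):
    """Count events and collect (client_ip, serial) pairs for rejected certificates."""
    events, rejected = Counter(), []
    for line in lines:
        rec = parse_hsl_line(line)
        if rec is None:
            events["unparsed"] += 1
            continue
        events[rec["event"]] += 1
        if rec["event"] == "rejected" and rec["serial"]:
            rejected.append((rec["client_ip"], rec["serial"]))
    return events, rejected
```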