Forum Discussion

Rodrigo_Mori_13's avatar
Oct 03, 2017
Solved

Configuring Syslog Server for a Specific Virtual Server

Hi, guys

 

I have an application in BIG IP, according to the image.

 

I need all the IPs that have accessed VS_APP1 to be registered on the syslog server.

 

Someone could help me set this up.

 

Thank you

 

  • Greetings,

    I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-5-0/1.html

    In the Request profile Template section, I simply entered:

    Client IP is: ${CLIENT_IP}

    And it was sent to the remote syslog:

    14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog]
            0x0000:  4500 0037 cb69 4000 ff11 6da1 0a0c 1778  E..7.i@...m....x
            0x0010:  0a0c 171b bd08 0202 0023 7989 436c 6965  .........y.Clie
            0x0020:  6e74 2049 5020 6973 3a20 3130 2e31 322e  nt.IP.is:.10.12.
            0x0030:  3235 302e 3133 30                        250.130
    

    Hope this is useful!

    Kevin

8 Replies

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account

    Greetings,

    I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-5-0/1.html

    In the Request profile Template section, I simply entered:

    Client IP is: ${CLIENT_IP}

    And it was sent to the remote syslog:

    14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog]
            0x0000:  4500 0037 cb69 4000 ff11 6da1 0a0c 1778  E..7.i@...m....x
            0x0010:  0a0c 171b bd08 0202 0023 7989 436c 6965  .........y.Clie
            0x0020:  6e74 2049 5020 6973 3a20 3130 2e31 322e  nt.IP.is:.10.12.
            0x0030:  3235 302e 3133 30                        250.130
    

    Hope this is useful!

    Kevin

    • Rodrigo_Mori_13's avatar
      Rodrigo_Mori_13
      Icon for Cirrus rankCirrus

      In case, for me to send the log to the "Local 6" Syslog server, how can this be done?

       

    • Kevin_K_51432's avatar
      Kevin_K_51432
      Historic F5 Account

      Hi Rodrigo,

       

      In researching, it seems local0 to local7 are reserved for local use. So a custom application running on the server can log to it's own file. There's probably some simple way to hack remote message using local facility, but I wasn't able to come up with one.

       

      The best I could do was add the following line to my rsyslog config:

       

      if $fromhost-ip startswith '10.12.23.' then /var/log/local6.log

       

      tail -f /var/log/local6.log

       

      Oct 4 08:34:54 local6.notice Client IP is: 10.12.250.130

       

      Hope this is somewhat helpful, let us know if you come up with something!

       

      Thanks,

       

      Kevin

       

    • Rodrigo_Mori_13's avatar
      Rodrigo_Mori_13
      Icon for Cirrus rankCirrus

      Hi, kevin

       

      I configured the profile "request logging".

       

      The problem I'm having is that on the production ssyslog (Linux) server the access information does not appear.

       

      I installed a syslog program on my computer for testing (3CDaemon program) and in this case the access information appeared correctly.

       

      It seems that BIG-IP forwards this information to a "user.info" facility, and this facility is what does not appear on the production syslog server.

       

      You would have to see a way for this information to be routed to some "local (1-6) location on the production syslog server."

       

  • Snl's avatar
    Snl
    Icon for Cirrostratus rankCirrostratus

    one more option is to use HSL irule for this , create pool name POOL_SYSLOG

    refer below

    POOL_SYSLOG-create a pool with syslog server ip address
    
        when HTTP_REQUEST {
    
    set http_request_time [clock clicks -milliseconds]
    set timestamp [clock format [clock seconds] -format {%d/%b/%Y:%H:%M:%S %z}] 
    set remote [IP::remote_addr]
    set client [IP::client_addr]:[TCP::client_port]
    set url [HTTP::host][HTTP::uri]
    set referer [HTTP::header "Referer"]
    set vip [IP::local_addr]:[TCP::local_port]
    set httpMethod [HTTP::method]
    set httpVersion [HTTP::version]
    set xforwardfor [HTTP::header X-Forwarded-For]
    set url [string map " x" $url]
    set referer [string map " x" $referer] 
    set hsl [HSL::open -proto UDP -pool POOL_SYSLOG]
    
     Limit the url variable to 300 characters
    if {[string length $url] > 300} {
      set url "[string range $url 0 300]..."   
    }
    
     Limit the referer variable to 300 characters
    if {[string length $referer] > 300} {
      set referer "[string range $referer 0 300]..."   
    }
    
     Build the Request log line
    set request_log_line " $timestamp  [virtual name]  $client  $remote  $vip  $url  $referer  $httpMethod  $httpVersion" 
    log local0.info "Request - $request_log_line"
    }
    
    when HTTP_RESPONSE {
    
     VARIABLES
     Initialize local variables used in this rule
    
    set http_response_time [ clock clicks -milliseconds ]
    set client [IP::client_addr]:[TCP::client_port]
    set node [IP::server_addr]:[TCP::server_port]
    set nodeResp [HTTP::status]
    set payloadLength [HTTP::payload length]
    set responseTime [expr $http_response_time - $http_request_time]
    
      Build the Response log line
     set response_log_line "$client  $node  $nodeResp  $payloadLength  $responseTime  $http_request_time  $xforwardfor" 
    log local0.info "Response - $response_log_line"
    
     Write Request and Response log lines to the LTM log
    HSL::send $hsl "IRULE_COMMON_LOG : $request_log_line  -  $response_log_line"
     }
    }
    
  • It's all about the default syslog message format as it turns out.

     

    Here's what worked for me:

     

    • Request Logging Template = $DATE_MON $DATE_DD $TIME_HMS slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=$CLIENT_IP method=$HTTP_METHOD uri=$HTTP_URI* everything that is not preceded by $ (text in bold) is just simple text i entered that appears "as is" in logs
    • syslog-ng filter = host("NNORM3-LB002V01" ) and match("HTTP-REQ-LOG" value("MESSAGE"))
    • log message example = Jun 29 01:28:27 slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=10.250.158.188 method=GET uri=/dsa-claims

    Inspired by: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-macros.html

     

    Enjoy