N__197982
Jan 11, 2019

iRule to log an output to syslog server.

Folks, I am looking for some changes to an iRule which will log an output to a syslog server directly. My iRule checks if the connection is on TLS1.0 and, if yes, logs the client IP address.

 

The change I need is to log this client IP to a syslog server.

 

Here is the iRule:

    when HTTP_REQUEST {
        if { [SSL::cipher version] eq "TLSv1" } {
            log local0. "Webmail Client Source IP: [IP::client_addr]"
        }
    }

 

Thanks!!!! N.

 

2 Replies

  • You want to use HSL - high-speed logging. You can do that either to a pool (of log servers) or via a publisher. Below is an example to a pool, but I'm sure you can work out how to send it to a publisher.

    when HTTP_REQUEST { 
        if { [SSL::cipher version] eq "TLSv1" } { 
            set hsl [HSL::open -proto UDP -pool syslog_server_pool]
            HSL::send $hsl "Webmail Client Source IP: [IP::client_addr]" 
        } 
    }
    

    Take a look here for details of the HSL commands

  • Hi N.,

    you may take a look at the [HSL] (High Speed Logging) iRule command. The command will bypass the local SYSLOG-NG environment and directly open a connection to your SYSLOG out of an iRule...

    https://devcentral.f5.com/wiki/iRules.HSL.ashx

    when CLIENT_ACCEPTED {
        # Open a UDP based SYSLOG connection to your syslog server pool.
        set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    }
    when HTTP_REQUEST { 
        if { [SSL::cipher version] eq "TLSv1" } then {
            # Log client IP as local7.info over the just created connection...
            HSL::send $hsl "<190> Webmail Client Source IP: [IP::client_addr]" 
        } 
    }
    

    Cheers, Kai
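
The two replies differ in whether the message carries a syslog PRI (`<190>`, i.e. local7.info). As an added example that is not part of the original thread, this Python parser shows how a receiver can decode both forms and tally TLS 1.0 clients; the function names and sample datagrams are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13  # RFC 3164: a message without a PRI is treated as user.notice
PRI_RE = re.compile(r"^<(\d{1,3})>")
MSG_RE = re.compile(r"Webmail Client Source IP: (\S+)")

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local7.info -> 190."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_datagram(data):
    """Return facility, severity and client IP for one HSL datagram, or None."""
    text = data.decode("utf-8", errors="replace").strip()
    pri, body = DEFAULT_PRI, text
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:  # 191 = local7.debug, the highest valid PRI
        pri, body = int(m.group(1)), text[m.end():]
    hit = MSG_RE.search(body)
    if hit is None:
        return None
    try:
        # Drop a "%<id>" route-domain suffix if the address carries one.
        client = ipaddress.ip_address(hit.group(1).split("%")[0])
    except ValueError:
        return None  # reject anything that is not a valid IP address
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "client": str(client)}

def tls10_clients(datagrams):
    """Count TLS 1.0 hits per client address."""
    records = (parse_datagram(d) for d in datagrams)
    return Counter(r["client"] for r in records if r)

# Constructed sample datagrams (documentation address ranges, not real traffic).
SAMPLE = [b"<190> Webmail Client Source IP: 192.0.2.10",
          b"Webmail Client Source IP: 192.0.2.10",  # no PRI, as in the first reply
          b"<190> Webmail Client Source IP: 2001:db8::5",
          b"<190> Webmail Client Source IP: 198.51.100.7%2",
          b"<190> unrelated message"]

if __name__ == "__main__":
    for client, hits in tls10_clients(SAMPLE).most_common():
        print(client, hits)
```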