Jeffrey_Silver1
Oct 09, 2013

I need an iRule to log HTTP traffic to Splunk to capture the originating IP address before it gets NAT'd

I need to capture original IP addresses for HTTP traffic that passes through an F5 LTM then gets NAT'd. I've read several posts but I am not exactly sure where to begin. I am running 10.2.4.

 

4 Replies

  • We do something similar. I'm sure it could be optimized, but it works:

    when SERVER_CONNECTED {
      set client_remote "[IP::client_addr]:[TCP::client_port]"
      set client_local  "[IP::local_addr clientside]:[TCP::local_port clientside]"
      set server_local  "[IP::local_addr]:[TCP::local_port]"
      set server_remote "[IP::server_addr]:[TCP::server_port]"
      log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
    }
    
  • In the HTTP profile you can also enable the injection of response header "X-FORWARDED-FOR" which the backend server can then log too.

     

  • I take it you're looking for a logging function - sending the data to Splunk. The X-Forwarded-For option is for inserting an HTTP header in the request to the application server. You can certainly use the [IP::client_addr] command in mostly any of the client side events (i.e. CLIENT_ACCEPTED, HTTP_REQUEST, etc.), and you'll most likely also want to do this with High Speed Logging in lieu of standard "log local" functions:

     

    https://devcentral.f5.com/wiki/iRules.HSL__send.ashx

     

    If you can move up to (at least) 11.1, you can also just build a request logging profile and completely skip the iRules:

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-3-0/1.html?sr=31972321
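
The High Speed Logging approach from the last reply, combined with the address fields from the first reply, as an added example that is not from any poster in the thread. The pool name `splunk_syslog_pool` (a pool whose members are the Splunk syslog listeners) and the key=value field names are assumptions.

```tcl
# Added example, not code from the thread.
# Assumption: "splunk_syslog_pool" is an LTM pool containing the Splunk
# syslog input(s), listening on UDP.
when CLIENT_ACCEPTED {
    # One HSL handle per client connection.
    set hsl [HSL::open -proto UDP -pool splunk_syslog_pool]
    # Client-side context: the original (pre-NAT) client endpoint and
    # the virtual server address it connected to.
    set c_remote "[IP::client_addr]:[TCP::client_port]"
    set c_local  "[IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    # Host and URI are client-controlled. Strip CR/LF and encode double
    # quotes so a request cannot forge extra fields or extra log lines.
    set req "[HTTP::method] [HTTP::host][HTTP::uri]"
    set req [string map [list "\"" "%22" "\r" "" "\n" ""] $req]
}

when HTTP_RESPONSE {
    # Server-side context: IP::local_addr is now the translated source
    # address the pool member sees.
    set s_local  "[IP::local_addr]:[TCP::local_port]"
    set s_remote "[IP::server_addr]:[TCP::server_port]"
    # <134> is syslog priority local0.info (16 * 8 + 6).
    HSL::send $hsl "<134>ltm_http client=$c_remote vip=$c_local ltm_src=$s_local server=$s_remote status=[HTTP::status] request=\"$req\"\n"
}
```

Each response produces one line that ties the original client address to the translated address the server logged, so the two log sources can be joined in Splunk on `ltm_src`.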