irule help to log a traffic to a VIP

Question

Hello, &nbsp;I need to log http request and response for a VIP using iRule. Was trying to follow below URL but i have some questions. &nbsp;https://support.f5.com/csp/article/K42210592&nbsp;1st what I should Put in the excel field. ?  And here it does not say to match VIP IP , so how it will know how to match which VIP or whatever VIP I call this iRule will be applied to that VIP Only  ?&gt;&nbsp;&nbsp;when HTTP_REQUEST {&nbsp;&nbsp;&nbsp; if {[IP::addr [IP::client_addr]]&nbsp;equals "10.10.10.10"} {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;action&gt;&nbsp;&nbsp;&nbsp; }}

sajid · Answer

have look at F5 and Splunk integration&nbsp;&nbsp;iRule_http exampleiRuleirule_httpDescriptionThis rule collects and sends http(s) traffic data and lb_faild event data to the Splunk platform. A load balancing failure triggers this event.Example&nbsp; when CLIENT_ACCEPTED {    set client_address [IP::client_addr]    set vip [IP::local_addr]}when HTTP_REQUEST {    set http_host [HTTP::host]:[TCP::local_port]    set http_uri [HTTP::uri]    set http_url $http_host$http_uri    set http_method [HTTP::method]    set http_version [HTTP::version]    set http_user_agent [HTTP::header "User-Agent"]    set http_content_type [HTTP::header "Content-Type"]    set http_referrer [HTTP::header "Referer"]    set tcp_start_time [clock clicks -milliseconds]    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d&nbsp;%H:%M:%S"]    set cookie [HTTP::cookie names]    set user [HTTP::username]    set virtual_server [LB::server]          if { [HTTP::header Content-Length] &gt; 0 } then {        set req_length [HTTP::header "Content-Length"]    } else {        set req_length 0    }}when HTTP_RESPONSE {    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d&nbsp;%H:%M:%S"]    set node [IP::server_addr]    set node_port [TCP::server_port]    set http_status [HTTP::status]    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]    if { [HTTP::header Content-Length] &gt; 0 } then {        set res_length [HTTP::header "Content-Length"]    } else {        set res_length 0    }    set hsl [HSL::open -proto UDP -pool Pool-syslog]    HSL::send $hsl "&lt;190&gt;,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length
"}when LB_FAILED {    set hsl [HSL::open -proto UDP -pool Pool-syslog]    HSL::send $hsl "&lt;190&gt;,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length
"}&nbsp;Reference:https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup&nbsp;

nikoolayy1 · Answer

For HTTP VIP better use the integraded F5 Request Logging profile if possible as the previous solutions that were provided to you need an iRule. Check if you can use Request Logging profile or the iRules that @ Sajid or @Dario Garrido provided.

https://support.f5.com/csp/article/K00847516

dario_garrido · Answer

Hello Subrun.First you need to provision this iRule in the resources section of one specific virtual server.After that, this iRule will be executed when the specific condition occurs, in your example (HTTP_REQUEST), when one HTTP resquest is received.Beside this, take into account that "&lt;action&gt;" will only be executed when source IP ([IP::client_addr]) matches "10.10.10.10". You can modify it appropriately.In your "action" section you can log anything (variables, text, etc.). An example:when HTTP_REQUEST {
    if {[IP::addr [IP::client_addr]] equals "10.10.10.10"} {
       log local0. "Traffic matches the iRule"
    }
}Another example:when HTTP_REQUEST {
    if {[IP::addr [IP::client_addr]] equals "10.10.10.10"} {
       log local0. "Traffic matches the iRule with source IP: [IP::client_addr]"
    }
}For logging traffic with responses, you should use HTTP_RESPONSE event.Regards,Dario.

jaikumar_f5 · Answer

&nbsp;&nbsp;You create the irule as per the article that you've shared. Then you have to bind (apply) that Irule to your VS. So only that VIP will process that Irule &amp; you'll get your loggings.&nbsp;I'm a fan of https://devcentral.f5.com/s/articles/ultimate-irule-debug-capture-and-investigate-1183 - this covers almost everything, but if its too much of info, you can simply go for https://devcentral.f5.com/s/articles/log-http-headers or go like &nbsp; said above. Thats too simple.

Forum Discussion

irule help to log a traffic to a VIP

4 Replies

Recent Discussions

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

APM OCSP Responder Issues

Related Content

iRule to log traffic details

fellow traffic

Block traffic

Routing traffic by URI using iRule

Traffic Intelligence in AFM