[BIG-IP] How to send logs to the Syslog server using iRules


Work environment

  • BIG-IP Virtual Edition
    • version 15.x.x

Sending access logs using iRules

BIG-IP can be configured to use iRules to send logs to the Syslog server.

Because the iRule decides what goes into each log line, you can include information such as the following and send it to the Syslog server as an access log.

  • Client IP, server IP, server Port
  • HTTP header information, URI, path, status code
  • Time of day
  • and so on

[Preparation] Setting of destination Syslog server

Configure the Syslog server that the logs will be sent to.

Syslog server pool settings

Click Create from the [Local Traffic> Pools: Pool List] screen.

Enter the pool name, enter the Syslog server IP address and service port (typically 514) in the New Members field, and click Add.

Confirm that the Syslog server information has been added to the list and click Finished.

Log Destinations settings

Click Create on the [System> Logs> Configuration> Log Destinations] screen.

On the screen that appears, make the following settings and click Finished.

  • Name: Any name that identifies this setting
  • Type: Remote High-Speed Log
  • Pool Name: The name of the Syslog server pool created above
  • Protocol: Select TCP or UDP according to Syslog server specifications

Then click Create again on the [System> Logs> Configuration> Log Destinations] screen.

On the screen that appears, make the following settings and click Finished.

  • Name: Any name that identifies this setting
  • Type: Remote Syslog
  • Forward To: The name of the Remote High-Speed Log setting created above

Log Publishers settings

Click Create on the [System> Logs> Configuration> Log Publishers] screen.

On the screen that appears, make the following settings and click Finished.

  • Name: Any name that identifies this setting
  • Destinations:
    • Click to select the name of the Remote Syslog setting you set above from the Available list, then click [<<]
    • Confirm that it has been added to the Selected list

This completes the Syslog server settings.

Log transmission settings in iRules

Click Create on the [Local Traffic> iRules> iRule List] screen.

The iRule creation screen is displayed. Write the code on this screen.

iRules syntax for sending logs

Open a handle for high-speed logging (this specifies the Syslog server)

  • HSL::open -publisher <publisher>
    • Opens high-speed logging to the log publisher configured in [System> Logs> Configuration> Log Publishers] and returns its handle
    • Write <publisher> in the form "/Common/<Log Publisher setting name>"
    • Write it as set <variable> [HSL::open ...] so that the returned handle is stored in a variable for later use

Send the specified data over high-speed logging (log transmission)

  • HSL::send <handle> <data>
    • For <handle>, specify the variable that stores the return value of HSL::open
    • For <data>, specify the character string to be sent as the log

Timing to send logs

An iRule is triggered by specific events. To send the log when BIG-IP receives the response from the server, write the log-sending processing in the HTTP_RESPONSE event. Normally, I think that the log will be sent at this timing.

Collecting information to include in logs

When sending a log in the HTTP_RESPONSE event, you may want to include information that can only be obtained in the HTTP_REQUEST event.

For example, [HTTP::method], [HTTP::host] and [HTTP::uri] can only be retrieved during the HTTP_REQUEST event.

In this case, store the required values in variables during the HTTP_REQUEST event; the HTTP_RESPONSE event can then refer to those variables.

Applying iRules to virtual servers

On the Resources tab screen of the virtual server settings edit screen, click Manage in the iRules column.

The following screen will be displayed. Click the iRule you want to apply from the Available list to select it, and then click [<<]. Then confirm that the iRule has been added to the Enabled field and click Finished.

An example of iRules that sends access logs

Assume the following configuration.

The iRule applied to the virtual server is as follows.

when HTTP_REQUEST {
    # Save request-side values in variables for use in HTTP_RESPONSE
    set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}]
    set reqSrcip [IP::client_addr]
    set reqDstip [IP::local_addr]
    set reqDstport [TCP::local_port]
    set reqMethod [HTTP::method]
    set reqHost [HTTP::host]
    set reqUri [HTTP::uri]
    set reqVersion [HTTP::version]

    # Open high-speed logging to the log publisher and keep the handle
    set hslHandle [HSL::open -publisher /Common/Pub_Syslog]
}

when HTTP_RESPONSE {
    # Response-side values
    set resServerip [IP::server_addr]
    set resServerport [TCP::server_port]
    set resStatus [HTTP::status]

    # Send one space-delimited access log line
    HSL::send $hslHandle "$reqTime $reqSrcip $reqDstip $reqDstport $reqMethod $reqUri $reqVersion $resStatus $reqHost $resServerip $resServerport"
}

The logs sent to the Syslog server when the client accesses the Web server (virtual server) are as follows.

2021/10/28 14:28:17 192.168.75.1 192.168.75.11 443 GET / 1.1 403 192.168.75.11 192.168.75.134 443
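
For the receiving side, a parser for this line format, as an added example that is not part of the original article. It splits on single spaces so that an empty Host value (for example an HTTP/1.0 request without a Host header) does not shift the server IP into the host column, and it rejects lines whose columns fail type checks. It assumes the syslog header has already been stripped from the message; the function and field names are hypothetical, and the second and third sample lines are constructed.

```python
import ipaddress

# Field order of the HSL::send string in the iRule above; the URI sits between.
HEAD = ("date", "time", "src_ip", "dst_ip", "dst_port", "method")
TAIL = ("version", "status", "host", "server_ip", "server_port")

# First line is the sample from this page; the other two are constructed.
PAGE_SAMPLE = "2021/10/28 14:28:17 192.168.75.1 192.168.75.11 443 GET / 1.1 403 192.168.75.11 192.168.75.134 443"
NO_HOST = "2021/10/28 14:28:18 192.168.75.1 192.168.75.11 443 GET /index.html 1.0 200  192.168.75.134 443"
SPACE_IN_HOST = "2021/10/28 14:28:19 192.168.75.1 192.168.75.11 443 GET / 1.1 200 a b 192.168.75.134 443"


class LogFormatError(ValueError):
    """The line does not fit the iRule's field layout."""


def parse_access_log(message: str) -> dict:
    # Split on single spaces (not split()) so that an empty Host value
    # remains an empty field instead of shifting the server IP into its place.
    tokens = message.rstrip("\r\n").split(" ")
    if len(tokens) < len(HEAD) + 1 + len(TAIL):
        raise LogFormatError(f"too few fields ({len(tokens)}): {message!r}")
    rec = dict(zip(HEAD, tokens[:len(HEAD)]))
    rec.update(zip(TAIL, tokens[-len(TAIL):]))
    # Everything between the fixed head and tail is the URI.
    rec["uri"] = " ".join(tokens[len(HEAD):-len(TAIL)])
    try:
        # Type checks catch lines where a stray space misaligned the columns.
        for key in ("src_ip", "dst_ip", "server_ip"):
            ipaddress.ip_address(rec[key])
        for key in ("dst_port", "server_port", "status"):
            rec[key] = int(rec[key])
    except ValueError as exc:
        raise LogFormatError(f"misaligned or invalid field: {message!r}") from exc
    if not (100 <= rec["status"] <= 599 and 0 < rec["dst_port"] < 65536
            and 0 < rec["server_port"] < 65536):
        raise LogFormatError(f"value out of range: {message!r}")
    return rec


if __name__ == "__main__":
    for line in (PAGE_SAMPLE, NO_HOST, SPACE_IN_HOST):
        try:
            print(parse_access_log(line))
        except LogFormatError as err:
            print("rejected:", err)
```

Because both the URI and the Host value come from the client, a space-delimited line cannot be parsed unambiguously in every case; the type checks reject most misaligned lines, not all of them.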
