
Re: writing an irule to log all traffic

Hi,

You can use iRules to log the requests and syslog-ng to parse them. Here are some example rules and syslog-ng changes:

=======================================================

1. HTTP logger rule:


when HTTP_REQUEST {
   # save the URL here, log it on the response
   set url [HTTP::header Host][HTTP::uri]
   set vip [IP::local_addr]:[TCP::local_port]
}
when HTTP_RESPONSE {
   set client [IP::client_addr]:[TCP::client_port]
   set node [IP::server_addr]:[TCP::server_port]
   set nodeResp [HTTP::status]
   # log connection info
   log local0.info "Client: $client -> VIP:$vip$url -> Node: $node with response $nodeResp"
}

=======================================================

2. TCP logger rule:


when CLIENT_ACCEPTED {
   set vip [IP::local_addr]:[TCP::local_port]
}
when SERVER_CONNECTED {
   set client "[IP::client_addr]:[TCP::client_port]"
   set node "[IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
   # log connection info
   log local0.info "Client $client -> VIP: $vip -> Node: $node"
}

=======================================================

3. UDP logger rule:


when CLIENT_ACCEPTED {
   set vip [IP::local_addr]:[UDP::local_port]
}
when SERVER_CONNECTED {
   set client "[IP::client_addr]:[UDP::client_port]"
   set node "[IP::server_addr]:[UDP::server_port]"
}
when CLIENT_CLOSED {
   # log connection info
   log local0.info "Client $client -> VIP: $vip -> Node: $node"
}

=======================================================

Associate the TCP, UDP and HTTP rules with the respective virtual servers that you want to log connections for. You can enable a rule for a virtual server under the Resources tab for each virtual server. You will need to make sure that the rule matches the type for each virtual server. For example, you can use the TCP or HTTP rules on an HTTP virtual server. However, you cannot associate a UDP rule unless there is a UDP profile associated with the virtual server.

These rules will log to syslog-ng's local0 facility with the following format:

Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger : Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200

You can then configure syslog-ng to parse local0.info entries that contain "logger" and send them to a remote syslog server by making the following changes to the /etc/syslog-ng/syslog-ng.conf file.

=======================================================

1. Add: local0.info filter, destination and log statements:


# local0.info                                  send logger entries to remote syslog server
filter f_local0.info {
   facility(local0) and level(info) and match("logger");
};
# destination can be a hostname or IP address
destination d_logger {
   tcp("syslog.myhost.com" port(5000));
};
log {
   source(local);
   filter(f_local0.info);
   destination(d_logger);
};

2. Add: and not match("logger") to local0.* to exclude the logger entries from being written to file


# local0.*                                     /var/log/ltm
filter f_local0 {
   facility(local0) and level(info..emerg) and not match("logger");
};
destination d_ltm {
   file("/var/log/ltm" create_dirs(yes));
};
log {
   source(local);
   filter(f_local0);
   destination(d_ltm);
};

For more complete documentation on syslog-ng, you can refer to their site:

http://www.balabit.com/products/support/syslog-ng/

Or here:

http://www.iso.port.ac.uk/docs/downloaded/syslog-ng.html/book1.html

Aaron
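Once these entries reach the remote syslog server, the next step is to turn them back into structured fields. The parser below is an added example, not part of the post above or of any F5 tooling: it reads lines in the shape the post shows ("Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger : ...") with message bodies exactly as the three iRules format them, skips non-logger local0 lines, and counts flows per node. The sample lines, hostnames and addresses are constructed for the example.

```python
"""Parse the syslog lines produced by the HTTP, TCP and UDP logger iRules."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Syslog prefix in the shape the post shows:
#   "Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger : <iRule message>"
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"Rule (?P<rule>\S+) : (?P<msg>.*)$"
)

# Body written by the HTTP logger rule:
#   "Client: $client -> VIP:$vip$url -> Node: $node with response $nodeResp"
# $vip is ip:port and $url is Host + URI, concatenated with no separator.
HTTP_MSG = re.compile(
    r"^Client: (?P<client>\S+) -> VIP:(?P<vip>\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})"
    r"(?P<url>\S*) -> Node: (?P<node>\S+) with response (?P<status>\d{3})$"
)

# Body written by the TCP and UDP logger rules:
#   "Client $client -> VIP: $vip -> Node: $node"
L4_MSG = re.compile(
    r"^Client (?P<client>\S+) -> VIP: (?P<vip>\S+) -> Node: (?P<node>\S+)$"
)


@dataclass
class FlowRecord:
    timestamp: str
    rule: str
    client: str
    vip: str
    node: str
    url: Optional[str] = None     # HTTP logger entries only
    status: Optional[int] = None  # HTTP logger entries only


def parse_line(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord for a logger line, or None if the line is not one."""
    m = SYSLOG_PREFIX.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    h = HTTP_MSG.match(msg)
    if h:
        return FlowRecord(m.group("ts"), m.group("rule"), h.group("client"),
                          h.group("vip"), h.group("node"), h.group("url"),
                          int(h.group("status")))
    t = L4_MSG.match(msg)
    if t:
        return FlowRecord(m.group("ts"), m.group("rule"), t.group("client"),
                          t.group("vip"), t.group("node"))
    return None


def parse_lines(lines: Iterable[str]) -> List[FlowRecord]:
    """Parse every logger line, silently skipping anything else."""
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def count_by(records: Iterable[FlowRecord], field: str) -> Dict[str, int]:
    """Count records per value of one field, e.g. 'node' or 'vip'."""
    counts: Dict[str, int] = {}
    for r in records:
        key = str(getattr(r, field))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not captured from a real device). The third line is
# an ordinary local0 message without a "Rule" prefix that the parser must skip.
SAMPLE_LINES = [
    "Mar  1 08:34:01 tmm tmm[730]: Rule HTTP_logger : Client: 192.168.42.26:4746 "
    "-> VIP:172.25.2.12:80www.example.test/index.html -> Node: 172.25.2.233:80 with response 200",
    "Mar  1 08:34:02 tmm tmm[730]: Rule HTTP_logger : Client: 192.168.42.27:51000 "
    "-> VIP:172.25.2.12:80www.example.test/login -> Node: 172.25.2.234:80 with response 503",
    "Mar  1 08:34:02 tmm tmm[730]: some other local0 message without a Rule prefix",
    "Mar  1 08:34:03 tmm tmm[730]: Rule TCP_logger : Client 192.168.42.28:40001 "
    "-> VIP: 172.25.2.13:443 -> Node: 172.25.2.233:443",
    "Mar  1 08:34:04 tmm tmm[730]: Rule UDP_logger : Client 192.168.42.29:53011 "
    "-> VIP: 172.25.2.14:53 -> Node: 172.25.2.240:53",
]

if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(rec)
    print("flows per node:", count_by(records, "node"))
```

One thing the parser makes visible: the HTTP rule writes `$vip$url` with nothing between the VIP port and the Host header, so when a client sends a Host header that starts with a digit (an IP literal, for instance) the port/host boundary is ambiguous and the split above can be wrong. Putting a space or other separator between `$vip` and `$url` in the log statement removes the ambiguity before the lines ever reach the collector.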