Forum Discussion

southern_shredd
Feb 01, 2023

Stream matched rewrite irule statistics

We have a rewrite iRule that uses stream match to rewrite hostnames etc. For decommissioning purposes we would like to generate a report showing which requests (URLs) are using the iRule and the results of the rewrite. The report should have columns like

matched, replacewith, fromURI, count

when ACCESS_ACL_ALLOWED {
    #STREAM::disable
    #HTTP::header remove "Accept-Encoding"
    #log local0. "[IP::client_addr] is accessing and we are removing Accept-Encoding"
}
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events enable
}
when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
    # Remember the requested URL so STREAM_MATCHED can log it
    set http_uri "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
    # Check if response type is text
    if {([HTTP::header value Content-Type] contains "text") || ([HTTP::header value Content-Type] contains "json")} {
        STREAM::expression {@https?:\/\/([^\/\"]*\.)*city\.council\.com@replace_me@}

        # Enable the stream filter for this response only
        STREAM::enable
    }
}

when STREAM_MATCHED {

    #log local0. "Debug1: STREAM_MATCHED"

    set CHECK [class match -value [string tolower [STREAM::match]] starts_with URI_department.city.council.com_no_rewrite]
    if { $CHECK == "1" } {
        #log local0. "found exception for [STREAM::match]"
        STREAM::replace [STREAM::match]
    } else {
        set RE {https:\/\/([^\/\"]*\.)*city\.council\.com}
        set STRING "[string map {http:// https://} [STREAM::match]]"
        set SUBST "https://\\1department.city.council.com"
        if {! ($STRING contains "intranett") } {
            # we need to insert intranett
            set STRING "[regsub -all $RE $STRING $SUBST ]"
        }
        #log local3. "[IP::client_addr]:[TCP::local_port]: matched: '[STREAM::match]', replaced with: '$STRING', from URI: $http_uri"
        STREAM::replace $STRING
        #if { ! ($STRING == [STREAM::match]) } {
        # }
    }
}

  • If you have a SIEM like Splunk or ELK maybe you can use Stats/iStats in the iRule and then use the API to access this info, or just forward it to the SIEM with the logs and make the report. Have not done this myself.

    https://support.f5.com/csp/article/K17283308

    https://clouddocs.f5.com/api/irules/STATS.html

    https://clouddocs.f5.com/api/irules/ISTATS.html

    Also Telemetry Streaming can be used to stream Virtual server/pool statistics to Syslog/SIEM and you can create, as I mentioned, your own custom stats with STATS/iSTATS.

    https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/

  • Understood, can you give an example of a log line that could be added that would return perhaps "hostname matches" or "hits by hostname"?

    • Paulius (MVP)

      southern_shredd, you should be able to put the following in the third line in the section of "when HTTP_REQUEST", but this really depends on when you would like the logging to occur.

      log local0. "Client Connected, IP: [IP::client_addr] for Host: [HTTP::host]"
  • southern_shredd, I don't believe a report exists on the BIG-IP that would do this for you. You will have to add some logging lines to your iRule to log the specifics that you want and then use something else to count the entries in the logging destination or directly from the BIG-IPs. Please keep in mind that logs are rotated after a certain time or size, so it is possible that you could miss some statistics if your BIG-IP creates a significant amount of log entries, so it's best to send these logs to a logging device.
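
Added example, not part of any post in this thread: one way to do the counting step off-box, assuming the commented-out `log local3.` line in STREAM_MATCHED is enabled and its output is forwarded to a log host. It aggregates those lines into the matched / replacewith / fromURI / count report; the function names, syslog prefix, addresses and sample lines are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import urlsplit

# Message layout copied from the commented-out "log local3." line in the iRule.
# The request URI is client-supplied and logged last; re.search takes the leftmost
# match, so matched/replacewith are always read from the part the iRule wrote.
LINE_RE = re.compile(
    r"matched: '(?P<matched>[^']*)', "
    r"replaced with: '(?P<replacewith>[^']*)', "
    r"from URI: (?P<uri>\S+)"
)

def strip_query(uri):
    """Drop query string and fragment: they inflate cardinality and may hold tokens."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"

def build_report(lines):
    """Return [(matched, replacewith, fromURI, count), ...], most frequent first."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # unrelated syslog entry
        counts[(m["matched"], m["replacewith"], strip_query(m["uri"]))] += 1
    return [key + (n,) for key, n in counts.most_common()]

def to_csv(rows):
    """Render the report rows as CSV text with the requested column names."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["matched", "replacewith", "fromURI", "count"])
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample lines (syslog prefix, addresses and hostnames are made up).
PREFIX = "Feb  1 10:15:02 bigip1 info tmm[1234]: Rule /Common/rewrite <STREAM_MATCHED>: "
SAMPLE = [
    PREFIX + "10.0.0.5:443: matched: 'http://app.city.council.com', replaced with: 'https://app.department.city.council.com', from URI: https://portal.city.council.com/start?sid=abc",
    PREFIX + "10.0.0.9:443: matched: 'http://app.city.council.com', replaced with: 'https://app.department.city.council.com', from URI: https://portal.city.council.com/start?sid=xyz",
    PREFIX + "10.0.0.5:443: matched: 'https://files.city.council.com', replaced with: 'https://files.department.city.council.com', from URI: https://portal.city.council.com/docs/",
    "Feb  1 10:15:03 bigip1 notice mcpd[5678]: unrelated message",
]

if __name__ == "__main__":
    print(to_csv(build_report(SAMPLE)))
```

Because logs on the BIG-IP rotate, run this against the remote logging destination rather than the local log file.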