Chris_Phillips
Sep 23, 2007
tcp connection logging at maximum demarcation points
Hi,
Following on from the general principles in this codeshare
http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html
how can this be expanded further to include other details such as the volume of data transferred and how the connections are closed? As a network admin I'm always incorrectly blamed by our apps teams for having a dodgy network. I'd like to look at iRules to create auditable logging for certain critical processes which could allow a good idea of what's actually happened to the connection and when it happened in order to even integrate the F5 logs with application logs via an application like Splunk. I would want to log:
- when a connection starts
- when it's connected to a server
(both of which would be trivial)
- how much data is transferred in both directions
- how the connection is closed when it is. (has the F5 timed it out? has the server timed out? has it closed nicely?)
It's these latter details I'm struggling to find any real information on. I know when a connection closed from CLIENT_CLOSED but what else can I report from within that event callback?
[btw for areas like this we're having to fettle with syslog-ng.conf... are there any worthwhile feature requests to more intelligently control routing of log events? It surely isn't hard to add a web UI page to say that, for example, local4.notice and higher should be 1) logged to the ltm log and 2) forwarded to syslog server at a.b.c.d??? Seems a real shame to still have to manually tinker...]
Thanks
Chris
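
An iRule sketch covering the items listed in the post, as an added example that is not part of the original post or the linked codeshare. The variable names and the key=value log layout are assumptions chosen so the lines can be joined on `conn` in a tool such as Splunk; it also assumes `IP::stats` reports the counters of the flow on the side where the event fires. It records when each side closed, not why.

```tcl
when CLIENT_ACCEPTED {
    # Correlation key repeated on every line for this connection (assumed layout)
    set conn_id "[IP::client_addr]:[TCP::client_port]"
    set t_start [clock clicks -milliseconds]
    log local4.notice "conn=$conn_id event=accepted vip=[IP::local_addr]:[TCP::local_port]"
}

when SERVER_CONNECTED {
    # Time from client accept to server-side connection established
    set connect_ms [expr {[clock clicks -milliseconds] - $t_start}]
    log local4.notice "conn=$conn_id event=server_connected node=[IP::server_addr]:[TCP::server_port] connect_ms=$connect_ms"
}

when SERVER_CLOSED {
    # Server-side flow counters at the moment that side is torn down
    set elapsed_ms [expr {[clock clicks -milliseconds] - $t_start}]
    log local4.notice "conn=$conn_id event=server_closed elapsed_ms=$elapsed_ms bytes_in=[IP::stats bytes in] bytes_out=[IP::stats bytes out] age=[IP::stats age]"
}

when CLIENT_CLOSED {
    # Client-side flow counters; compare elapsed_ms with the server_closed line
    # to see which side of the proxy was torn down first
    set elapsed_ms [expr {[clock clicks -milliseconds] - $t_start}]
    log local4.notice "conn=$conn_id event=client_closed elapsed_ms=$elapsed_ms bytes_in=[IP::stats bytes in] bytes_out=[IP::stats bytes out] age=[IP::stats age]"
}
```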