F5 Request Logging Profile

This is a short note on how to log all HTTP requests and responses from your virtual server using a Request Logging Profile.

Configure pool

Configure a pool with a member that points to your syslog server (the syslog server is in my Internal VLAN; if it were in the management VLAN, you would probably have to adjust routing). I named the pool MySyslog.

Syslog Pool

Configure request logging profile

This is a test, so I configured all available variables (variable names must begin with a dollar sign).

Request Logging Profile

Apply profile to VS

Finally, apply the profile to your Virtual Server (my profile name is mylog).

Virtual Server

Test

I tested it with Visual Syslog Server installed on my Windows machine (it is a simple syslog server with a GUI) [https://sourceforge.net/projects/syslogserverwindows/].

Here is a screenshot from the application:

Visual Syslog Server

Result

I ran two tests: the first used no NAT in the VS settings; the second used a VS with SNAT AUTOMAP.

Client IP is: 192.168.0.101
Virtual Server IP (external VLAN): 192.168.1.121
AutoMap IP: 10.0.2.253
Server (pool member) IP: 10.0.2.102

Here is the list of all variables that you can log in requests/responses:

$BIGIP_BLADE_ID $BIGIP_CACHED $BIGIP_HOSTNAME $CLIENT_IP $CLIENT_PORT $DATE_D $DATE_DAY $DATE_DD $DATE_DY $DATE_HTTP $DATE_MM $DATE_MON $DATE_MONTH $DATE_NCSA $DATE_YY $DATE_YYYY $HTTP_CLASS $HTTP_KEEPALIVE $HTTP_METHOD $HTTP_PATH $HTTP_QUERY $HTTP_REQUEST $HTTP_STATCODE $HTTP_STATUS $HTTP_URI $HTTP_VERSION $NCSA_COMBINED $NCSA_COMMON $RESPONSE_MSECS $RESPONSE_SIZE $RESPONSE_USECS $SERVER_IP $SERVER_PORT $SNAT_IP $SNAT_PORT $TIME_AMPM $TIME_H12 $TIME_HRS $TIME_HH12 $TIME_HMS $TIME_HH24 $TIME_MM $TIME_MSECS $TIME_OFFSET $TIME_SS $TIME_UNIX $TIME_USECS $TIME_ZONE $VIRTUAL_IP $VIRTUAL_NAME $VIRTUAL_POOL_NAME $VIRTUAL_PORT $VIRTUAL_SNATPOOL_NAME $WAM_APPLICATION_NAM $WAM_X_WA_INFO $NULL

The following table shows all variable values which were sent to syslog.

| PARAMETER NAME | Test 1 – REQUEST with NO NAT | Test 1 – RESPONSE with NO NAT | Test 2 – REQUEST with AUTONAT | Test 2 – RESPONSE with AUTONAT |
| --- | --- | --- | --- | --- |
| $BIGIP_BLADE_ID | 0 | 0 | 0 | 0 |
| $BIGIP_CACHED | | | | |
| $BIGIP_HOSTNAME | f5-3.local | f5-3.local | f5-3.local | f5-3.local |
| $CLIENT_IP | 192.168.0.101 | 192.168.0.101 | 192.168.0.101 | 192.168.0.101 |
| $CLIENT_PORT | 64424 | 64424 | 64518 | 64518 |
| $DATE_D | 19 | 19 | 19 | 19 |
| $DATE_DAY | Saturday | Saturday | Saturday | Saturday |
| $DATE_DD | 19 | 19 | 19 | 19 |
| $DATE_DY | Sat | Sat | Sat | Sat |
| $DATE_HTTP | Sat, 19 May 2018 18:34:22 GMT | Sat, 19 May 2018 18:34:22 GMT | Sat, 19 May 2018 18:41:24 GMT | Sat, 19 May 2018 18:41:24 GMT |
| $DATE_MM | 5 | 5 | 5 | 5 |
| $DATE_MON | May | May | May | May |
| $DATE_MONTH | May | May | May | May |
| $DATE_NCSA | [19/May/2018:20:34:22 +0200] | [19/May/2018:20:34:22 +0200] | [19/May/2018:20:41:24 +0200] | [19/May/2018:20:41:24 +0200] |
| $DATE_YY | 18 | 18 | 18 | 18 |
| $DATE_YYYY | 2018 | 2018 | 2018 | 2018 |
| $HTTP_CLASS | | | | |
| $HTTP_KEEPALIVE | Y | Y | Y | Y |
| $HTTP_METHOD | GET | GET | GET | GET |
| $HTTP_PATH | /mytest | /mytest | /mytest | /mytest |
| $HTTP_QUERY | | | | |
| $HTTP_REQUEST | GET /mytest HTTP/1.1 | GET /mytest HTTP/1.1 | GET /mytest HTTP/1.1 | GET /mytest HTTP/1.1 |
| $HTTP_STATCODE | | 404 | | 404 |
| $HTTP_STATUS | | 404 Not Found | | 404 Not Found |
| $HTTP_URI | /mytest | /mytest | /mytest | /mytest |
| $HTTP_VERSION | HTTP/1.1 | HTTP/1.1 | HTTP/1.1 | HTTP/1.1 |
| $NCSA_COMBINED | 192.168.0.101 - - [19/May/2018:20:34:22 +0200] "GET /mytest HTTP/1.1" - | 192.168.0.101 - - [19/May/2018:20:34:22 +0200] "GET /mytest HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" "BIGipServerWebHello=1711407114.20480.0000" | 192.168.0.101 - - [19/May/2018:20:41:24 +0200] "GET /mytest HTTP/1.1" - | 192.168.0.101 - - [19/May/2018:20:41:24 +0200] "GET /mytest HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" "BIGipServerWebHello=1711407114.20480.0000" |
| $NCSA_COMMON | 192.168.0.101 - - [19/May/2018:20:34:22 +0200] "GET /mytest HTTP/1.1" - | 192.168.0.101 - - [19/May/2018:20:34:22 +0200] "GET /mytest HTTP/1.1" 404 204 | 192.168.0.101 - - [19/May/2018:20:41:24 +0200] "GET /mytest HTTP/1.1" - | 192.168.0.101 - - [19/May/2018:20:41:24 +0200] "GET /mytest HTTP/1.1" 404 204 |
| $RESPONSE_MSECS | | 9 | | 16 |
| $RESPONSE_SIZE | | 204 | | 204 |
| $RESPONSE_USECS | | 9610 | | 16146 |
| $SERVER_IP | 10.0.2.102 | 10.0.2.102 | 10.0.2.102 | 10.0.2.102 |
| $SERVER_PORT | 80 | 80 | 80 | 80 |
| $SNAT_IP | | 192.168.0.101 | | 10.0.2.253 |
| $SNAT_PORT | | 64424 | | 64518 |
| $TIME_AMPM | PM | PM | PM | PM |
| $TIME_H12 | 8 | 8 | 8 | 8 |
| $TIME_HRS | 20:00:00 | 20:00:00 | 20:00:00 | 20:00:00 |
| $TIME_HH12 | 8 | 8 | 8 | 8 |
| $TIME_HMS | 20:34:22 | 20:34:22 | 20:41:24 | 20:41:24 |
| $TIME_HH24 | 20 | 20 | 20 | 20 |
| $TIME_MM | 34 | 34 | 41 | 41 |
| $TIME_MSECS | 1526754862830 | 1526754862830 | 1526755284607 | 1526755284607 |
| $TIME_OFFSET | 200 | 200 | 200 | 200 |
| $TIME_SS | 22 | 22 | 24 | 24 |
| $TIME_UNIX | 1526754862 | 1526754862 | 1526755284 | 1526755284 |
| $TIME_USECS | 1526754862830195 | 1526754862830195 | 1526755284607699 | 1526755284607699 |
| $TIME_ZONE | CEST | CEST | CEST | CEST |
| $VIRTUAL_IP | 192.168.1.121 | 192.168.1.121 | 192.168.1.121 | 192.168.1.121 |
| $VIRTUAL_NAME | /Common/WebHello | /Common/WebHello | /Common/WebHello | /Common/WebHello |
| $VIRTUAL_POOL_NAME | /Common/WebHello | /Common/WebHello | /Common/WebHello | /Common/WebHello |
| $VIRTUAL_PORT | 80 | 80 | 80 | 80 |
| $VIRTUAL_SNATPOOL_NAME | | | snat_automap[0] | snat_automap[0] |
| $WAM_APPLICATION_NAM | | | | |
| $WAM_X_WA_INFO | | | | |
| $NULL | | | | |
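
With SNAT AutoMap the pool member only sees 10.0.2.253, so the $CLIENT_IP/$CLIENT_PORT and $SNAT_IP/$SNAT_PORT pair is what lets you trace a backend log entry back to the real client. The following is an added example, not part of the original post: it parses response-log lines and performs that lookup. The key=value template, the field names and the sample lines are assumptions constructed from the variables and test values above.

```python
import re

# Hypothetical response template (an assumption, not the author's profile);
# every $VARIABLE comes from the list on this page. The only field a client
# controls, $HTTP_REQUEST, is placed last so it cannot forge the other fields.
TEMPLATE = ('ts=$TIME_UNIX vs=$VIRTUAL_NAME client=$CLIENT_IP:$CLIENT_PORT '
            'snat=$SNAT_IP:$SNAT_PORT server=$SERVER_IP:$SERVER_PORT '
            'status=$HTTP_STATCODE req="$HTTP_REQUEST"')

LINE_RE = re.compile(
    r'ts=(?P<ts>\d+) vs=(?P<vs>\S+) client=(?P<client>\S+) '
    r'snat=(?P<snat>\S+) server=(?P<server>\S+) '
    r'status=(?P<status>\d{3}) req="(?P<req>.*)"$')

# Constructed sample lines using the values from the two tests above; the
# third is a constructed request that tries to inject a fake status field.
SAMPLE_LINES = [
    'ts=1526754862 vs=/Common/WebHello client=192.168.0.101:64424 '
    'snat=192.168.0.101:64424 server=10.0.2.102:80 status=404 '
    'req="GET /mytest HTTP/1.1"',
    'ts=1526755284 vs=/Common/WebHello client=192.168.0.101:64518 '
    'snat=10.0.2.253:64518 server=10.0.2.102:80 status=404 '
    'req="GET /mytest HTTP/1.1"',
    'ts=1526755290 vs=/Common/WebHello client=192.168.0.101:64519 '
    'snat=10.0.2.253:64519 server=10.0.2.102:80 status=404 '
    'req="GET /x" status=200 req="y HTTP/1.1"',
]

def split_endpoint(text):
    """Split 'ip:port' on the last colon."""
    ip, _, port = text.rpartition(':')
    return ip, int(port)

def parse_line(line):
    """Return one record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['ts'], rec['status'] = int(rec['ts']), int(rec['status'])
    for side in ('client', 'snat', 'server'):
        rec[side] = split_endpoint(rec[side])
    rec['snat_applied'] = rec['snat'][0] != rec['client'][0]
    return rec

def resolve_client(records, src_ip, src_port, ts, window=5):
    """Map a source address seen by the pool member back to the real client."""
    return [r['client'] for r in records
            if r['snat'] == (src_ip, src_port) and abs(r['ts'] - ts) <= window]

RECORDS = [r for r in map(parse_line, SAMPLE_LINES) if r]
```

The time window matters because SNAT source ports are reused; keep it as narrow as the clock agreement between the BIG-IP and the pool member allows.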

Sources

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/3.html
