Manual Chapter: Logging

Overview

There are a number of logging features you can implement as part of a BIG-IP system firewall configuration.

Logging server and profile setup

When configuring the BIG-IP system as a data center firewall, you might want to implement high-speed logging and define a group of remote Syslog servers. You can do this by creating a pool of servers, creating a custom request logging profile that determines log content and references the log server pool, and then assigning the profile to each virtual server that you create to process application traffic.

Specifying Syslog servers

Use this task to log messages to one or more remote Syslog servers.
  1. From the Main tab, click System > Logs.
  2. From the Configuration menu, choose Remote Logging.
  3. In the Remote IP field, type the IP address of the remote server to which the BIG-IP system will send the log messages.
  4. In the Remote Port field, retain the default port number or type a different port number.
  5. Optionally, in the Local IP field, type the IP address of the local BIG-IP system that is sending the log messages.
  6. Click Add.
  7. Repeat steps 3 through 6 for each remote logging server to which you want the BIG-IP system to send log messages.
  8. Click Update.
The remote Syslog servers are defined on the BIG-IP system.

Creating a pool of servers for high-speed logging

For the LTM firewall configuration, you can create a pool of remote servers for high-speed logging.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
    Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field, type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add the IP address for each logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
    3. You may type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The new pool containing the remote Syslog servers appears in the Pools list.
After creating the pool, you must create a request logging profile and specify this pool name within the profile. This eliminates the need for you to assign this pool to a virtual server.

Configuring a profile for high-speed logging

You must have already created a pool that includes logging servers as pool members.
Many sites perform traffic analysis against the log files that their web servers generate. With a Request Logging profile, you can specify the data and the format for HTTP requests and responses that you want to include in a log file. If you prefer, you can tailor the information that appears in the logs so that the logs work seamlessly with whatever analysis tools you use for your origin web server’s HTTP log files. You can use a request logging profile to log specific data, and then use that information for analysis and troubleshooting.
  1. On the Main tab, click Local Traffic > Profiles > Other > Request Logging. The Request Logging profile list screen opens.
  2. Click Create. The New Request Logging Profile screen opens.
  3. From the Parent Profile list, select a profile from which the new profile inherits properties.
  4. Above the Request Settings area, select the Custom check box. This enables all settings in the Request Settings area, making them available for change.
  5. From the Request Logging list, select Enabled.
  6. In the Template field, type the request logging parameters for the entries that you want to include in the log file.
  7. From the HSL Protocol list, select a high-speed logging protocol.
  8. From the Pool Name list, select the pool that includes the logging server as a pool member.
  9. Optional: You can also configure the error response settings.
    1. From the Respond On Error list, select Enabled.
    2. In the Error Response field, type the error response strings that you want to include in the log file. These strings must be well-formed for the protocol serving the strings.
    3. Select the Close On Error check box to drop the request and close the connection if logging fails.
  10. Optional: You can also configure the logging request errors settings.
    1. From the Log Logging Errors list, select Enabled.
    2. In the Error Template field, type the request logging parameters for the entries that you want to include in the log file.
    3. From the HSL Error Protocol list, select a high-speed logging error protocol.
    4. From the Error Pool Name list, select a pool that includes the node for the error logging server as a pool member.
  11. Click Update.
This configures a request logging profile to log specified data for HTTP requests.

Request logging parameters

This table lists all available parameters from which you can create a custom logging profile. These are used to specify entries for the Template and Error Template settings. For each parameter, the system writes to the log the information described in the right column.

Table 1. Request logging parameters
Parameter Log file entry description
BIGIP_BLADE_ID An entry for the slot number of the blade that handled the request.
BIGIP_CACHED An entry of Cached status: true, if the response came from BIG-IP® cache, or Cached status: false, if the response came from the server.
BIGIP_HOSTNAME An entry for the configured host name of the unit or chassis.
CLIENT_IP An entry for the IP address of a client, for example, 192.168.74.164.
CLIENT_PORT An entry for the port of a client, for example, 80.
DATE_D A two-character entry for the day of the month, ranging from " 1" (note the leading space) through 31.
DATE_DAY An entry that spells out the name of the day.
DATE_DD A two-digit entry for the day of the month, ranging from 01 through 31.
DATE_DY A three-letter entry for the day, for example, Mon.
DATE_HTTP A date and time entry in an HTTP format, for example, Tue, 5 Apr 2011 02:15:31 GMT.
DATE_MM A two-digit month entry, ranging from 01 through 12.
DATE_MON A three-letter abbreviation for a month entry, for example, APR.
DATE_MONTH An entry that spells out the name of the month.
DATE_NCSA A date and time entry in an NCSA format, for example, dd/mm/yy:hh:mm:ss ZNE.
DATE_YY A two-digit year entry, ranging from 00 through 99.
DATE_YYYY A four-digit year entry.
HTTP_CLASS The name of the httpclass profile that matched the request, or an empty entry if a profile name is not associated with the request.
HTTP_KEEPALIVE A flag summarizing the HTTP1.1 keep-alive status for the request: a Y if the HTTP1.1 keep-alive header was sent, or an empty entry if not.
HTTP_METHOD An entry that defines the HTTP method, for example, GET, PUT, HEAD, POST, DELETE, TRACE, or CONNECT.
HTTP_PATH An entry that defines the HTTP path.
HTTP_QUERY The text following the first ? in the URI.
HTTP_REQUEST The complete text of the request, for example, $METHOD $URI $VERSION.
HTTP_STATCODE The numerical response status code, that is, the status response code excluding subsequent text.
HTTP_STATUS The complete status response, that is, the number appended with any subsequent text.
HTTP_URI An entry for the URI of the request.
HTTP_VERSION An entry that defines the HTTP version.
NCSA_COMBINED An NCSA Combined formatted log string, for example, $NCSA_COMMON $Referer ${User-agent} $Cookie.
NCSA_COMMON An NCSA Common formatted log string, for example, $CLIENT_IP - - $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE.
RESPONSE_MSECS The elapsed time in milliseconds (ms) between receiving the request and sending the response.
RESPONSE_SIZE An entry for the size of response in bytes.
RESPONSE_USECS The elapsed time in microseconds (µs) between receiving the request and sending the response.
SERVER_IP An entry for the IP address of a server, for example, 10.10.0.1.
SERVER_PORT An entry for the port of a server, for example, 80.
SNAT_IP An entry for the self IP address of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client IP address when SNAT is not enabled.
SNAT_PORT An entry for the port of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client port when SNAT is not enabled.
TIME_AMPM A twelve-hour request-time qualifier, for example, AM or PM.
TIME_H12 A compact twelve-hour time entry for request-time hours, ranging from 1 through 12.
TIME_HRS A twelve-hour time entry for hours, for example, 12 AM.
TIME_HH12 A twelve hour entry for request-time hours, ranging from 01 through 12.
TIME_HMS An entry for a compact request time of H:M:S, for example, 12:10:49.
TIME_HH24 A twenty-four hour entry for request-time hours, ranging from 00 through 23.
TIME_MM A two-digit entry for minutes, ranging from 00 through 59.
TIME_MSECS An entry for the request-time fraction in milliseconds (ms).
TIME_OFFSET An entry for the time zone, offset in hours from GMT, for example, -11.
TIME_SS A two-digit entry for seconds, ranging from 00 through 59.
TIME_UNIX A UNIX time entry for the number of seconds since the UNIX epoch, for example, 00:00:00 UTC, January 1st, 1970.
TIME_USECS An entry for the request-time fraction in microseconds (µs).
TIME_ZONE An entry for the current Olson database or tz database three-character time zone, for example, PDT.
VIRTUAL_IP An entry for the IP address of a virtual server, for example, 192.168.10.1.
VIRTUAL_NAME An entry for the name of a virtual server.
VIRTUAL_POOL_NAME An entry for the name of the pool containing the responding server.
VIRTUAL_PORT An entry for the port of a virtual server, for example, 80.
VIRTUAL_SNATPOOL_NAME The name of the Secure Network Address Translation pool associated with the virtual server.
NULL Undelineated strings return the value of the respective header.
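
The following is an added example, not F5 code: a small linter that takes a Template string, classifies each $NAME or ${name} token as a Table 1 parameter or a header reference, and lists what sensitive data the resulting log entries would carry to the remote servers. The set of secret-bearing headers and the rule that any name absent from Table 1 is a header name are assumptions of this example.

```python
import re

# Parameter names copied from Table 1 above.
BUILTIN = set("""
BIGIP_BLADE_ID BIGIP_CACHED BIGIP_HOSTNAME CLIENT_IP CLIENT_PORT DATE_D DATE_DAY
DATE_DD DATE_DY DATE_HTTP DATE_MM DATE_MON DATE_MONTH DATE_NCSA DATE_YY DATE_YYYY
HTTP_CLASS HTTP_KEEPALIVE HTTP_METHOD HTTP_PATH HTTP_QUERY HTTP_REQUEST
HTTP_STATCODE HTTP_STATUS HTTP_URI HTTP_VERSION NCSA_COMBINED NCSA_COMMON
RESPONSE_MSECS RESPONSE_SIZE RESPONSE_USECS SERVER_IP SERVER_PORT SNAT_IP
SNAT_PORT TIME_AMPM TIME_H12 TIME_HRS TIME_HH12 TIME_HMS TIME_HH24 TIME_MM
TIME_MSECS TIME_OFFSET TIME_SS TIME_UNIX TIME_USECS TIME_ZONE VIRTUAL_IP
VIRTUAL_NAME VIRTUAL_POOL_NAME VIRTUAL_PORT VIRTUAL_SNATPOOL_NAME
""".split())

# Assumption of this example: headers treated as secret-bearing.
SECRET_HEADERS = {"cookie", "authorization", "proxy-authorization"}
# Per Table 1, these parameters expand to text that contains the request URI
# and therefore its query string.
HAS_URI = {"HTTP_URI", "HTTP_QUERY", "HTTP_REQUEST", "NCSA_COMMON", "NCSA_COMBINED"}
# Matches ${name} (needed for names with hyphens) or a bare $NAME.
TOKEN = re.compile(r"\$(?:\{([^}]+)\}|([A-Za-z0-9_]+))")

def lint_template(template):
    """Classify each token and list the sensitive data the template would log."""
    params, headers, findings = [], [], []
    for braced, bare in TOKEN.findall(template):
        name = braced or bare
        if name in BUILTIN:
            params.append(name)
            if name in HAS_URI:
                findings.append(f"{name}: logs the query string (may hold session IDs)")
            if name == "NCSA_COMBINED":
                findings.append("NCSA_COMBINED: expands to include the Cookie header")
        else:
            headers.append(name)  # not in Table 1, so read here as a header name
            if name.lower() in SECRET_HEADERS:
                findings.append(f"{name}: logs a secret-bearing header")
    return {"params": params, "headers": headers, "findings": findings}

if __name__ == "__main__":
    # Constructed templates for illustration.
    for t in ("$CLIENT_IP $DATE_NCSA $HTTP_METHOD $HTTP_PATH $HTTP_STATCODE",
              "$NCSA_COMMON ${User-agent} $Cookie"):
        print(t, "->", lint_template(t)["findings"])
```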

Standard log formats

Log headers appear in the lines at the top of a log file. You can use log headers to identify the type and order of the information written to each line in the log file. Some log analysis software also uses log headers to determine how to parse a log file.

There are three common conventions for log headers shown here.

Convention: Description
No header line: Apache™ web servers use this option. By default, Apache web servers write access logs in a format that is identical to the NCSA Common format.
NCSA Common or Combined headers: Netscape® servers, and their descendants (such as the iPlanet™ Enterprise Server) write a log header line that is unique to this family of servers. These servers generally use either the NCSA Common or Combined log format, and the log header lines are composed of keywords. For example: #format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] ....
W3C headers: Most Microsoft® Internet Information Services (IIS) web servers write log files in the extended log file format, which is defined by a W3C working draft.

The logging information that is commonly used by origin web servers consists of the following conventions:

  • NCSA Common (no log header)
  • NCSA Common (Netscape log header)
  • NCSA Combined (no log header)
  • NCSA Combined (Netscape log header)
  • W3C Extended

NCSA Common log format example

This is the NCSA Common log format syntax:

host rfc931 username [date:time UTC_offset] "method URI?query_parameters protocol" status bytes

Here is an example that uses this syntax:

125.125.125.2 - - [03/Apr/2011:23:44:03 -0600] "GET /apps/example.jsp?sessionID=34h76 HTTP/1.1" 200 3045
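
The following is an added example, not part of the original manual: a parser for the NCSA Common syntax above, as a log server receiving these entries might use it. It anchors the status and bytes fields to the end of the line, because the quoted request is client-supplied text, and it converts the timestamp to UTC. The function name, the TRICKY line, and the handling of "-" as a byte count are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# host rfc931 username [date:time UTC_offset] "request" status bytes
LINE = re.compile(
    r'^(?P<host>\S+) (?P<rfc931>\S+) (?P<username>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')

def parse_ncsa_common(line):
    """Parse one NCSA Common line into a dict; return None if it is malformed."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        local = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["time_utc"] = local.astimezone(timezone.utc)  # normalise for correlation
    rec["status"] = int(rec["status"])
    # Some servers write "-" when no body was sent; treat it as 0 bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Method is the first word and protocol the last; everything between is
    # the URI, so stray spaces or quotes in it cannot shift the other fields.
    parts = rec["request"].split(" ")
    if len(parts) < 3:
        return None
    rec["method"], rec["protocol"] = parts[0], parts[-1]
    uri = " ".join(parts[1:-1])
    rec["path"], _, rec["query"] = uri.partition("?")
    return rec

# The example line from this chapter.
SAMPLE = ('125.125.125.2 - - [03/Apr/2011:23:44:03 -0600] '
          '"GET /apps/example.jsp?sessionID=34h76 HTTP/1.1" 200 3045')
# Constructed line: the URI itself contains a quote followed by digits.
TRICKY = ('10.0.0.5 - - [03/Apr/2011:23:44:03 -0600] '
          '"GET /a?x=" 200 1 HTTP/1.1" 404 12')

if __name__ == "__main__":
    for entry in (SAMPLE, TRICKY, "not a log line"):
        print(parse_ncsa_common(entry))
```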