With the new PCI DSS requirements around the corner, it might be interesting to gather some SSL cipher statistics from your F5s: which protocol versions and cipher suites your clients actually negotiate. If you have a syslog server this is a piece of cake using the High Speed Logging (HSL) commands in iRules.
To use the iRule below, first create a pool called syslog-514_pool, or simply replace the name with a pool containing your syslog server(s). Then attach the following iRule to each virtual server you want statistics for. Only attach it to virtual servers that have a client SSL profile; the SSL::cipher commands need one and have nothing to report on a plain HTTP virtual server.
when HTTP_REQUEST {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged once for this connection
    } else {
        # Open a UDP high speed logging handle to the syslog pool
        set hsl [HSL::open -proto UDP -pool syslog-514_pool]
        set host [HTTP::host]
        set useragent [HTTP::header "User-Agent"]
        set vs [virtual name]
        # Connection-scoped flag, so later keep-alive requests on the
        # same connection are not logged again
        set logged 1
        # Tab-separated record. Each backslash-newline continuation is
        # replaced by a single space, so an empty field (e.g. a missing
        # User-Agent header) shows up as "\t \t", which string map turns
        # into "\t-\t". <152> is the syslog PRI (local3.emerg)
        HSL::send $hsl "[string map [list "\t \t" "\t-\t"]\
        "<152>\t\
        [info hostname]\t\
        [IP::local_addr]\t\
        [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]\t\
        $host\t\
        [IP::remote_addr]\t\
        $useragent\t\
        $vs\t\
        [SSL::cipher name]\t\
        [SSL::cipher version]\t\
        [SSL::cipher bits]\t\
        "]\n"
    }
}
Essentially, what it does is send one syslog message per client connection, at the first HTTP request on that connection (the logged variable is connection-scoped, so further keep-alive requests on the same connection are skipped). Each message is a tab-separated record: BIG-IP hostname, virtual server address, timestamp, Host header, client address, User-Agent, virtual server name, cipher name, protocol version and key size, with "-" in place of any empty field. The <152> prefix is the syslog PRI for local3.emerg; change it if you want the messages filed under a different facility or severity. This data can easily be indexed by Splunk or Elasticsearch to generate a report.
PS. If there is a firewall between your load balancer and your syslog server, verify that the syslog traffic (UDP to the pool's port) is allowed before you start wondering where the messages went.
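If you want the report the paragraph above mentions without a Splunk or Elasticsearch instance, here is an added example (not code from the original post) that parses the tab-separated HSL records offline, tallies protocol versions and cipher suites, and lists the clients still negotiating SSL or TLS 1.0 or RC4/DES/export-grade suites. The column order follows the HSL::send template in the iRule; the sample records, the field names and the weak-crypto criteria are this example's own constructions, modelled on the PCI DSS 3.1 "SSL and early TLS" guidance.

```python
"""Cipher usage report built from the iRule's HSL records.

Added example, not code from the original post. Column order follows the
HSL::send template; sample data and weak-crypto thresholds are assumptions.
"""
import collections
import re

# Column order of the HSL::send template. Empty fields arrive as "-".
FIELDS = ("pri", "hostname", "local_addr", "timestamp", "http_host",
          "client_ip", "user_agent", "virtual", "cipher", "version", "bits")

WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1"}   # SSL and "early TLS" (TLS 1.0)
WEAK_CIPHER_RE = re.compile(r"RC4|DES|MD5|NULL|EXP|ANON", re.IGNORECASE)
MIN_BITS = 128

# Constructed sample records, not real traffic. Tcl replaces each
# backslash-newline in the template with a space, so fields start with " ";
# a missing User-Agent becomes "-" through the iRule's string map.
SAMPLE_LOG = (
    "<152>\t bigip1.example.net\t 192.0.2.10\t 03/03/2015 10:15:02 +0100\t"
    " www.example.com\t 198.51.100.7\t Mozilla/5.0 (Windows NT 6.1)\t"
    " vs_www_https\t ECDHE-RSA-AES128-GCM-SHA256\t TLSv1.2\t 128\t \n"
    "<152>\t bigip1.example.net\t 192.0.2.10\t 03/03/2015 10:15:09 +0100\t"
    " www.example.com\t 203.0.113.22\t-\t"
    " vs_www_https\t RC4-SHA\t TLSv1\t 128\t \n"
    "<152>\t bigip1.example.net\t 192.0.2.10\t 03/03/2015 10:15:11 +0100\t"
    " www.example.com\t 203.0.113.45\t Java/1.6.0_45\t"
    " vs_www_https\t DES-CBC3-SHA\t SSLv3\t 168\t \n"
    "<152>\t bigip1.example.net\t 192.0.2.10\t 03/03/2015 10:15:20 +0100\t"
    " www.example.com\t 198.51.100.99\t curl/7.35.0\t"
    " vs_www_https\t AES256-SHA\t TLSv1.2\t 256\t \n"
    "<152>\t bigip1.example.net\t truncated record\n"   # malformed, skipped
)


def parse_record(line):
    """Split one HSL record into a dict; return None when it is malformed."""
    parts = [p.strip() for p in line.rstrip("\n").split("\t")]
    if parts and parts[-1] == "":      # the template ends with a trailing tab
        parts.pop()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["bits"] = int(rec["bits"]) if rec["bits"].isdigit() else None
    return rec


def weak_reasons(rec):
    """Reasons a record would fail a strong-crypto review (empty if none)."""
    reasons = []
    if rec["version"] in WEAK_VERSIONS:
        reasons.append("protocol " + rec["version"])
    if WEAK_CIPHER_RE.search(rec["cipher"]):
        reasons.append("cipher " + rec["cipher"])
    if rec["bits"] is None or rec["bits"] < MIN_BITS:
        reasons.append("key size %s" % rec["bits"])
    return reasons


def cipher_report(log_text):
    """Tally records by version and (version, cipher); collect the client
    addresses behind each weak-crypto finding."""
    report = {"total": 0, "skipped": 0,
              "by_version": collections.Counter(),
              "by_cipher": collections.Counter(),
              "weak_clients": collections.defaultdict(set)}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            report["skipped"] += 1
            continue
        report["total"] += 1
        report["by_version"][rec["version"]] += 1
        report["by_cipher"][(rec["version"], rec["cipher"])] += 1
        for reason in weak_reasons(rec):
            report["weak_clients"][reason].add(rec["client_ip"])
    return report


def print_report(report):
    print("connections: %d (malformed lines skipped: %d)"
          % (report["total"], report["skipped"]))
    for version, n in report["by_version"].most_common():
        print("  %-8s %d" % (version, n))
    for (version, cipher), n in report["by_cipher"].most_common():
        print("  %-8s %-32s %d" % (version, cipher, n))
    for reason, clients in sorted(report["weak_clients"].items()):
        print("  WEAK %-28s %s" % (reason, ", ".join(sorted(clients))))


if __name__ == "__main__":
    print_report(cipher_report(SAMPLE_LOG))
```

Feed it the file your syslog server writes the F5 messages to (the syslog daemon prepends its own header, so strip that before the <152> field or adjust parse_record accordingly). The per-reason client lists are what you need when it is time to decide whether those clients can be upgraded or whether TLS 1.0 has to stay on for a while.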
Hey, Patrik,
I’ve been doing something similar with an iRule I found on devcentral, courtesy of David Holmes, that lets you show a page with a pie chart indicating client cipher usage. You don’t even need a syslog server – it uses iStats.
Cheers,
Joel