With the new PCI DSS requirements around the corner, it might be interesting to gather some SSL cipher statistics from your F5s. If you have a syslog server, this is a piece of cake using the HSL (High Speed Logging) function in iRules.

To use the iRule below, first create a pool called syslog-514_pool, or simply replace the name with a pool containing your syslog server(s). Then attach the following iRule to each virtual server:

when HTTP_REQUEST {

    # iRule variables live for the TCP connection, so with HTTP keep-alive
    # this block runs on the first request only and is skipped afterwards.
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this session
    } else {
        set hsl [HSL::open -proto UDP -pool syslog-514_pool]
        set host [HTTP::host]
        set useragent [HTTP::header "User-Agent"]
        set vs [virtual name]
        set logged 1

        # Tab-separated record. A backslash-newline inside a Tcl quoted
        # string collapses to a single space, so an empty field shows up as
        # "\t \t"; string map rewrites it to "\t-\t" so the column count
        # stays fixed. <152> is the syslog PRI for facility local3 (19*8)
        # plus severity 0; adjust if your collector filters on it.
        HSL::send $hsl "[string map [list "\t \t" "\t-\t"]\
        "<152>\t\
        [info hostname]\t\
        [IP::local_addr]\t\
        [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]\t\
        $host\t\
        [IP::remote_addr]\t\
        $useragent\t\
        $vs\t\
        [SSL::cipher name]\t\
        [SSL::cipher version]\t\
        [SSL::cipher bits]\t\
        "]\n"
    }

}

Essentially, what it does is send a syslog message for every new SSL session established. This data could easily be indexed by Splunk or Elasticsearch to generate a report.
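If you do not have Splunk or Elasticsearch at hand, the records are simple enough to summarise with a short script. The Python below is an added example (not from the original post): it parses records in the exact layout the iRule emits, treats the "-" placeholder as an empty field, rejects records whose column count is off (a tab inside a header value such as User-Agent shifts every later column), and counts cipher/protocol/key-size combinations while singling out the clients still negotiating anything older than TLS 1.2. The sample records, hostnames and addresses are constructed, and the protocol strings (TLSv1, SSLv3, TLSv1.2) assume the values SSL::cipher version returns on BIG-IP.

```python
"""Summarise the HSL cipher records emitted by the iRule above.

Added example (not part of the original post). The records below are
constructed to match the iRule's output layout; they are not captured logs.
"""
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# Field order exactly as the iRule emits it.
FIELDS: Tuple[str, ...] = (
    "pri", "bigip", "vip", "timestamp", "http_host", "client",
    "user_agent", "virtual", "cipher", "version", "bits",
)

# Assumption: these are the strings SSL::cipher version returns on BIG-IP
# for protocols that PCI DSS does not class as "SSL/early TLS".
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample records in the iRule's layout: fields are separated by
# a tab plus the space left by the Tcl line continuation, an empty field is
# written as "-", and each record ends with "\t " and a newline.
SAMPLE_RECORDS: List[str] = [
    "<152>\t bigip1.example.test\t 203.0.113.10\t 03/04/2016 10:15:01 +0000\t shop.example.test\t 198.51.100.7\t Mozilla/5.0 (Windows NT 10.0)\t /Common/vs_shop_https\t ECDHE-RSA-AES128-GCM-SHA256\t TLSv1.2\t 128\t \n",
    "<152>\t bigip1.example.test\t 203.0.113.10\t 03/04/2016 10:15:03 +0000\t shop.example.test\t 198.51.100.23\t-\t /Common/vs_shop_https\t AES128-SHA\t TLSv1\t 128\t \n",
    "<152>\t bigip1.example.test\t 203.0.113.10\t 03/04/2016 10:15:05 +0000\t shop.example.test\t 198.51.100.7\t Mozilla/5.0 (Windows NT 10.0)\t /Common/vs_shop_https\t ECDHE-RSA-AES128-GCM-SHA256\t TLSv1.2\t 128\t \n",
    "<152>\t bigip1.example.test\t 203.0.113.10\t 03/04/2016 10:15:07 +0000\t shop.example.test\t 198.51.100.42\t Java/1.6.0_45\t /Common/vs_shop_https\t RC4-SHA\t SSLv3\t 128\t \n",
    # Malformed on purpose: a tab inside the User-Agent adds a column.
    "<152>\t bigip1.example.test\t 203.0.113.10\t 03/04/2016 10:15:09 +0000\t shop.example.test\t 198.51.100.99\t Bad\tAgent\t /Common/vs_shop_https\t AES256-SHA\t TLSv1.2\t 256\t \n",
]


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None when the column count is wrong.

    Stripping each piece removes the continuation space; mapping "-" to ""
    undoes the iRule's empty-field placeholder. A record with the wrong
    number of columns is rejected rather than mis-attributing a cipher.
    """
    parts = [p.strip() for p in line.rstrip("\n").split("\t")]
    if parts and parts[-1] == "":      # trailing "\t " after the last field
        parts.pop()
    if len(parts) != len(FIELDS):
        return None
    return {k: ("" if v == "-" else v) for k, v in zip(FIELDS, parts)}


def cipher_report(lines: List[str]) -> Dict[str, Any]:
    """Count (version, cipher, bits) tuples and the clients on legacy protocols."""
    by_suite: Counter = Counter()
    legacy_clients: Counter = Counter()
    malformed = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            malformed += 1
            continue
        by_suite[(rec["version"], rec["cipher"], rec["bits"])] += 1
        if rec["version"] not in ACCEPTABLE_VERSIONS:
            ua = rec["user_agent"] or "(no User-Agent)"
            legacy_clients[(rec["client"], ua)] += 1
    return {"by_suite": by_suite, "legacy_clients": legacy_clients,
            "malformed": malformed}


def render(report: Dict[str, Any]) -> List[str]:
    """Plain-text report, most common suites first."""
    out = ["count  version   bits  cipher"]
    for (version, cipher, bits), n in report["by_suite"].most_common():
        out.append(f"{n:5d}  {version:<8}  {bits:>4}  {cipher}")
    out.append("")
    out.append("clients still below TLS 1.2 (follow up before the PCI deadline):")
    for (client, ua), n in report["legacy_clients"].most_common():
        out.append(f"{n:5d}  {client}  {ua}")
    out.append(f"malformed records skipped: {report['malformed']}")
    return out


if __name__ == "__main__":
    print("\n".join(render(cipher_report(SAMPLE_RECORDS))))
```

Point the script at the file your syslog daemon writes for facility local3 instead of SAMPLE_RECORDS and it gives you the per-suite breakdown plus a list of client addresses and User-Agents that still need attention, which is usually the more useful output when planning to disable old protocols on the clientssl profile.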

PS. If you have a firewall between your load balancer and your syslog server, you might want to verify that the syslog port is open first.