Forum Discussion
Adding logging to APM per-request policy without SWG license
BIG-IP working as a web proxy using an APM per-request policy. All it uses is a custom user category for allowed FQDNs/URIs. Nothing fancy. URL filtering works without an SWG licen$e. The client still sees the APM block screen and is allowed to go to destinations that are in the custom user category. But you will not see the URL request log. I have tried adding a logging agent to the per-request policy with the following message:
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
But nothing shows in the log. Looks like without an SWG licen$e APM logging won't be possible.
I have tried adding an iRule event, but I am NOT having luck. Not seeing a hit for ACCESS_POLICY_AGENT_EVENT. I see the ACCESS_PER_REQUEST_AGENT_EVENT stat incrementing. But nothing in the ltm log. Is that because of the licen$e, or am I doing something wrong?
when ACCESS_POLICY_AGENT_EVENT {
    set session_id [ACCESS::session data get "session.id"]
    if {[ACCESS::policy agent_id] eq "logAllow_iRule" } {
        set client_ip [IP::client_addr]
        set requested_uri [HTTP::uri]
        log local0. "ALLOW: APM Session: $session_id, Client IP: $client_ip, Requested URI: $requested_uri"
    } elseif {[ACCESS::policy agent_id] eq "logReject_iRule" } {
        set client_ip [IP::client_addr]
        set requested_uri [HTTP::uri]
        log local0. "REJECT: APM Session: $session_id, Client IP: $client_ip, Requested URI: $requested_uri"
    } else {
        log local0. "APM Session ID: $session_id"
    }
}
when ACCESS_PER_REQUEST_AGENT_EVENT {
    set session_id [ACCESS::session data get "session.id"]
    ACCESS::log accesscontrol.notice "ACCESS_PER_REQUEST_AGENT_EVENT: [ACCESS::perflow get perflow.irule_agent_id]"
    log local0. "APM Session ID: $session_id"
}
1 Reply
- MoFaz
Moderator
Hi iamsajjad, I read your query and I'll try my best to provide a solution.
How to use the iRule Event Agent in a Per-Request Access Policy: when using a Per-Request Access Policy, you must use ACCESS_PER_REQUEST_AGENT_EVENT instead of ACCESS_POLICY_AGENT_EVENT.
- Per-Session Policy uses: ACCESS_POLICY_AGENT_EVENT with ACCESS::policy agent_id
- Per-Request Policy uses: ACCESS_PER_REQUEST_AGENT_EVENT with ACCESS::perflow get perflow.irule_agent_id
This is why you're not seeing hits for ACCESS_POLICY_AGENT_EVENT but seeing the ACCESS_PER_REQUEST_AGENT_EVENT stat incrementing.
Your iRule Code Issue
Looking at your ACCESS_PER_REQUEST_AGENT_EVENT section:
when ACCESS_PER_REQUEST_AGENT_EVENT {
    set session_id [ACCESS::session data get "session.id"]
    ACCESS::log accesscontrol.notice "ACCESS_PER_REQUEST_AGENT_EVENT: [ACCESS::perflow get perflow.irule_agent_id]"
    log local0. "APM Session ID: $session_id"
}
The problem: You're trying to retrieve the iRule agent ID but not comparing it to your specific agent IDs (logAllow_iRule or logReject_iRule) that you defined in your per-request policy.
Corrected iRule Code
Here's the corrected version (hopefully it works): remove the ACCESS_POLICY_AGENT_EVENT part and use the code below.
when ACCESS_PER_REQUEST_AGENT_EVENT {
    set session_id [ACCESS::session data get "session.id"]
    set agent_id [ACCESS::perflow get perflow.irule_agent_id]
    if { $agent_id eq "logAllow_iRule" } {
        set client_ip [IP::client_addr]
        set requested_uri [HTTP::uri]
        log local0. "ALLOW: APM Session: $session_id, Client IP: $client_ip, Requested URI: $requested_uri"
    } elseif { $agent_id eq "logReject_iRule" } {
        set client_ip [IP::client_addr]
        set requested_uri [HTTP::uri]
        log local0. "REJECT: APM Session: $session_id, Client IP: $client_ip, Requested URI: $requested_uri"
    } else {
        log local0. "APM Session ID: $session_id, Agent ID: $agent_id"
    }
}
Give the above a go and let us know if it works.
Cheers,
Mo
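Building on the reply above, here is a fuller per-request logging iRule. This is an added example, not code from the thread or from F5: it keeps the two agent IDs from the question (logAllow_iRule and logReject_iRule), adds the perflow variables the question mentions (perflow.category_lookup.result.hostname and perflow.ssl_bypass_set), writes a key=value line that is easy to parse in a SIEM, and sends it over High-Speed Logging rather than log local0., which is rate-limited and only lands in /var/log/ltm. The log pool name /Common/syslog_pool is an assumption; replace it with your own.

```tcl
# Added example (not from the original thread): ALLOW/REJECT URL logging from
# an APM per-request policy via HSL, with a local0 fallback.
# Assumptions: a pool named /Common/syslog_pool exists, and the per-request
# policy contains iRule Event agents with IDs "logAllow_iRule" and
# "logReject_iRule" (the IDs used in the question).

when CLIENT_ACCEPTED {
    # Open the HSL handle once per TCP connection; HSL::send reuses it.
    set hsl [HSL::open -proto UDP -pool /Common/syslog_pool]
}

when ACCESS_PER_REQUEST_AGENT_EVENT {
    set agent_id   [ACCESS::perflow get perflow.irule_agent_id]
    set session_id [ACCESS::session data get "session.id"]

    # Only the two logging agents are handled here; any other iRule Event
    # agent in the same policy falls through untouched.
    switch -- $agent_id {
        "logAllow_iRule"  { set verdict "ALLOW" }
        "logReject_iRule" { set verdict "REJECT" }
        default           { return }
    }

    # These perflow variables are only populated when the policy set them
    # (e.g. SSL bypass only applies to HTTPS flows), so guard each read.
    set category_host ""
    catch { set category_host [ACCESS::perflow get perflow.category_lookup.result.hostname] }
    set ssl_bypass ""
    catch { set ssl_bypass [ACCESS::perflow get perflow.ssl_bypass_set] }

    # key=value format: stable field names, easy to search and to alert on
    # (e.g. a burst of REJECT lines from one client).
    set msg "apm_url_filter verdict=$verdict session=$session_id agent=$agent_id"
    append msg " client=[IP::client_addr] method=[HTTP::method] host=[HTTP::host] uri=[HTTP::uri]"
    append msg " category_host=$category_host ssl_bypass=$ssl_bypass"

    # <134> is syslog PRI for facility local0, severity info.
    if { [info exists hsl] } {
        HSL::send $hsl "<134>$msg"
    } else {
        log local0. $msg
    }
}
```

Attach the iRule to the same virtual server that carries the per-request policy, and make sure the iRule Event agents in the policy use exactly the agent IDs matched in the switch. Because the switch returns early for any other agent ID, other iRule Event agents in the policy can coexist with this logging without producing extra lines.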