Forum Discussion
NimbostratusAPM Anomaly
Hello DevCentral Community,
I'm facing an issue with APM logging through an iRule Event. When the AD auth fails i have the fallback path with the iRule Event (AD max logon attempts: 2 )
In the iRule i'm trying to log with HSL with the following method:
but i can see that the logs were generated only at the second "wrong" attempt. I will expect a log for each failed login :
when CLIENT_ACCEPTED { set hsl [HSL::open -proto UDP -pool hslpool] }
when ACCESS_POLICY_AGENT_EVENT {
log local0. "iRule Logging" set hsl [HSL::open -proto UDP -pool hslpool] set timestamp [clock format [clock seconds] -format "%d/%b/%Y %H:%M:%S %z"] set user [ACCESS::session data get session.logon.last.username] HSL::send $hsl "$timestamp; result=\"Login failed, User=\"$user \n"
if {[ACCESS::policy agent_id] eq "splunk"} { set timestamp [clock format [clock seconds] -format "%d/%b/%Y %H:%M:%S %z"] set user [ACCESS::session data get session.logon.last.username]
HSL::send $hsl "$timestamp; result=\"Login failed, User=\"$user \n"
} }
1 Reply
kunjanYou can configure a macro with loop count 3
So the macro with
AD Auth (Max Logon Attempts 1) ->Failed -> Logging -> Loop(3)
