Forum Discussion
PowerShellDon_1
Nimbostratus
NimbostratusASM - Proactive Bot Defense - No Logs?
Hi all I have a Virtual Server with an Application Security and DoS Profile applied to it. The DoS profile just contains Proactive Bot Defense, Always On. Other features of DoS profile are off.
I can see it working when turned on, by cURL'ing the site and seeing the JS response.
However these events aren't showing up in any logs, is that expected? It would be nice to be able to see blocked/denied requests to the site to ensure i haven't broken journeys for our customers.
Any help would be much appreciated
natheCirrocumulus
PowerShellDon,
On the Virtual Server do you have a Log Profile assigned to it, if not try with log all requests? I believe it is a requirement to capture these logs.
Rgds
N
PowerShellDon_1A second, related question... can i customise the response somehow? Rather than just 'Please enable JavaScript to view the page content'
- Brandon_12607
I am using v13.0 is there a folder in WINSCP i can find to the botdefense logs to download
- Matt_Dierick
Employee
PBD logs are not yet available. It will be implemented in v13.0.
- Erik_Novak
You need to assign a Logging Profile to the virtual server, and make sure you have enabled DoS Logging. Then you should see activity in Event Logs: DoS: Application Events
Dan_PachecoCirrus
Still running v12.1.2, can you confirm, that you are actually getting PBD logs natively in v13 without an irule? Does it actually work now or is it still a work in progress?
TAC informed me it is not yet available v13, but this thread says different who is right?
Yes, you get it natively logged without an iRule in v13.x. Feel free to test this and if you have any questions, let us know.
jba3126All, Does anyone have a working example of an BotDefense iRule that would log events to HSL?
Regards,
/jeff
I would think the page on the BOTDEFENSE_ACTION event would likely answer your questions.
Take a look.
- Dan_Pacheco_163
Still running v12.1.2, can you confirm, that you are actually getting PBD logs natively in v13 without an irule? Does it actually work now or is it still a work in progress?
TAC informed me it is not yet available v13, but this thread says different who is right?
Yes, you get it natively logged without an iRule in v13.x. Feel free to test this and if you have any questions, let us know.
- jba3126
All, Does anyone have a working example of an BotDefense iRule that would log events to HSL?
Regards,
/jeff
I would think the page on the BOTDEFENSE_ACTION event would likely answer your questions.
 
Take a look.
 
- jba3126
I have the following iRule that at least the browser detection is working; however I'm uncertain as to how to test the tcp_rst action.
when BOTDEFENSE_ACTION { if { [BOTDEFENSE::action] eq "browser_challenge" || [BOTDEFENSE::action] eq "tcp_rst" } { set log "BOTDEFENSE:" set hsl [HSL::open -proto TCP -pool /Common/HSL-Syslog] append log " source [IP::remote_addr]" append log " vs [virtual]" append log " host [HTTP::host]" append log " uri [HTTP::uri]" append log " cs_possible [BOTDEFENSE::cs_possible]" append log " cs_allowed [BOTDEFENSE::cs_allowed]" append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]" append log " cookie_status [BOTDEFENSE::cookie_status]" append log " cookie_age [BOTDEFENSE::cookie_age]" append log " device_id [BOTDEFENSE::device_id]" append log " captcha_status [BOTDEFENSE::captcha_status]" append log " captcha_age [BOTDEFENSE::captcha_age]" append log " default action [BOTDEFENSE::action]" append log " reason \"[BOTDEFENSE::reason]\"" Remove comment on line below if you want to see bot defense logs in /var/log/ltm log local0. $log HSL::send $hsl $log } }/jeff
