PowerShellDon_1
Jan 28, 2016

ASM - Proactive Bot Defense - No Logs?

Hi all, I have a Virtual Server with an Application Security and DoS Profile applied to it. The DoS profile just contains Proactive Bot Defense, Always On. Other features of DoS profile are off.

 

I can see it working when turned on, by cURL'ing the site and seeing the JS response.

 

However, these events aren't showing up in any logs. Is that expected? It would be nice to be able to see blocked/denied requests to the site to ensure I haven't broken journeys for our customers.

 

Any help would be much appreciated.

 

  • nathe

    PowerShellDon,

     

    On the Virtual Server, do you have a Log Profile assigned to it? If not, try with log all requests. I believe it is a requirement to capture these logs.

     

    Rgds

     

    N

     

  • A second, related question... can I customise the response somehow? Rather than just 'Please enable JavaScript to view the page content'?

     

    • Brandon_12607

      I am using v13.0. Is there a folder in WinSCP where I can find the botdefense logs to download?

       

  • You need to assign a Logging Profile to the virtual server, and make sure you have enabled DoS Logging. Then you should see activity in Event Logs: DoS: Application Events.

     

  • Still running v12.1.2. Can you confirm that you are actually getting PBD logs natively in v13 without an iRule? Does it actually work now or is it still a work in progress?

     

    TAC informed me it is not yet available in v13, but this thread says different. Who is right?

     

    • Romani_2788
      Historic F5 Account

      Yes, you get it natively logged without an iRule in v13.x. Feel free to test this and if you have any questions, let us know.

       

    • jba3126

      All, does anyone have a working example of a BotDefense iRule that would log events to HSL?

       

      Regards,

       

      /jeff

       

  • I have the following iRule; at least the browser detection is working, however I'm uncertain as to how to test the tcp_rst action.

    when BOTDEFENSE_ACTION {
        # Log only requests that bot defense challenged or reset
        if { [BOTDEFENSE::action] eq "browser_challenge" || [BOTDEFENSE::action] eq "tcp_rst" } {
            set log "BOTDEFENSE:"
            # Handle to the High Speed Logging pool
            set hsl [HSL::open -proto TCP -pool /Common/HSL-Syslog]
            append log " source [IP::remote_addr]"
            append log " vs [virtual]"
            append log " host [HTTP::host]"
            append log " uri [HTTP::uri]"
            append log " cs_possible [BOTDEFENSE::cs_possible]"
            append log " cs_allowed [BOTDEFENSE::cs_allowed]"
            append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
            append log " cookie_status [BOTDEFENSE::cookie_status]"
            append log " cookie_age [BOTDEFENSE::cookie_age]"
            append log " device_id [BOTDEFENSE::device_id]"
            append log " captcha_status [BOTDEFENSE::captcha_status]"
            append log " captcha_age [BOTDEFENSE::captcha_age]"
            append log " default action [BOTDEFENSE::action]"
            append log " reason \"[BOTDEFENSE::reason]\""
            # Remove comment on line below if you want to see bot defense logs in /var/log/ltm
            # log local0. $log
            HSL::send $hsl $log
        }
    }
    

    /jeff
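
Added example, not part of the thread or any poster's code: a Python parser for the line the iRule above builds, run on the syslog receiver to count challenged and reset requests per host and path so that affected customer journeys stand out. The sample lines, their field values, the syslog prefix and the `make_line` helper are constructed for illustration.

```python
import re
from collections import Counter

# Field labels in the order the iRule appends them to $log.
FIELDS = ["source", "vs", "host", "uri", "cs_possible", "cs_allowed",
          "cs_attribute(device_id)", "cookie_status", "cookie_age", "device_id",
          "captcha_status", "captcha_age", "default action", "reason"]
# One lazy group per label. A value is empty when a BOTDEFENSE:: command
# returns nothing, which leaves two consecutive spaces in the line.
PATTERN = re.compile(
    "BOTDEFENSE:" + "".join(" %s (.*?)" % re.escape(f) for f in FIELDS) + r"\s*$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = PATTERN.search(line)  # search() tolerates the syslog prefix in /var/log/ltm
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["reason"] = rec["reason"].strip('"')  # the iRule wraps reason in quotes
    return rec

def summarize(lines):
    """Count events per (host, path, action) and count lines that did not parse."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        path = rec["uri"].split("?", 1)[0]  # group by path, keep query strings out
        counts[(rec["host"], path, rec["default action"])] += 1
    return counts, unparsed

def make_line(uri, action, device_id="", prefix=""):
    """Hypothetical helper: build a constructed line the way the iRule appends fields."""
    vals = ["203.0.113.7", "/Common/vs_www", "shop.example.com", uri, "1", "1", "enabled",
            "not_received", "0", device_id, "not_received", "0", action, '"constructed"']
    return prefix + "BOTDEFENSE:" + "".join(f" {k} {v}" for k, v in zip(FIELDS, vals))

# Constructed sample input; values are illustrative, not captured from a BIG-IP.
LTM = "Jan 28 10:00:02 bigip1 info tmm[1234]: Rule /Common/bd_log <BOTDEFENSE_ACTION>: "
SAMPLE = [make_line("/checkout?step=2", "browser_challenge"),
          make_line("/checkout?step=3", "browser_challenge", "d41f", LTM),
          make_line("/api/login", "tcp_rst"),
          "Jan 28 10:00:03 bigip1 notice mcpd[5678]: unrelated message"]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE)
    print(counts.most_common(), "unparsed lines:", unparsed)
```

A non-zero unparsed count on a feed that should carry only these events usually means the iRule's field list changed and `FIELDS` needs to follow it.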