ASM - Proactive Bot Defense - No Logs?
Still running v12.1.2. Can you confirm that you are actually getting PBD logs natively in v13 without an iRule? Does it actually work now, or is it still a work in progress?
TAC informed me it is not yet available in v13, but this thread says different. Who is right?
- Romani_2788, Apr 15, 2018 (Historic F5 Account)
Yes, you get it natively logged without an iRule in v13.x. Feel free to test this and if you have any questions, let us know.
- jba3126, Jun 19, 2018 (Cirrus)
All, does anyone have a working example of a BotDefense iRule that would log events to HSL?
Regards,
/jeff
- Romani_2788, Jun 19, 2018 (Historic F5 Account)
I would think the page on the BOTDEFENSE_ACTION event would likely answer your questions.
Take a look.
- Dan_Pacheco, Jun 19, 2018 (Cirrus)
Is this what you are looking for:

    when HTTP_REQUEST {
        # Health-check sources are excluded from the request log; everything else is logged
        if { ( ( [IP::remote_addr] equals "204.101.196.7") ||
               ( [IP::remote_addr] equals "24.101.196.10") ||
               ( [IP::remote_addr] equals "14.150.21.243") ||
               ( [IP::remote_addr] equals "14.150.21.242") ) } {
        } else {
            log local0. "source [IP::remote_addr] host [HTTP::host] uri [HTTP::uri]"
        }
    }

    when BOTDEFENSE_ACTION {
        if { [BOTDEFENSE::action] eq "tcp_rst" } {
            set log "BOTDEFENSE:"
            set hsl [HSL::open -proto TCP -pool /Common/nse_arcsight_pool]
            append log " source [IP::remote_addr]"
            append log " vs [virtual]"
            append log " host [HTTP::host]"
            append log " uri [HTTP::uri]"
            append log " cs_possible [BOTDEFENSE::cs_possible]"
            append log " cs_allowed [BOTDEFENSE::cs_allowed]"
            append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
            append log " cookie_status [BOTDEFENSE::cookie_status]"
            append log " cookie_age [BOTDEFENSE::cookie_age]"
            append log " device_id [BOTDEFENSE::device_id]"
            append log " captcha_status [BOTDEFENSE::captcha_status]"
            append log " captcha_age [BOTDEFENSE::captcha_age]"
            append log " default action [BOTDEFENSE::action]"
            append log " reason \"[BOTDEFENSE::reason]\""
            # Remove comment on line below if you want to see bot defense logs in /var/log/ltm
            # log local0. $log
            HSL::send $hsl $log
        }
    }
- jba3126, Jun 19, 2018 (Cirrus)
Dan, first off, thank you for the response and sample iRule! I'm uncertain about the first part, as we have connections from multiple source addresses, but it looks like you are excluding logging connections from two sources and logging everything else? The second part looks like something we are looking for. Do you run with the log local, HSL/remote, or both?
- Romani_2788, Jun 19, 2018 (Historic F5 Account)
Jeff,
The first part of the iRule can be whatever event or conditions you want it to be. The second part of the iRule, the BOTDEFENSE_ACTION event, is the part covered by the page on BOTDEFENSE_ACTION.
It might still be a good idea to review that page and get a better understanding and context.
- Dan_Pacheco, Jun 19, 2018 (Cirrus)
Hey Jeff, you're welcome. I typically run with the local logging commented out. Then, when I need to troubleshoot, I remove the comments and see the logs on the CLI instead of accessing them from ArcSight.
- jba3126, Jun 19, 2018 (Cirrus)
Dan, do you log all connecting IPs, with the exception of the excluded ones, to your local log (when HTTP_REQUEST), or is that for troubleshooting as well?
/jeff
- Dan_Pacheco, Jun 19, 2018 (Cirrus)
Yes, I do. The excluded IPs are from health-checking devices.
- jba3126, Jun 19, 2018 (Cirrus)
Dan, thank you again for the response. I've applied this iRule to our Dev environment for testing and will share results. Last question :) Is the first part, where you capture the HTTP request, required for the BotDefense logging to work? They appear to be separate functions. Again, thank you so much for taking the time to respond!
/jeff
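As an added illustration of the point raised in the last question (not code from the thread or from F5), the iRule below logs Proactive Bot Defense actions from the BOTDEFENSE_ACTION event alone, with no HTTP_REQUEST section, and replaces the hard-coded health-check addresses with a data group lookup. It assumes a DoS profile with Proactive Bot Defense is attached to the virtual server, an HSL pool named /Common/siem_pool (hypothetical) and an address-type data group /Common/healthcheck_sources (hypothetical) holding the monitor source addresses.

```tcl
# Added example, not from the thread: stand-alone PBD logger.
# Assumed objects: pool /Common/siem_pool, data group /Common/healthcheck_sources.
when RULE_INIT {
    # Set to 1 while troubleshooting to also write each event to /var/log/ltm
    set static::pbd_local_log 0
}

when BOTDEFENSE_ACTION {
    # Skip health-check sources without hard-coding their addresses in the iRule
    if { [class match [IP::client_addr] equals /Common/healthcheck_sources] } {
        return
    }

    # "allow" is the normal outcome; only record challenges and enforcement
    if { [BOTDEFENSE::action] eq "allow" } {
        return
    }

    set msg "BOTDEFENSE:"
    append msg " src=[IP::client_addr]"
    append msg " vs=[virtual name]"
    append msg " host=[HTTP::host]"
    append msg " uri=[HTTP::uri]"
    append msg " action=[BOTDEFENSE::action]"
    append msg " cookie_status=[BOTDEFENSE::cookie_status]"
    append msg " captcha_status=[BOTDEFENSE::captcha_status]"
    append msg " device_id=[BOTDEFENSE::device_id]"
    append msg " reason=\"[BOTDEFENSE::reason]\""

    # Ship the event to the remote collector over HSL
    set hsl [HSL::open -proto UDP -pool /Common/siem_pool]
    HSL::send $hsl $msg

    # Optional local copy, controlled by the RULE_INIT flag instead of editing comments
    if { $static::pbd_local_log } {
        log local0. $msg
    }
}
```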