ASM send mail alert when request violation with iRule

Question

Hi all&nbsp;
I have F5-ASM (11.3.0), when ASM have violation or blocking request, I want F5 notice me via email.&nbsp;
I have configed F5-ASM send email when have request blocking. But I want in body of email show more information detail about this request is blocked or violation like this:  violation_type; status request; ip client source... all in one email&nbsp;
Currently when I recieved email i just know only one information is Support_id of violation. I using iRule to capture Support_id from ASM log, here is iRule i found on Devcentral:&nbsp;
when ASM_REQUEST_VIOLATION {&nbsp;
 &nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 1]"&nbsp;
}&nbsp;
and modify in /config/user_alert.conf to send email:&nbsp;
alert ASM_MAIL "Support_id" {&nbsp;
        email toaddress="abc@company.com"&nbsp;
        fromaddress="monitor"&nbsp;
        body="The ASM Blocking" &nbsp;
} &nbsp;
==&gt; this way work fine but with one information is "Support_id"&nbsp;
=======================&nbsp;
I have tried to insert other information in iRule :&nbsp;
when ASM_REQUEST_VIOLATION {&nbsp;
 &nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 0]"&nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 1]"&nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 2]"&nbsp;
.......&nbsp;
}&nbsp;
This way i can recieved 2 or 3 email every have request blocked or violation but these informations not stay same one email ??&nbsp;
So hope everyone help this issue ?&nbsp;
Thanks&nbsp;

zeeshan_ahmad_1 · Answer

You can use the below irule to print the entire detail in a single log entry and will receive a single email.&nbsp;
when ASM_REQUEST_VIOLATION { &nbsp;
set x [ASM::violation_data]
log local3. "Request violations:=[lindex $x 0]   Support id:=[lindex $x 1]  web_application=[lindex $x 2]  severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]" &nbsp;
}&nbsp;

ahmed_eissa_206 · Answer

have it worked with you ??&nbsp;

ahmed_eissa_206 · Answer

it didnt work with me ....&nbsp;

zeeshan_ahmad_1 · Answer

You just need to add Support_id in the log as your custom alerts looks for this. Use the below iRule it will work
when ASM_REQUEST_VIOLATION {

set x [ASM::violation_data] 
log local3. "Support_id: Request violations:=[lindex $x 0] Support id:=[lindex $x 1] web_application=[lindex $x 2] severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]"

}

imtiyaz · Answer

Hello,Will this iRule send email notification?I have SMPT configured and working on the ASM version 16.Thanks

Forum Discussion

ASM send mail alert when request violation with iRule

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Certificate Expiry Email alert configuration

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Separating False Positives from Legitimate Violations

AWAF - Do not log Geolocation violations from the Event Log

Logging of DNS Requests and Responses without a DNS license

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS