Forum Discussion
ASM send mail alert when request violation with iRule
Hi all,
I have F5 ASM (11.3.0). When ASM has a violation or blocks a request, I want F5 to notify me via email.
I have configured F5 ASM to send an email when a request is blocked. But I want the body of the email to show more detailed information about the request that was blocked or in violation, like this: violation_type; request status; client source IP... all in one email.
Currently, when I receive the email, I only know one piece of information: the Support_id of the violation. I am using an iRule to capture the Support_id from the ASM log. Here is the iRule I found on DevCentral:
log local3. "Support_id: [lindex [ASM::violation_data] 1]"
and modified /config/user_alert.conf to send the email:
alert ASM_MAIL "Support_id" {
    email toaddress=""
    body="The ASM Blocking"
}
==> This way works fine, but with only one piece of information, the "Support_id".
I have tried to insert other information in the iRule:
log local3. "Support_id: [lindex [ASM::violation_data] 0]"
log local3. "Support_id: [lindex [ASM::violation_data] 1]"
log local3. "Support_id: [lindex [ASM::violation_data] 2]"
This way I receive 2 or 3 emails every time a request is blocked or has a violation, but this information does not arrive in the same email??
So I hope everyone can help with this issue?
- Imtiyaz
Will this iRule send email notification?
I have SMTP configured and working on ASM version 16.
- Zeeshan_Ahmad_1
You just need to add Support_id in the log, as your custom alert looks for this. Use the iRule below; it will work.
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    log local3. "Support_id: Request violations:=[lindex $x 0] Support id:=[lindex $x 1] web_application=[lindex $x 2] severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]"
}
- Ahmed_Eissa_206
It didn't work for me ....
- Ahmed_Eissa_206
Has it worked for you??
- Zeeshan_Ahmad_1
You can use the iRule below to print all the details in a single log entry, and you will receive a single email.
set x [ASM::violation_data]
log local3. "Request violations:=[lindex $x 0] Support id:=[lindex $x 1] web_application=[lindex $x 2] severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]"
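The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (an assumption, not F5's alert implementation) in which every log line containing the alert's match string produces one email. The stanza address, the sample values and all function names are constructed for illustration.

```python
import re

# Constructed stanza in the shape the thread uses for /config/user_alert.conf;
# the address is a placeholder.
USER_ALERT_CONF = '''
alert ASM_MAIL "Support_id" {
    email toaddress="soc@example.com"
    body="The ASM Blocking"
}
'''
STANZA = re.compile(r'alert\s+(\w+)\s+"([^"]*)"\s*\{(.*?)\}', re.S)
# Labels and index order as used in the thread's combined log statement.
LABELS = ["Request violations:=", "Support id:=", "web_application=", "severity=",
          "source ip:=", "attack_type=", "request_status="]
# Constructed stand-in for the list returned by [ASM::violation_data].
SAMPLE = ["EXAMPLE_VIOLATION", "1234567890", "/Common/example_app", "Error",
          "203.0.113.7", "EXAMPLE_ATTACK_TYPE", "blocked"]


def parse_alerts(conf):
    """Return (name, compiled match string, toaddress) for each alert stanza."""
    alerts = []
    for name, match, body in STANZA.findall(conf):
        to = re.search(r'toaddress="([^"]*)"', body)
        alerts.append((name, re.compile(match), to.group(1) if to else ""))
    return alerts


def separate_lines(data):
    """The question's approach: one log statement per list element."""
    return [f"Support_id: {value}" for value in data[:3]]


def combined_line(data, prefix="Support_id: "):
    """One log statement carrying every field behind an optional prefix."""
    return [prefix + " ".join(label + value for label, value in zip(LABELS, data))]


def emails_for(log_lines, alerts):
    """Assumed model: every log line matching an alert yields one email."""
    return [(to, line) for line in log_lines
            for _name, pattern, to in alerts if pattern.search(line)]


if __name__ == "__main__":
    alerts = parse_alerts(USER_ALERT_CONF)
    for label, lines in [("separate", separate_lines(SAMPLE)),
                         ("combined", combined_line(SAMPLE)),
                         ("no prefix", combined_line(SAMPLE, prefix=""))]:
        print(label, len(emails_for(lines, alerts)))
```

In this model the combined line without the `Support_id` prefix matches nothing, because its label is written `Support id` with a space.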