Hi,
I wrote this iRule (based on code I found on DevCentral) to log unknown device IDs to /var/log/ltm in the format expected for an external data group.
    when CLIENT_ACCEPTED {
        # Per-connection cache used by ACCESS_ACL_ALLOWED
        set ASDeviceId ""
        set ASUser ""
        set activesyncCheck 1
    }
    when ACCESS_SESSION_STARTED {
        # Only check ActiveSync sessions
        if { [ACCESS::session data get session.server.landinguri] starts_with "/Microsoft-Server-ActiveSync" } {
            # Allow when the device ID matches an entry of the "devices" data group
            if { [class match [ACCESS::session data get session.user.activesync.device-id] contains devices] } {
                ACCESS::session data set session.user.activesync.device-id-result "allow"
            } else {
                ACCESS::session data set session.user.activesync.device-id-result "deny"
                log local0. "Activesync error [ACCESS::session data get session.user.activesync.device-id]"
            }
        }
    }
    when ACCESS_POLICY_COMPLETED {
        # Log denied devices in external data group format: "device-id" := "username",
        if { [ACCESS::session data get session.user.activesync.device-id-result] equals "deny" } {
            log local0.info "Activesync_Failed:\"[ACCESS::session data get session.user.activesync.device-id]\" := \"[ACCESS::session data get session.logon.last.username]\","
        }
    }
Use this event to create the external data group:
    when ACCESS_ACL_ALLOWED {
        if { [HTTP::path] == "/Microsoft-Server-ActiveSync" } {
            if { $ASDeviceId ne "" } {
                # Values already cached on this connection
                log local0.info "Activesync:\"$ASDeviceId\" := \"$ASUser\","
            } else {
                # First request on this connection: read the values from the APM session
                set ASDeviceId [ACCESS::session data get session.user.activesync.device-id]
                set ASUser [ACCESS::session data get session.logon.last.username]
                log local0.info "Activesync:\"$ASDeviceId\" := \"$ASUser\","
            }
        }
    }
You can then use the following command to extract lines from /var/log/ltm:

    grep "ACCESS_ACL_ALLOWED" /var/log/ltm | awk -F "Activesync:" '{print $2}' | sort -fu
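
An added example, not part of the original post: the same extraction with a validation step before the records are used as an allowlist. The iRule above matches with `contains`, so a very short key in the data group would match many device IDs; short or malformed records, and device IDs logged for more than one user, are reported on stderr for review. The function name, `MIN_LEN` and the 8-32 alphanumeric ID format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build external data group
# records from the "Activesync:" log lines written by ACCESS_ACL_ALLOWED.
# Assumptions: device IDs are 8-32 alphanumeric characters; MIN_LEN and
# the function name are hypothetical.
MIN_LEN=8

build_device_datagroup() {
    # $1 = log file, e.g. /var/log/ltm
    grep 'ACCESS_ACL_ALLOWED' "$1" |
    awk -F 'Activesync:' 'NF > 1 { print $2 }' |
    awk -v min="$MIN_LEN" '
        {
            # A record must look exactly like: "<device-id>" := "<user>",
            n = split($0, q, "\"")
            id = q[2]; user = q[4]
            ok = (n == 5 && q[1] == "" && q[3] == " := " && q[5] == "," &&
                  id ~ /^[A-Za-z0-9]+$/ && length(id) >= min &&
                  length(id) <= 32 && user != "")
            if (!ok) { print "rejected: " $0 | "cat 1>&2"; next }
            key = tolower(id)
            if (key in owner) {
                # Device ID already recorded: keep the first-seen user and
                # flag the record if a different user presents the same ID.
                if (owner[key] != tolower(user))
                    print "conflict: " id " also seen for " user | "cat 1>&2"
                next
            }
            owner[key] = tolower(user)
            print
        }' |
    LC_ALL=C sort -f
}

# Usage: build_device_datagroup /var/log/ltm > devices.txt 2> review.txt
```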