Rob_75767
Nov 02, 2011

Logging registry lookup

Hi, please can anyone help?!

 

I have successfully created my policy to include a registry check to check for a specific software package we use. For audit purposes I would like to log/alert any clients that connect to the APM but do not have the registry entry. What is the best way to do this? I have looked at the logging option to log for session variables but I'm not sure where it logs to... ideally an iRule that would take the result and output it and other session variables to a syslog server would be perfect.

  • For session variables, below are what you may be interested in logging

    - user name is "session.logon.last.username"

    - result of registry check is "session.windows_check_registrys.$name.result" where 0 - Failure, 1 - Success, -1 - Invalid check expression

    @ http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sessionvars.html105003

    To view the access policy logs, view the /var/log/apm file from the BIG-IP command line.

    But do note the below

    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11124.html

    The default log level for the BIG-IP APM access policy log is Notice, which does not log session variables. Setting the access policy log level to Informational or Debug will cause the BIG-IP APM system to log session variables, but it will also add additional system overhead. If you need to log session variables on a production system, F5 Networks recommends setting the access policy log level to Informational temporarily while performing troubleshooting or debugging.
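
An iRule along the lines the question asks for, logging the registry check result together with the user name once access policy evaluation completes, without raising the access policy log level. This is an added example, not code from the thread or from F5; the check name `softwarecheck` and the layout of the log message are assumptions.

```tcl
when ACCESS_POLICY_COMPLETED {
    # Assumption: "softwarecheck" stands in for $name, the name given to the
    # registry check item in the access policy.
    set check_name "softwarecheck"

    # Session variable names as quoted in the reply above.
    set user   [ACCESS::session data get "session.logon.last.username"]
    set result [ACCESS::session data get "session.windows_check_registrys.${check_name}.result"]

    # Map the result codes listed in the reply. Anything else, including an
    # empty value when the check never ran for this session, is reported too,
    # so a client that skipped the check does not pass the audit silently.
    switch -exact -- $result {
        "1"     { return }
        "0"     { set reason "registry entry not found" }
        "-1"    { set reason "invalid check expression" }
        default { set reason "no result recorded" }
    }

    # The user name is client-supplied: replace non-printable characters and
    # double quotes so it cannot split or forge audit log lines.
    regsub -all {[^[:print:]]|"} $user "?" user

    # Written to local syslog facility local0 (/var/log/ltm on BIG-IP).
    # Forwarding that facility to a remote syslog server is a separate
    # system configuration step and is not shown here.
    log local0.warning "APM registry audit: user=\"$user\" check=$check_name\
        result=\"$result\" reason=\"$reason\" policy_result=[ACCESS::policy result]"
}
```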