For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rob_75767's avatar
Rob_75767
Icon for Nimbostratus rankNimbostratus
Nov 02, 2011

Logging registry lookup

Hi, please can anyone help?!   I have successfully created my policy to include a registry check to check for a specific software package we use. For audit purposes i would like to log/alert any c...
BIG-IP Access Policy Manager (APM)
remote access
security
BT_90520's avatar
BT_90520
Icon for Nimbostratus rankNimbostratus
Nov 02, 2011
For session variables, belwo are what you may be interested in logging

 

- user name is "session.logon.last.username"

 

- result of registry check is "session.windows_check_registrys.$name.result" where 0 - Failure, 1 - Success, -1 - Invalid check expression

 

 

@ http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sessionvars.html105003

 

 

To view the access policy logs, view the /var/log/apm file from the BIG-IP command line.

 

 

But do note the below

 

http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11124.html

 

 

The default log level for the BIG-IP APM access policy log is Notice, which does not log session variables. Setting the access policy log level to Informational or Debug will cause the BIG-IP APM system to log session variables, but it will also add additional system overhead. If you need to log session variables on a production system, F5 Networks recommends setting the access policy log level to Informational temporarily while performing troubleshooting or debugging.