For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Oct 30, 2013

Request Logging Other (APM) Information

Does anyone know if there's a (undocumented presumably since I haven't managed to find one yet) way to get the request logging profile to add in information from modules such as APM?   It would be...
BIG-IP Access Policy Manager (APM)
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Sep 02, 2015

Hi,

 

I had the same need and the first solution I found was to configure ACL with log "packet" and create a log filter to send cal log to HSL pool.

 

the problem with ACL log is there is no username information but session ID and I needed to create a correlation tool to match username / session ID / ACL.

 

After reading the Kevin's irule, I modified it to log RESPONSE instead of REQUEST to get response code.

 

The new irule is :

 

when CLIENT_ACCEPTED {
    set user "-"
}

when ACCESS_ACL_ALLOWED {
    set user [ACCESS::session data get session.logon.last.username]
}

when HTTP_RESPONSE {
    HTTP::header insert "USER" $user
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "USER"
}

The "-" default value is to replace username by - if request is not authenticated. I configured RESPONSE Template with:

 

$CLIENT_IP - ${USER} $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE $Referer 0 $Cookie

This is the NCSA_COMBINED template with the second "-" replaced by ${USER}