Forum Discussion

Altocumulus

7 months ago

Requests with 307 responses not logged (missing) in ASM events

Hello I have a vs named flane with waf policy and logging profile configured to log all requests. However, I've noticed that requests with HTTP 307 redirect responses are not being logged. To invest...

307

responses

Emil_Tr

Altocumulus

7 months ago

If t is not sent by server, where are the HTTP 307 logs in ltm log coming from?

Injeyan_Kostas

Nacreous

7 months ago

Good point, in which irule event do you log them?

Emil_Tr
Altocumulus
7 months ago
HTTP::RESPONSE of course

when HTTP_REQUEST {
set is_pelecard1 0
set path1var [HTTP::path]
set host1var [HTTP::host]
set cip1var [IP::client_addr]
if {($path1var contains "pelecard" )} {
set is_pelecard1 1
set uri1var [HTTP::uri]
set vs1var [IP::local_addr]
log local0. "client ip=$cip1var >> vs: $vs1var $host1var$uri1var [IP::client_addr] [IP::remote_addr] [IP::local_addr] "
}
}
when HTTP_RESPONSE {
if {(($is_pelecard1 == 1 ) or ($cip1var == "99.99.99.8"))} {
log local0. "HTTP Status = [HTTP::status] [IP::client_addr] [IP::remote_addr] [IP::local_addr] [IP::server_addr]"
}
}

LTM log:
May 21 07:41:19 f5_ASM01 info tmm2[10293]: Rule /Common/_Troubleshoot-iRule <HTTP_RESPONSE>: HTTP Status = 307 99.99.99.8 10.20.3.36 51.51.51.50 10.20.3.36
- Injeyan_Kostas
  Nacreous
  7 months ago
  In that case, 307 is definetely coming from server
  
  But ASM is logging only security event logs by default
  307 is not considered security event
  Have you adjust logging to log all requests?
  - Emil_Tr
    Altocumulus
    7 months ago
    As I mentioned at the beginning: "logging profile configured to log all requests"