Forum Discussion
Stream Logging Efficiency - iRule question
I have an iRule that utilizes stream matching and header capture to pull a Client IP, a posted Username, and a response from the web application (webapp is ADFS in this case).
I am not sure if this is the most efficient method to gather and log this data; the iRule works well in our dev environment, but I am concerned that it will be a hog on prod.
FWIW - I know this could be done more efficiently with APM but I'm constrained to an iRule for this at the moment.
Any advice to improve the rule would be appreciated!
-- %< --
when HTTP_REQUEST {
    # Snag the remote client address (same value as IP::remote_addr on the client side)
    set int [IP::client_addr]
    # Forget any username captured by an earlier request on this keep-alive
    # connection so a stale value is never logged for a later response
    unset -nocomplain USER
    # Insert MS Proxy info for ADFS to know we are external.
    # "replace" rather than "insert": a copy of the header supplied by the
    # client is overwritten instead of being passed along to ADFS.
    HTTP::header replace "X-MS-Proxy" "F5-LTM-PROD"
    # Insert MS Proxy info for ADFS logging
    HTTP::header replace "X-MS-Forwarded-Client-IP" $int
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # Capture the "username=..." pair from the posted form body
    foreach X [split [string tolower [HTTP::payload]] "&"] {
        if { $X starts_with "username" } {
            set USER $X
        }
    }
}
when HTTP_RESPONSE {
    # Only scan HTML responses. The opening brace has to sit on the same
    # line as the condition, otherwise Tcl reads it as a separate command.
    if { [HTTP::header value Content-Type] contains "text/html" } {
        STREAM::expression @Incorrect@
        STREAM::enable
    }
}
when STREAM_MATCHED {
    # Log once per matched response, and only if a username was captured
    if { [info exists USER] } {
        log local0. "ADFS FAILED Login attempt for user $USER From Client $int"
    }
}
- cjunior
Nacreous
Hi dude, maybe I would do it like this:
when HTTP_REQUEST {
    # If this is not the logon page there is nothing to do now.
    # You must change this to your real logon page address.
    if { [string tolower [HTTP::path]] ne "/adfs/ls/idpinitiatedsignon.aspx" } {
        event HTTP_RESPONSE disable
        return
    }
    event HTTP_RESPONSE enable
    # Forget any username captured by an earlier request on this keep-alive
    # connection, so [info exists USER] below means "this request posted one"
    unset -nocomplain USER
    # Snag the remote client address
    set int [IP::client_addr]
    # Insert MS Proxy info for ADFS to know we are external.
    # "replace" rather than "insert" so a client-supplied copy of the header
    # is overwritten instead of being passed along to ADFS.
    HTTP::header replace "X-MS-Proxy" "F5-LTM-PROD"
    # Insert MS Proxy info for ADFS logging
    HTTP::header replace "X-MS-Forwarded-Client-IP" $int
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] ne "" } {
            if { [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
}
when HTTP_REQUEST_DATA {
    # Search for username=theName (skip the 9 characters of "username=", stop at "&")
    set USER [findstr [string tolower [HTTP::payload]] "username=" 9 "&"]
}
when HTTP_RESPONSE {
    # Only collect the HTML response to a request that posted a username
    if { [info exists USER] && [HTTP::header value Content-Type] contains "text/html" } {
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_RESPONSE_DATA {
    # Log once per response that carries the failure text
    if { [string match "*Incorrect*" [HTTP::payload]] } {
        log local0. "ADFS FAILED Login attempt for user $USER From Client $int"
    }
}
Feel free to check the performance and comment on the code.
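Added example, not from either post above and not iRule code: an offline Python model of the pipeline both iRules implement (bounded body capture, username extraction from the form post, a match on "Incorrect" in an HTML response, one syslog line), written so the parsing and logging choices can be unit-tested without a BIG-IP. It goes a little beyond the rules in the thread in three places a practitioner would want covered: it percent-decodes the username and keeps only the value rather than the whole "username=..." pair, it strips control characters from the attacker-controlled field before it reaches the log, and it overwrites any client-supplied X-MS-* header instead of adding a second copy. The sample request, response, IP address and header values are constructed, and all function names are my own.

```python
"""Offline model of the ADFS failed-login logging pipeline (added example,
not an iRule and not from the thread). Names and sample data are constructed."""
from typing import Optional
from urllib.parse import parse_qsl

MAX_COLLECT = 1048576  # 1 MiB, the HTTP::collect cap used in both iRules

# Constructed sample transaction: a failed form logon and ADFS's HTML reply.
SAMPLE_CLIENT_IP = "198.51.100.23"
SAMPLE_REQUEST_BODY = (b"UserName=CONTOSO%5Cj.doe%0AInjected"
                       b"&Password=wrong&AuthMethod=FormsAuthentication")
SAMPLE_REQUEST_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": str(len(SAMPLE_REQUEST_BODY)),
    # a client trying to pre-set the header the proxy is meant to assert
    "X-MS-Forwarded-Client-IP": "10.0.0.1",
}
SAMPLE_RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_RESPONSE_BODY = (b"<html><body><span id=\"errorText\">"
                        b"Incorrect user ID or password.</span></body></html>")


def proxy_headers(incoming: dict, client_ip: str) -> dict:
    """Headers ADFS should see. Like HTTP::header replace (not insert), any
    client-supplied X-MS-* value is dropped, so the requester cannot spoof
    the address the proxy asserts."""
    out = {k: v for k, v in incoming.items()
           if k.lower() not in ("x-ms-proxy", "x-ms-forwarded-client-ip")}
    out["X-MS-Proxy"] = "F5-LTM-PROD"
    out["X-MS-Forwarded-Client-IP"] = client_ip
    return out


def collect_length(headers: dict) -> int:
    """The HTTP_REQUEST arithmetic: Content-Length capped at 1 MiB; 1 MiB when
    the header is missing or not a number (chunked body, junk value)."""
    try:
        length = int(headers.get("Content-Length"))
    except (TypeError, ValueError):
        return MAX_COLLECT
    return max(0, min(length, MAX_COLLECT))


def extract_username(body: bytes) -> Optional[str]:
    """Percent-decoded value of the UserName form field (key matched
    case-insensitively), or None when the post has no such field. Only the
    value is returned, not the whole "username=..." pair, and the body is
    never lowercased."""
    for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if key.lower() == "username":
            return value
    return None


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """The username is attacker-controlled: replace CR/LF and other
    non-printable characters so a crafted value cannot forge extra log lines,
    and bound the length so a huge field cannot bloat syslog."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in value)
    return cleaned[:max_len]


def is_failed_login(response_headers: dict, response_body: bytes) -> bool:
    """What STREAM::expression @Incorrect@ gated on text/html detects."""
    ctype = response_headers.get("Content-Type", "")
    return "text/html" in ctype.lower() and b"Incorrect" in response_body[:MAX_COLLECT]


def failed_login_record(client_ip: str, req_headers: dict, req_body: bytes,
                        resp_headers: dict, resp_body: bytes) -> Optional[str]:
    """One transaction through the pipeline: the syslog message the iRule
    would emit, or None when nothing should be logged."""
    if not is_failed_login(resp_headers, resp_body):
        return None
    user = extract_username(req_body[:collect_length(req_headers)])
    if user is None:
        return None
    return (f"ADFS FAILED Login attempt for user {sanitize_for_log(user)} "
            f"From Client {client_ip}")


if __name__ == "__main__":
    print(proxy_headers(SAMPLE_REQUEST_HEADERS, SAMPLE_CLIENT_IP))
    print(failed_login_record(SAMPLE_CLIENT_IP, SAMPLE_REQUEST_HEADERS,
                              SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE_HEADERS,
                              SAMPLE_RESPONSE_BODY))
```

The sample body carries a percent-encoded newline inside the username; run as is, the script shows it being neutralised to "?" before the log line is built, which is the case a split-on-"&" iRule would write straight into syslog.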