Forum Discussion
syslog APM VPN log in and log outs
We have the need to be notified when users log in and log out of the APM VPN. Is this possible? Looking at the events the syslog sends now, I do not see the information we need.
- Seth_Cooper (Employee)
Hi, when you say notified, do you just need a log entry sent to your syslog server?
- Hamish (Cirrocumulus)
I found the default logs for APM are a bit sparse. You CAN get additional info, but at the expense of things like putting APM into debug mode, which gets a bit too voluminous.
I went the path of creating custom events from APM (drop them in place in the VPE), which then call an iRule that logs the appropriate message, e.g. this iRule, which I called log-auth-result. A better implementation would use a datagroup/class for the actual log messages:

```tcl
when CLIENT_ACCEPTED {
    # One HSL handle per connection; hsl-log-01 is the pool of syslog receivers
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    # <190> is the syslog PRI for facility local7, severity info
    set larLogPrefix "<190>[virtual]:lar-1.02:[IP::client_addr]:[TCP::client_port]:"
}

when ACCESS_POLICY_AGENT_EVENT {
    set user   [ACCESS::session data get "session.logon.last.username"]
    # session.custom.logmethod is a custom variable expected to be set earlier in the VPE
    set method [ACCESS::session data get "session.custom.logmethod"]
    # The Agent ID is whatever was typed into the Custom iRule Event agent in the VPE
    if { [ACCESS::policy agent_id] eq "logSuccess" } {
        HSL::send $larHSL "$larLogPrefix: LOGON:success $user:${method}:ssid [ACCESS::session sid]"
    } elseif { [ACCESS::policy agent_id] eq "logFail" } {
        HSL::send $larHSL "$larLogPrefix: LOGON:failed $user:${method}:"
    }
    # Stash connection details in the session: ACCESS_SESSION_CLOSED runs without
    # a client connection, so IP::client_addr and friends are not available there
    ACCESS::session data set session.custom.virtual [virtual]
    ACCESS::session data set session.custom.clientip [IP::client_addr]
    ACCESS::session data set session.custom.clientport [TCP::client_port]
    ACCESS::session data set session.custom.sid [ACCESS::session sid]
}

when ACCESS_SESSION_CLOSED {
    # No connection context here, so open a fresh HSL handle
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    set sessionIP     [ACCESS::session data get "session.custom.clientip"]
    set sessionclPort [ACCESS::session data get "session.custom.clientport"]
    set sessionSID    [ACCESS::session data get "session.custom.sid"]
    set sessionvirt   [ACCESS::session data get "session.custom.virtual"]
    set larLogPrefix "<190>${sessionvirt}:lar-1.02:${sessionIP}:${sessionclPort}:"
    set user [ACCESS::session data get "session.logon.last.username"]
    HSL::send $larHSL "$larLogPrefix: LOGOF:success ${user}:ssid ${sessionSID}:"
}
```
It probably wants a trailing `} else {}` as well, to log something when an invalid message type is passed from the VPE... but you can alter it as you like.
Oh, and it's session-based. Not necessarily at the time of network access open/close, but the actual session.
H
- jnowlin_44976 (Nimbostratus)
Seth, yes, a log entry to my syslog would be fine. The issue I have seen is that even in informational or debug log mode the session end is logged with only the session ID and not the user's name. So by default I could only get a VPN start with session ID and login name, but I wouldn't get the login name on session end, because F5 only logs the session ID on logout/session ending.
- jnowlin_44976 (Nimbostratus)
This looks like what I'm looking for, but I'm not sure where in the VPE I would put these. I don't see anywhere I can drop an iRule for a session-ending event. Sorry if that doesn't make sense.
Thanks
- Hamish (Cirrocumulus)
Attach the iRule to the VS. Then use the iRule Event object in the VPE.
H
- jnowlin_44976 (Nimbostratus)
iRule attached to the VS. I can't find any detail on how to add the iRule Event object in the VPE. If I add it after the authentication in the VPE, what do I enter for the Custom iRule Event Agent ID?
- Hamish (Cirrocumulus)
The Agent ID is passed in the `[ACCESS::policy agent_id]` variable. It's the test in the iRule that goes

```tcl
if { [ACCESS::policy agent_id] eq "logSuccess" } {
    HSL::send $larHSL "$larLogPrefix: LOGON:success $user:${method}:ssid [ACCESS::session sid]"
}
```

so to log the message you'd pass logSuccess as the Agent ID.
- jnowlin_44976 (Nimbostratus)
Oh, that explained it perfectly. It's now working. Questions: 1. Can I include the VPN IP address given out? 2. Can the session ID be displayed as the true session ID instead of what appears to be a hash?
Thanks again
- Hamish (Cirrocumulus)
You can display anything you can get a variable for, or SET a variable for, within your VPE policy...
H
- jnowlin_44976 (Nimbostratus)
I am trying to add the client browser type to the log. I assume I would add:

```tcl
when HTTP_REQUEST {
    set browser [HTTP::header User-Agent]
}
```

Then in the HSL::send command I can add the $browser variable to display it, but every time I add this variable it breaks VPN login.
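As an added example (not code from the thread, from F5, or from Hamish), here is a variant of the log-auth-result iRule that reads the browser identity from the APM session rather than from a Tcl variable set in HTTP_REQUEST, handles an unexpected Agent ID, and adds the lease-pool address to the logoff record. It assumes the pool `hsl-log-01`, the Agent IDs `logSuccess`/`logFail` and the custom variable `session.custom.logmethod` from the thread, plus the APM session variables `session.user.agent` and `session.assigned.clientip`.

```tcl
# Hypothetical variant of log-auth-result (added example, not from the thread).
# Assumes the pool hsl-log-01, the VPE agent IDs logSuccess/logFail, the custom
# variable session.custom.logmethod, and the APM-maintained session variables
# session.user.agent and session.assigned.clientip.
when CLIENT_ACCEPTED {
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    set larLogPrefix "<190>[virtual]:lar-1.03:[IP::client_addr]:[TCP::client_port]:"
}
when ACCESS_POLICY_AGENT_EVENT {
    set sid    [ACCESS::session sid]
    set user   [ACCESS::session data get "session.logon.last.username"]
    set method [ACCESS::session data get "session.custom.logmethod"]
    # Browser identity comes from the APM session, not from a Tcl variable set in
    # HTTP_REQUEST: a connection-local variable is absent in events that have no
    # client connection, and reading an unset Tcl variable aborts the iRule.
    set agent  [ACCESS::session data get "session.user.agent"]
    switch [ACCESS::policy agent_id] {
        "logSuccess" {
            HSL::send $larHSL "$larLogPrefix LOGON:success ${user}:${method}:ssid ${sid}:ua ${agent}"
        }
        "logFail" {
            HSL::send $larHSL "$larLogPrefix LOGON:failed ${user}:${method}:ua ${agent}"
        }
        default {
            # Unexpected Agent ID typed into the VPE: record it instead of dropping the event
            HSL::send $larHSL "$larLogPrefix LOGON:unknown-agent [ACCESS::policy agent_id]:${user}"
        }
    }
    # Persist connection details for ACCESS_SESSION_CLOSED, which has no client connection
    ACCESS::session data set session.custom.virtual [virtual]
    ACCESS::session data set session.custom.clientip [IP::client_addr]
    ACCESS::session data set session.custom.clientport [TCP::client_port]
    ACCESS::session data set session.custom.sid $sid
}
when ACCESS_SESSION_CLOSED {
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    set sessionIP     [ACCESS::session data get "session.custom.clientip"]
    set sessionclPort [ACCESS::session data get "session.custom.clientport"]
    set sessionSID    [ACCESS::session data get "session.custom.sid"]
    set sessionvirt   [ACCESS::session data get "session.custom.virtual"]
    set user          [ACCESS::session data get "session.logon.last.username"]
    set agent         [ACCESS::session data get "session.user.agent"]
    # Lease-pool address handed to the Network Access client (assumed populated by
    # the time the session closes; empty for sessions that never opened a tunnel)
    set vpnip         [ACCESS::session data get "session.assigned.clientip"]
    set larLogPrefix "<190>${sessionvirt}:lar-1.03:${sessionIP}:${sessionclPort}:"
    HSL::send $larHSL "$larLogPrefix LOGOF:success ${user}:ssid ${sessionSID}:vpnip ${vpnip}:ua ${agent}"
}
```

The logon and logoff records share the `ssid` field, so a syslog receiver can pair them to compute session duration and flag sessions that were opened but never closed.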