Forum Discussion
syslog APM VPN logins and logouts
I found the default logs for APM are a bit sparse. You CAN get additional info, but at the expense of things like putting APM into debug mode, which gets a bit too voluminous.
I went the path of creating custom events from APM (drop them in place in the VPE), which then call an iRule that logs the appropriate message, e.g. this iRule, which I called log-auth-result. A better implementation would use a datagroup/class for the actual log messages:
```tcl
# iRule "log-auth-result": sends APM logon/logoff results to a syslog pool via HSL.
# "<190>" is the syslog PRI field (facility local7, severity info).
when CLIENT_ACCEPTED {
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    set larLogPrefix "<190>[virtual]:lar-1.02:[IP::client_addr]:[TCP::client_port]:"
}

# Fired by an iRule Event agent placed in the VPE; the agent ID selects the message.
when ACCESS_POLICY_AGENT_EVENT {
    set user [ACCESS::session data get "session.logon.last.username"]
    set method [ACCESS::session data get "session.custom.logmethod"]
    if { [ACCESS::policy agent_id] eq "logSuccess" } {
        HSL::send $larHSL "$larLogPrefix: LOGON:success $user:${method}:ssid [ACCESS::session sid]"
    } elseif { [ACCESS::policy agent_id] eq "logFail" } {
        HSL::send $larHSL "$larLogPrefix: LOGON:failed $user:${method}:"
    }
    # Stash the connection details in the session so ACCESS_SESSION_CLOSED,
    # which runs without a client connection context, can rebuild the same prefix.
    ACCESS::session data set session.custom.virtual [virtual]
    ACCESS::session data set session.custom.clientip [IP::client_addr]
    ACCESS::session data set session.custom.clientport [TCP::client_port]
    ACCESS::session data set session.custom.sid [ACCESS::session sid]
}

# Logs the logoff when the APM session itself ends (timeout, user logout, admin kill).
when ACCESS_SESSION_CLOSED {
    set larHSL [HSL::open -proto UDP -pool hsl-log-01]
    set sessionIP [ACCESS::session data get "session.custom.clientip"]
    set sessionclPort [ACCESS::session data get "session.custom.clientport"]
    set sessionSID [ACCESS::session data get "session.custom.sid"]
    set sessionvirt [ACCESS::session data get "session.custom.virtual"]
    set larLogPrefix "<190>${sessionvirt}:lar-1.02:${sessionIP}:${sessionclPort}:"
    set user [ACCESS::session data get "session.logon.last.username"]
    HSL::send $larHSL "$larLogPrefix: LOGOF:success ${user}:ssid ${sessionSID}:"
}
```
It probably wants a trailing } else {} as well, to log something when an invalid message type is passed from the VPE. But you can alter as you like.
Oh, and it's session-based: not necessarily at the time of network access open/close, but the actual session.
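As an added example (not part of the original post), a small Python parser for the syslog lines this iRule emits, on the collector side: it decodes the PRI value, pairs LOGON with LOGOF by session id so that sessions still open can be listed, and counts failed logons per user and client IP. The sample lines, virtual server name, users, IPs, session ids and the failure threshold are all constructed.

```python
import re
from collections import Counter

# Matches the message layout produced by the iRule above:
#   <PRI>virtual:lar-1.02:client_ip:client_port:: LOGON|LOGOF:result body
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<virtual>[^:]+):(?P<tag>[^:]+):(?P<ip>[^:]+):(?P<port>\d+)::"
    r" (?P<event>LOGON|LOGOF):(?P<result>\w+) (?P<body>.*)$"
)

def parse_line(line):
    # Return a dict for one HSL line, or None if the line is not in this format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri // 8, pri % 8  # <190> = local7.info
    fields = rec.pop("body").split(":")  # user:method:ssid X | user:method: | user:ssid X:
    rec["user"] = fields[0]
    rec["method"] = fields[1] if rec["event"] == "LOGON" else None
    sid_field = next((f for f in fields if f.startswith("ssid ")), None)
    rec["sid"] = sid_field[len("ssid "):] if sid_field else None
    return rec

def analyse(lines, fail_threshold=3):
    # Pair LOGON with LOGOF by session id; count failed logons per (user, client IP).
    open_sessions, failures = {}, Counter()
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["event"], rec["result"])
        if key == ("LOGON", "success"):
            open_sessions[rec["sid"]] = rec["user"]
        elif key == ("LOGON", "failed"):
            failures[(rec["user"], rec["ip"])] += 1
        elif key == ("LOGOF", "success"):
            open_sessions.pop(rec["sid"], None)  # session ended cleanly
    suspects = sorted(k for k, n in failures.items() if n >= fail_threshold)
    return {"open_sessions": open_sessions, "failures": dict(failures), "suspects": suspects}

# Constructed sample lines (virtual server, IPs, users and session ids are made up).
SAMPLE = """\
<190>/Common/vs_apm:lar-1.02:203.0.113.10:51234:: LOGON:success alice:ldap:ssid 1a2b3c
<190>/Common/vs_apm:lar-1.02:203.0.113.20:41000:: LOGON:failed bob:ldap:
<190>/Common/vs_apm:lar-1.02:203.0.113.20:41001:: LOGON:failed bob:ldap:
<190>/Common/vs_apm:lar-1.02:203.0.113.20:41002:: LOGON:failed bob:ldap:
<190>/Common/vs_apm:lar-1.02:203.0.113.30:52000:: LOGON:success carol:radius:ssid 9f8e7d
<190>/Common/vs_apm:lar-1.02:203.0.113.10:51234:: LOGOF:success alice:ssid 1a2b3c:
"""
if __name__ == "__main__":
    print(analyse(SAMPLE.splitlines()))
```

Because the HSL body carries no timestamp, session durations have to be computed from the timestamps the receiving syslog server prepends.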