Trying to create audit logs with session variable from APM

Am trying to sort out logging for auditing purposes and have the following problem. Hoping somebody here might be able to provide some guidance.

 

 

Want to log the username (to start with) of each request when going through APM. The following iRule seems to cover most of what we need.

 

The problem is that when the users web browser session swaps between the different tmm processes only one seems to have the right information.

 

 

when CLIENT_ACCEPTED {

 

log local7. "Here"

 

set userip [IP::client_addr]

 

set username "unknown"

 

set sessionid "unknown"

 

}

 

 

when HTTP_REQUEST {

 

log local7. "$userip $username $sessionid [HTTP::uri]"

 

}

 

 

when ACCESS_ACL_ALLOWED {

 

log local7. "Here"

 

set username [ACCESS::session data get "session.logon.last.username"]

 

set sessionid [ACCESS::session data get "session.user.sessionid"]

 

}

 

 

What gets logged:

 

Dec 22 14:06:05 local/tmm2/laf5a003-int info tmm2[5557]: Rule log-request : 203.8.131.32 unknown unknown /f5-w-687474703a2f2f617473776562746573742e646d7a3a39303530$$/atsweb/images/url-link.gif?F5CH=I

 

Dec 22 14:06:05 local/tmm2/laf5a003-int info tmm2[5557]: Rule log-request : Here

 

Dec 22 14:06:05 local/tmm1/laf5a003-int info tmm1[5556]: Rule log-request : 203.8.131.32 wilsonjp 0250d3a1 /f5-w-687474703a2f2f617473776562746573742e646d7a3a39303530$$/atsweb/images/logo_line2.gif?F5CH=I

 

Dec 22 14:06:05 local/tmm1/laf5a003-int info tmm1[5556]: Rule log-request : Here

 

 

When using tmm2 it does not know the user, but with tmm1 it does.

 

Need to either store the variables in a global cache, or would some sort of session persistence be better to achieve this.

 

 

This is just go get started, also need to log request sizes, response sizes and timing information too.

 

 

Running with 10.2 HF2.

 

 

Thanks,

 

Jason