Forum Discussion
Using tmsh to Get a Specific ASM Chart
Hi,
We're running some F5s on 11.4.1 in our environment with the ASM module enabled for which I have some policies in place.
Via the web GUI I'm able to view a really useful chart by drilling down through the "Top violations with critical severity" pre-defined chart and I want to schedule this specific chart to run and dump out regularly (ideally as a .csv file to a network location but e-mail is also fine).
The chart in question is:
Severity: Critical >> Violation: Attack signature detected >> Security Policy: /my_partition/my_vs
Is there a way I can configure this using TMSH? I've had a read through the "Traffic Management Shell Reference Guide" but I can't seem to put the correct pieces together.
Appreciate any help/guidance please!
Thanks, Rich
7 Replies
don't think you can do that via tmsh, but you can schedule charts and email them via the GUI:
Security ›› Reporting : Application : Charts Scheduler
would that work for you?
- richkingly_1410
Altostratus
Thanks boneyard, I can get it to send out reports via the GUI (pre-defined ones and multi-level ones) but not that specific report unfortunately.
I was hoping I could use tmsh syntax along the lines of:
show analytics application-security report view-by violation drilldown { { entity severity values { Error } } }
But I can't quite work out how to put the syntax together for the specific chart I'm after
ok, got the hang of the syntax, this works for me:
    root@(bigip-01)(cfg-sync Standalone)(Active)(/Common)(tmos) show analytics application-security report view-by violation drilldown { { entity severity values { Critical } } }
    --------------------------------------------------------------
    Analytics query result
    --------------------------------------------------------------
    Time range: 12/24/2014:13:10 (CET) ---> 12/24/2014:14:10 (CET)
    --------------------------------------------------------------
    name | occurences
    --------------------------------------------------------------
    Illegal meta character in URL | 1
    Evasion technique detected | 1
now what exactly do you want? still not 100% clear to me.
- richkingly_1410
Altostratus
Happy New Year - sorry for the late reply, I've been away for the winter break.
The exact report I'm trying to get via TMSH is:
For a given Policy (e.g. "my_asm_policy") I want a chart of the Violations where "Attack Signature Detected" and the severity is "Critical"
Looking at your example above I'm wondering if I can specify a second entity of "Attack Signature Detected" - I'll have a play now.
- ok, if you don't get further let me know, i might have another look then.
- richkingly_1410
Altostratus
Right, I know how to get the report that I need now and send it to myself by e-mail. I'll just work on how to schedule it next. Thanks for your help, here's the code that was required:
    send-mail analytics application-security report view-by attack-type measures { } drilldown { { entity policy values { "/my_partition/vs-mysite" } } { entity severity values { Critical } } { entity violation values { "Attack signature detected" } } } range now-1w format pdf email-addresses { me@company.com }
It produces something that shows the attack signatures detected against your virtual server over the past week:
I'm hoping to use the info, in csv format, to pump into our BI environment and trend over time.
- nice, thanks for posting the solution, be sure to flag your question as answered.
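For the CSV goal mentioned in the thread, here is an added example (not posted by anyone in the discussion) that turns the plain-text table printed by `show analytics application-security report` into CSV rows stamped with the report's time range, so successive runs can be appended and trended. It assumes the table layout shown earlier in the thread; `parse_report`, `to_csv` and the sample text are hypothetical names and constructed data.

```python
import csv
import io
import re

# Constructed sample: the table from the thread with its line breaks restored
# (assumed layout; the header spelling "occurences" is kept as printed).
SAMPLE = """\
--------------------------------------------------------------
Analytics query result
--------------------------------------------------------------
Time range: 12/24/2014:13:10 (CET) ---> 12/24/2014:14:10 (CET)
--------------------------------------------------------------
name                          | occurences
--------------------------------------------------------------
Illegal meta character in URL | 1
Evasion technique detected    | 1
"""

TIME_RANGE = re.compile(r"^Time range:\s*(.+?)\s*-+>\s*(.+?)\s*$")


def parse_report(text):
    """Return (start, end, [(name, count), ...]) from a tmsh analytics table."""
    start = end = None
    rows, seen_header = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RANGE.match(line)
        if m:
            start, end = m.groups()
        elif "|" in line and not seen_header:
            seen_header = True  # first piped line is the column header
        elif "|" in line:
            # rpartition keeps any "|" inside the name; the count is last.
            name, _, value = line.rpartition("|")
            if not value.strip().isdigit():
                raise ValueError(f"unexpected count in row: {raw!r}")
            rows.append((name.strip(), int(value)))
    if start is None:
        raise ValueError("no 'Time range:' line found")
    return start, end, rows


def to_csv(text):
    """Render the parsed table as CSV, one row per violation name."""
    start, end, rows = parse_report(text)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["range_start", "range_end", "name", "occurrences"])
    writer.writerows((start, end, name, count) for name, count in rows)
    return out.getvalue()
```

Rule lines, banners and the shell prompt contain no `|` and are skipped, so captured terminal output can be passed in unmodified.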
