Forum Discussion
Using tmsh to Get a Specific ASM Chart
Hi,
We're running some F5s on 11.4.1 in our environment with the ASM module enabled for which I have some policies in place.
Via the web GUI I'm able to view a really useful chart by drilling down through the "Top violations with critical severity" pre-defined chart and I want to schedule this specific chart to run and dump out regularly (ideally as a .csv file to a network location but e-mail is also fine).
The chart in question is:
Severity: Critical >> Violation: Attack signature detected >> Security Policy: /my_partition/my_vs
Is there a way I can configure this using TMSH? I've had a read through the "Traffic Management Shell Reference Guide" but I can't seem to put the correct pieces together.
Appreciate any help/guidance please!
Thanks, Rich
- richkingly_1410 (Altostratus)
Right, I know how to get the report that I need now and send it to myself by e-mail. I'll just work on how to schedule it next. Thanks for your help, here's the code that was required:
send-mail analytics application-security report view-by attack-type measures { } drilldown { { entity policy values { "/my_partition/vs-mysite" } } { entity severity values { Critical } } { entity violation values { "Attack signature detected" } } } range now-1w format pdf email-addresses { me@company.com }
It produces something that shows the attack signatures detected against your virtual server over the past week:
I'm hoping to use the info, in csv format, to pump into our BI environment and trend over time.
- nice, thanks for posting the solution, be sure to flag your question as answered.
don't think you can do that via tmsh, but you can schedule charts and email them via the GUI:
Security ›› Reporting : Application : Charts Scheduler
would that work for you?
- richkingly_1410 (Altostratus)
Thanks boneyard, I can get it to send out reports via the GUI (pre-defined ones and multi-level ones) but not that specific report unfortunately.
I was hoping I could use tmsh syntax along the lines of:
show analytics application-security report view-by violation drilldown { { entity severity values { Error } } }
But I can't quite work out how to put the syntax together for the specific chart I'm after
ok, got the hang of the syntax, this works for me:
root@(bigip-01)(cfg-sync Standalone)(Active)(/Common)(tmos) show analytics application-security report view-by violation drilldown { { entity severity values { Critical } } }
--------------------------------------------------------------
Analytics query result
--------------------------------------------------------------
Time range: 12/24/2014:13:10 (CET) ---> 12/24/2014:14:10 (CET)
--------------------------------------------------------------
name | occurences
--------------------------------------------------------------
Illegal meta character in URL | 1
Evasion technique detected | 1
now what exactly do you want? still not 100% clear to me.
- richkingly_1410 (Altostratus)
Happy New Year - sorry for the late reply, I've been away for the winter break.
The exact report I'm trying to get via TMSH is:
For a given Policy (e.g. "my_asm_policy") I want a chart of the Violations where "Attack Signature Detected" and the severity is "Critical".
Looking at your example above I'm wondering if I can specify a second entity of "Attack Signature Detected" - I'll have a play now.
- ok, if you don't get further let me know, i might have another look then.