richkingly_1410
Dec 23, 2014

Using tmsh to Get a Specific ASM Chart

Hi,

 

We're running some F5s on 11.4.1 in our environment with the ASM module enabled for which I have some policies in place.

 

Via the web GUI I'm able to view a really useful chart by drilling down through the "Top violations with critical severity" pre-defined chart and I want to schedule this specific chart to run and dump out regularly (ideally as a .csv file to a network location but e-mail is also fine).

 

The chart in question is:

 

Severity: Critical >> Violation: Attack signature detected >> Security Policy: /my_partition/my_vs

 

Is there a way I can configure this using TMSH? I've had a read through the "Traffic Management Shell Reference Guide" but I can't seem to put the correct pieces together.

 

Appreciate any help/guidance please!

 

Thanks, Rich

 

  • Right, I know how to get the report that I need now and send it to myself by e-mail. I'll just work on how to schedule it next. Thanks for your help, here's the code that was required:

     

    send-mail analytics application-security report view-by attack-type  measures {  } drilldown { { entity policy values { "/my_partition/vs-mysite" } } { entity severity values { Critical } } { entity violation values { "Attack signature detected" } } } range now-1w format pdf email-addresses { me@company.com }
    

     

    It produces something that shows the attack signatures detected against your virtual server over the past week:

    I'm hoping to use the info, in csv format, to pump into our BI environment and trend over time.

    • boneyard
      nice, thanks for posting the solution, be sure to flag your question as answered.
  • Happy New Year - sorry for the late reply, I've been away for the winter break.

     

    The exact report I'm trying to get via TMSH is:

     

    For a given Policy (e.g. "my_asm_policy") I want a chart of the Violations where "Attack Signature Detected" and the severity is "Critical"

     

    Looking at your example above I'm wondering if I can specify a second entity of "Attack Signature Detected" - I'll have a play now.

     

    • boneyard
      ok, if you don't get further let me know, i might have another look then.
  • ok, got the hang of the syntax, this works for me:

     

    root@(bigip-01)(cfg-sync Standalone)(Active)(/Common)(tmos) show analytics application-security report view-by violation drilldown { { entity severity values { Critical } } }
    --------------------------------------------------------------
    Analytics query result
    --------------------------------------------------------------
    Time range: 12/24/2014:13:10 (CET) ---> 12/24/2014:14:10 (CET)
    --------------------------------------------------------------
    name                          | occurences
    --------------------------------------------------------------
    Illegal meta character in URL | 1
    Evasion technique detected    | 1
    

     

    now what exactly do you want? still not 100% clear to me.

  • Thanks boneyard, I can get it to send out reports via the GUI (pre-defined ones and multi-level ones) but not that specific report unfortunately.

     

    I was hoping I could use tmsh syntax along the lines of:

     

    show analytics application-security report view-by violation drilldown { { entity severity values { Error } } }

     

    But I can't quite work out how to put the syntax together for the specific chart I'm after

     

  • don't think you can do that via tmsh, but you can schedule charts and email them via the GUI:

     

    Security ›› Reporting : Application : Charts Scheduler

     

    would that work for you?
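
For the stated goal of feeding these violation counts into a BI tool as CSV, the text table that `show analytics application-security report` prints in the thread can be converted with a small filter. This is an added example, not code from any poster or from F5. The function names `asm_report_to_csv` and `sample_report` and the CSV column names are made up here, and the parser assumes the layout of the sample output posted in the thread.

```shell
# Added example, not from the thread: turn the text table printed by
# "show analytics application-security report ..." into CSV.
# Assumes the layout of the sample output posted in the thread.
asm_report_to_csv() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function csvq(s) { gsub(/"/, "\"\"", s); return "\"" s "\"" }  # CSV-quote a field

    BEGIN { print "range_start,range_end,name,occurrences" }

    # "Time range: <start> ---> <end>" applies to every row that follows.
    /^[ \t]*Time range:/ {
        line = $0
        sub(/^[ \t]*Time range:[ \t]*/, "", line)
        n = split(line, r, /[ \t]*--->[ \t]*/)
        start = trim(r[1]); stop = (n > 1) ? trim(r[2]) : ""
        next
    }

    # Rows look like "<name> | <count>"; split on the last pipe in the line.
    /\|/ {
        i = match($0, /\|[^|]*$/)
        name  = trim(substr($0, 1, i - 1))
        count = trim(substr($0, i + 1))
        if (count !~ /^[0-9]+$/) next      # skips the "name | occurences" header
        print csvq(start) "," csvq(stop) "," csvq(name) "," count
        rows++
    }

    END { exit (rows > 0 ? 0 : 1) }        # non-zero exit when nothing parsed
    '
}

# Constructed sample: the report output as posted in the thread.
sample_report() {
    cat <<'EOF'
--------------------------------------------------------------
Analytics query result
--------------------------------------------------------------
Time range: 12/24/2014:13:10 (CET) ---> 12/24/2014:14:10 (CET)
--------------------------------------------------------------
name                          | occurences
--------------------------------------------------------------
Illegal meta character in URL | 1
Evasion technique detected    | 1
EOF
}

sample_report | asm_report_to_csv
```

The non-zero exit status on an empty result lets a scheduled job tell "no violations in the window" apart from a report that parsed correctly.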