APM/Analytics - Log click on webtop resources [serverside]

Problem this snippet solves:

When you provide an SSL VPN portal to clients, you publish several kinds of applications: Portal Access, Remote Desktop, webtop links, SAML resources, Citrix/VMware VDI, etc.

APM logs access to the webtop, but once a user is connected there is no further visibility into who clicks which icon. This simple iRule provides that visibility and analytics capability.

How to use this snippet:

Installation

Attach this iRule to the virtual server that handles your access profile.

Logging information

Clicks are logged to local0 (the ltm logs). Examples:

virtual=/Common/test, apm=1239853, user=testuser, resource_type=portal, resourcename=owa
virtual=/Common/test, apm=1239853, user=testuser, resource_type=remote_desktop, resourcename=ActiveDirectory
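
To turn these lines into per-user analytics, the following added example (not part of the original snippet or the author's repository) parses the key=value payload and counts clicks per user and resource. The syslog prefix, the iRule name `log_webtop` and all sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines, not real logs. The syslog prefix and the iRule
# name "log_webtop" are assumptions; the payload follows the format above.
SAMPLE = """\
Jun  6 10:01:02 bigip1 info tmm[1234]: Rule /Common/log_webtop <ACCESS_ACL_ALLOWED>: virtual=/Common/test, apm=1239853, user=testuser, resource_type=portal, resourcename=owa
Jun  6 10:02:10 bigip1 info tmm[1234]: Rule /Common/log_webtop <ACCESS_ACL_ALLOWED>: virtual=/Common/test, apm=1239853, user=testuser, resourcetype=remote_desktop, resourcename=ActiveDirectory
Jun  6 10:03:44 bigip1 info tmm[1234]: Rule /Common/log_webtop <ACCESS_ACL_ALLOWED>: virtual=/Common/test, apm=7740211, user=alice, resource_type=portal, resourcename=owa
Jun  6 11:15:09 bigip1 info tmm[1234]: Rule /Common/log_webtop <ACCESS_ACL_ALLOWED>: virtual=/Common/test, apm=9912040, user=testuser, resource_type=portal, resourcename=owa
Jun  6 11:16:00 bigip1 notice mcpd[5678]: unrelated line without click data
"""

REQUIRED = ("virtual", "apm", "user", "resource_type", "resourcename")


def parse_click(line):
    """Return the click fields of one log line as a dict, or None."""
    start = line.find("virtual=")
    if start < 0:
        return None
    # resourcename is the last field and is taken from the request URI, so
    # keep everything after it as one value (even if it contains commas) and
    # drop non-printable characters before it reaches a report.
    head, sep, name = line[start:].partition("resourcename=")
    if not sep:
        return None
    fields = {"resourcename": "".join(c for c in name.strip() if c.isprintable())}
    for part in head.split(","):
        key, eq, value = part.strip().partition("=")
        if eq:
            fields[key] = value.strip()
    # Accept the "resourcetype" spelling as well as "resource_type".
    if "resourcetype" in fields:
        fields.setdefault("resource_type", fields.pop("resourcetype"))
    return fields if all(k in fields for k in REQUIRED) else None


def summarize(text):
    """Count clicks per (user, resource_type, resourcename)."""
    clicks = Counter()
    for line in text.splitlines():
        rec = parse_click(line)
        if rec:
            clicks[(rec["user"], rec["resource_type"], rec["resourcename"])] += 1
    return clicks


if __name__ == "__main__":
    for (user, rtype, name), n in sorted(summarize(SAMPLE).items()):
        print(f"{user:10} {rtype:15} {name:20} {n}")
```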

Features

You can currently log the following application types:

  • Portal access
  • Remote Desktop access

The iRule provides the following additional features:

  • Decoding of the Portal Access URI
  • Logging of username, APM session and resource name

Credits

Inspired by an original iRule in a reply from Kevin Stewart: Logging for Portal Access

External links

GitHub: github.com/e-XpertSolutions/f5

Code:

when RULE_INIT {
    # Prefix used by the pre-v13.x accesscontrol log lines below. This page does
    # not give its value: replace the placeholder before using that option.
    set static::ACCESS_LOG_PREFIX "REPLACE_WITH_LOG_PREFIX"
}

when ACCESS_ACL_ALLOWED {
    switch -glob [HTTP::uri] {
        "*resourcetype=remote_desktop*" {
            # $session is used by the pre-v13.x log line but was never set;
            # it is assumed here to be the APM session ID.
            set session [ACCESS::session sid]

            #
            # Basic logging. Remote or local logging settings can be configured
            #

            # log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"

            #
            # ACCESS logging before v13.x
            # (/Common/ap-ad-auth is the access profile name; adjust it to yours)
            #

            log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"

            #
            # ACCESS::log is available in v13.x. Log saved in Access report too.
            #

            # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=remote_desktop, [findstr [HTTP::uri] "resourcename=" 0 "\%"]"

        }
        "*f5-w-*" {
            catch {
                # See the note on $session in the remote_desktop branch.
                set session [ACCESS::session sid]

                # Portal Access URIs carry the backend as hex between "/f5-w-" and "$$"
                set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]

                # Log each resource only once per session and user; the table entry has a 3600 s timeout
                if { [table lookup -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource"] eq "" } {
                    table set -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource" [clock format [clock seconds] -format %Y%m%d-%H%M%S] 3600

                    #
                    # Basic logging. Remote or local logging settings can be configured
                    #

                    # log local0. "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"

                    #
                    # ACCESS logging before v13.x
                    #

                    log -noname accesscontrol.local1.notice "$static::ACCESS_LOG_PREFIX /Common/ap-ad-auth:Common:$session: virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"

                    #
                    # ACCESS::log is available in v13.x. Log saved in Access report too.
                    #

                    # ACCESS::log accesscontrol.notice "virtual=[virtual], apm=[string range [ACCESS::session sid] [expr {[string length [ACCESS::session sid]] - 10}] end], user=[ACCESS::session data get session.logon.last.username], resource_type=portal, resourcename=$resource"

                }
            }
        }
    }
}

Tested this on version:

11.5
Updated Jun 06, 2023
Version 2.0
  • Thanks. Works for portal access but does not record/log webtop links that were clicked. Will dig into it and look at the referenced document. Thanks.

  • Hi,

    Webtop links are external links to web applications. You can catch the user click by inserting JavaScript into the full webtop.

  • @Yann Desmarest: Do you have an example of such JavaScript code, and do you know where exactly in the customization such a script has to be inserted?