ASM send mail alert when request violation with iRule

Question

Hi all&nbsp;
I have F5-ASM (11.3.0), when ASM have violation or blocking request, I want F5 notice me via email.&nbsp;
I have configed F5-ASM send email when have request blocking. But I want in body of email show more information detail about this request is blocked or violation like this:  violation_type; status request; ip client source... all in one email&nbsp;
Currently when I recieved email i just know only one information is Support_id of violation. I using iRule to capture Support_id from ASM log, here is iRule i found on Devcentral:&nbsp;
when ASM_REQUEST_VIOLATION {&nbsp;
 &nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 1]"&nbsp;
}&nbsp;
and modify in /config/user_alert.conf to send email:&nbsp;
alert ASM_MAIL "Support_id" {&nbsp;
        email toaddress="abc@company.com"&nbsp;
        fromaddress="monitor"&nbsp;
        body="The ASM Blocking" &nbsp;
} &nbsp;
==&gt; this way work fine but with one information is "Support_id"&nbsp;
=======================&nbsp;
I have tried to insert other information in iRule :&nbsp;
when ASM_REQUEST_VIOLATION {&nbsp;
 &nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 0]"&nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 1]"&nbsp;
log local3. "Support_id: [lindex [ASM::violation_data] 2]"&nbsp;
.......&nbsp;
}&nbsp;
This way i can recieved 2 or 3 email every have request blocked or violation but these informations not stay same one email ??&nbsp;
So hope everyone help this issue ?&nbsp;
Thanks&nbsp;

zeeshan_ahmad_1 · Answer

You can use the below irule to print the entire detail in a single log entry and will receive a single email.&nbsp;
when ASM_REQUEST_VIOLATION { &nbsp;
set x [ASM::violation_data]
log local3. "Request violations:=[lindex $x 0]   Support id:=[lindex $x 1]  web_application=[lindex $x 2]  severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]" &nbsp;
}&nbsp;

ahmed_eissa_206 · Answer

have it worked with you ??&nbsp;

ahmed_eissa_206 · Answer

it didnt work with me ....&nbsp;

zeeshan_ahmad_1 · Answer

You just need to add Support_id in the log as your custom alerts looks for this. Use the below iRule it will work
when ASM_REQUEST_VIOLATION {

set x [ASM::violation_data] 
log local3. "Support_id: Request violations:=[lindex $x 0] Support id:=[lindex $x 1] web_application=[lindex $x 2] severity=[lindex $x 3] source ip:=[lindex $x 4] attack_type=[lindex $x 5] request_status=[lindex $x 6]"

}

imtiyaz · Answer

Hello,Will this iRule send email notification?I have SMPT configured and working on the ASM version 16.Thanks

Forum Discussion

ASM send mail alert when request violation with iRule

5 Replies

Recent Discussions

Advise on setting up IRULE

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Related Content

Certificate Expiry Email alert configuration

Distributed caching of authentication requests with NGINX Ingress Controller

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Logging DNS Requests

Separating False Positives from Legitimate Violations