Export single ASM Event Log over API

muratalagoz
Altostratus

Hello,

I looked at the forum and also documentation but couldn't find anything. 

I am trying to export single log Security ›› Event Logs : Application: Requests with the VT support id over API. (v 15)

I replicate all the steps and am successfully capable of writing the HTML file w/ python.

The only difference is that one specific line has missing base64 data, and the HTML file is not rendered correctly, making it unuseful. Only the redacted part is less and, unfortunately, it contains sensitive info, so I cannot provide more info. But the rest of the file is the same.

window.requestsData = conv_value_REQUESTS_DATA_PLACEHOLDER ("eyj//redacted....==);

First, I thought something was wrong with the requests library of Python, but the HTTP response (800kb approx.) was successfully written to the file. I tried other libraries, and the result was the same.

My question is, did anyone do something like that before, and/or do you have any other suggestions?

Thank you.

1 ACCEPTED SOLUTION

muratalagoz
Altostratus

Hello,

After days of debugging, I discovered that I am querying the support id as a List object.

As a result, the API does not return an error; instead, the particular place is empty. After changing it to a string, everything works as expected.

4 REPLIES 4

tatmotiv
Cirrus

Can you provide some more insight on how you resolved this? I'm trying to do the same ("Export single ASM Event Log over API"), following this guide:  https://support.f5.com/csp/article/K50284219

I receive an html file which is useless, because it contains only a header with f5 logo and some metadata, but no details on the specific event ID at all. Although the html only displays very few lines, it is also about 800kb in size, but this seems to be due to the fact that it contains some JavaScript that brings along a lot of static basic stuff like country codes, descriptions of violations and such.

Is this the same error you encountered? If so, can you point out what you mean by "querying the support id as a List object" and "changing it to a string"?

It has been a few years since I looked into the report generation process, so you may need to do some sniffing of the requests the webui makes through Developer Tools in your browser and double check this still works.

The following call is one I used to grab the report data in JSON format; this is in Python. Set the $filter attribute in the query parameter (aka the variable exampleid in this case) to match the appropriate support ID number. Send this URL via requests as a GET query:

url = "/mgmt/tm/asm/events/requests?$expand=violations%2FcontentProfileReference%2Cviolations%2FpolicyEntityReference%2Cviolations%2FsignatureReference%2Cviolations%2FhttpSubviolationReference%2F*%2Cviolations%2FwssSubviolationReference%2F*%2Cviolations%2FevasionSubviolationReference%2F*%2CrequestPolicyReference&$select=*%2CrequestPolicy%2FfullPath%2CrawRequest%2F*%2CrawResponse%2F*%2CenforcementState%2F*&$top=100&ver=13.1.1&$filter=id%20eq%20'{exampleid}'&servertime=true&$orderBy=requestDatetime%20desc%2Cid%20desc".format(exampleid=exampleid)

After obtaining the data, if you want to use it in the HTML template it normally goes into, I found it necessary to set the encoding to utf-8 before base64 encoding it. Otherwise as it is just a big JSON file, you can do whatever you want with it.

I had the same issue. When you make the get request with the support id, when the support id is not correctly passed to the f5, it generates a report but a useless empty one.

In my case, because of my mistake:

muratalagoz_0-1659426517918.png

Correct one:

muratalagoz_1-1659426573948.png

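What I can suggest is that you try to check your inputs. If you need more insight, I am sharing the code:

    import time
    from datetime import datetime

    import requests

    # selected_f5, headers, vt_number and DATE_FORMAT are defined elsewhere in the script.
    # vt_number must be a plain string (not a list), otherwise the report comes back empty.
    # verify=False turns off TLS certificate validation; pass a CA bundle path where possible.
    try:
        data = {
            "restPath": "/mgmt/tm/asm/events/requests",
            "filename": f"ASM_security_event_report_{datetime.now().strftime(DATE_FORMAT)}.html",
            "filter": f"id eq '{vt_number}'"
        }
        # Start the export task and remember its id and output file name.
        request = requests.post(url=f'{selected_f5}/mgmt/tm/asm/tasks/export-to-file', headers=headers, json=data, verify=False)
        task = request.json()
        filename = task['filename']
        task_id = task['id']
        # Poll the task until it leaves the STARTED state.
        request = requests.get(url=f'{selected_f5}/mgmt/tm/asm/tasks/export-to-file/{task_id}', headers=headers, verify=False)
        while request.json()['status'] == "STARTED":
            time.sleep(1)
            request = requests.get(url=f'{selected_f5}/mgmt/tm/asm/tasks/export-to-file/{task_id}', headers=headers, verify=False)
        # Delete the finished task, also when the first poll already reported COMPLETED.
        if request.json()['status'] == 'COMPLETED':
            requests.delete(url=f'{selected_f5}/mgmt/tm/asm/tasks/export-to-file/{task_id}', headers=headers, verify=False)
        # Download the generated report and write it to disk.
        response = requests.get(url=f'{selected_f5}/mgmt/tm/asm/file-transfer/downloads/{filename}', headers=headers, verify=False)
        response.raise_for_status()
        with open('logs/%s' % filename, 'wb') as f:
            f.write(response.content)
        print(f'{filename} is saved to logs folder.')
    except requests.RequestException as err:
        print(f'Export failed: {err}')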

I didn't use the article that you shared. I intercept every request with UI and replicate the steps in python. 

I hope it helps your case.
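
The failure described in this thread is silent: a list formatted into the filter string still produces a report, only an empty one. The following is an added example, not code from the thread or from F5, that rejects a non-scalar support ID before the filter is built and checks the downloaded HTML for a usable payload. The function names, the digits-only rule for support IDs, the regex spacing and the sample reports are assumptions made for illustration.

```python
import base64
import json
import re

# Matches the data line quoted in the thread; tolerance for spacing is an assumption.
_DATA_RE = re.compile(
    r'window\.requestsData\s*=\s*conv_value_REQUESTS_DATA_PLACEHOLDER\s*\(\s*"([^"]*)"')


def build_filter(support_id):
    """Return the export filter, refusing anything that is not one numeric ID."""
    if isinstance(support_id, (list, tuple, set, dict)):
        # f"id eq '{['123']}'" would silently become "id eq '['123']'".
        raise TypeError("support_id must be a single value, not a collection")
    text = str(support_id).strip()
    if not text.isdigit():  # assumption: support IDs are decimal digits only
        raise ValueError(f"support_id must be numeric, got {text!r}")
    return f"id eq '{text}'"


def report_has_event(html, support_id):
    """True only if the embedded payload decodes to JSON that mentions support_id."""
    match = _DATA_RE.search(html)
    if not match or not match.group(1):
        return False  # placeholder line missing or its base64 argument is empty
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        json.loads(decoded)
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return False
    return str(support_id) in decoded


def _sample_report(events):
    """Build a constructed report line (not real BIG-IP output) around a JSON payload."""
    payload = base64.b64encode(json.dumps(events).encode("utf-8")).decode("ascii")
    return ('<script>window.requestsData = '
            f'conv_value_REQUESTS_DATA_PLACEHOLDER ("{payload}");</script>')


SAMPLE_ID = "1234567890123456789"                 # constructed support ID
GOOD_REPORT = _sample_report([{"id": SAMPLE_ID}])  # constructed: event present
EMPTY_REPORT = _sample_report([])                  # constructed: filter matched nothing
```

Calling `report_has_event` on the downloaded file right after the export turns the empty-report case into an explicit failure instead of an HTML file that only renders its header.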