Forum Discussion

GeoffG
Nov 14, 2019

High Speed Logging in Access policy for Okta SAML

Hi All,

I am looking at logging specific HTTP headers to a remote syslog server via High Speed Logging.

I only want to log the headers on the initial ACL pass and HTTP request, however, to try to limit the number of syslog messages for each session. At the moment it sends syslog messages every time the URL is used in the browser, but I really only want to log the HTTP headers once....

I have the following iRule:

when RULE_INIT {
    set static::debug 0
}

when ACCESS_ACL_ALLOWED {
    set oktaUser [ACCESS::session data get "session.saml.last.identity"]
    if { $static::debug } { log local0. "id is $oktaUser" }
    if { !([HTTP::header exists "OKTA_USER"]) } {
        HTTP::header insert "OKTA_USER" $oktaUser
    }

    set oktaFirstName [ACCESS::session data get "session.saml.last.attr.name.FirstName"]
    if { $static::debug } { log local0. "id is $oktaFirstName" }
    if { !([HTTP::header exists "OKTA_FIRSTNAME"]) } {
        HTTP::header insert "OKTA_FIRSTNAME" $oktaFirstName
    }

    set oktaLastName [ACCESS::session data get "session.saml.last.attr.name.LastName"]
    if { $static::debug } { log local0. "id is $oktaLastName" }
    if { !([HTTP::header exists "OKTA_LASTNAME"]) } {
        HTTP::header insert "OKTA_LASTNAME" $oktaLastName
    }

    set oktaCity [ACCESS::session data get "session.saml.last.attr.name.City"]
    if { $static::debug } { log local0. "id is $oktaCity" }
    if { !([HTTP::header exists "OKTA_CITY"]) } {
        HTTP::header insert "OKTA_CITY" $oktaCity
    }

    # Send every request header to the HSL publisher. ACCESS_ACL_ALLOWED fires for
    # each request that passes the policy ACL, which is why a message goes out per request.
    set hsl [HSL::open -publisher /Common/hslsyslog]
    set logEntry ""
    foreach x [HTTP::header names] {
        # Separate the name:value pairs so the syslog line stays parseable
        append logEntry "$x:[HTTP::header value $x] "
    }
    HSL::send $hsl [string trimright $logEntry]
}


Any ideas on how I can limit the HSL messages to reduce chatter?

Cheers

GeoffG


4 Replies

  • Anyone know how to log the headers only on the first HTTP request from the client?

  • Haven't tried, but something like below: set a variable to 1 at connection start. While that connection is open, the variable will be set to 0 after the first request, for its subsequent requests.

    But the problem is, for a session there will be many sub TCP connections; if that's the case, this will not give you the exact method you're looking for.

    ltm rule HTTP-FIRST-REQUEST {
        when CLIENT_ACCEPTED {
            # Per-connection ID: a slice of a freshly generated AES key serves as a random tag
            set unique_conn [string range [AES::key 256] 15 23]
            # Flag that is cleared after the first HTTP request on this TCP connection
            set first_http 1
            log local0. "Conn-ID=$unique_conn Client=[IP::client_addr] connection accepted. First HTTP value=$first_http"
        }

        when HTTP_REQUEST {
            if { $first_http } {
                # Read Content-Length from the request header (a bare $content_length
                # would be an unset variable and abort the rule with a Tcl error)
                set reqheader "Method=[HTTP::method] Host=[HTTP::host] URI=[HTTP::uri] Content-Length=[HTTP::header value Content-Length]"
                log local0. "Client=[IP::client_addr] - Headers: $reqheader - First HTTP value=$first_http"
            }
            set first_http 0
        }

        when CLIENT_CLOSED {
            log local0. "Conn-ID=$unique_conn Client=[IP::client_addr] connection closed. First HTTP value=$first_http"
        }
    }
  • Hi and thanks mate

    I have worked it out with a combination of what you provided and my own stuff.

    Likely this isn't the best way to do it, but it works at least. 😉

    Thanks for your help though.... Much appreciated.

    when RULE_INIT {
        set static::debug 0
    }

    when ACCESS_ACL_ALLOWED {
        set oktaUser [ACCESS::session data get "session.saml.last.identity"]
        if { $static::debug } { log local0. "id is $oktaUser" }
        if { !([HTTP::header exists "OKTA_USER"]) } {
            HTTP::header insert "OKTA_USER" $oktaUser
        }

        set oktaFirstName [ACCESS::session data get "session.saml.last.attr.name.FirstName"]
        if { $static::debug } { log local0. "id is $oktaFirstName" }
        if { !([HTTP::header exists "OKTA_FIRSTNAME"]) } {
            HTTP::header insert "OKTA_FIRSTNAME" $oktaFirstName
        }

        set oktaLastName [ACCESS::session data get "session.saml.last.attr.name.LastName"]
        if { $static::debug } { log local0. "id is $oktaLastName" }
        if { !([HTTP::header exists "OKTA_LASTNAME"]) } {
            HTTP::header insert "OKTA_LASTNAME" $oktaLastName
        }

        set oktaEmail [ACCESS::session data get "session.saml.last.attr.name.Email"]
        if { $static::debug } { log local0. "id is $oktaEmail" }
        if { !([HTTP::header exists "OKTA_EMAIL"]) } {
            HTTP::header insert "OKTA_EMAIL" $oktaEmail
        }

        # "First request" is tracked in the APM session's own data (session.custom.*).
        # A static:: flag is shared by every session on the box, so it would log only the
        # very first request after the rule loads, and writing a static:: variable outside
        # RULE_INIT demotes the virtual server from CMP.
        if { [ACCESS::session data get "session.custom.hsl_logged"] ne "1" } {
            set hsl [HSL::open -publisher /Common/hslsyslog]
            HSL::send $hsl "Client=[IP::client_addr] connection accepted."
            HSL::send $hsl "OKTA_USER Value=[HTTP::header value OKTA_USER]"
            # OKTA_USERNAME is never inserted above, so this logs an empty value unless the client sent it
            HSL::send $hsl "OKTA_USERNAME Value=[HTTP::header value OKTA_USERNAME]"
            HSL::send $hsl "OKTA_FIRSTNAME Value=[HTTP::header value OKTA_FIRSTNAME]"
            HSL::send $hsl "OKTA_LASTNAME Value=[HTTP::header value OKTA_LASTNAME]"
            HSL::send $hsl "OKTA_EMAIL Value=[HTTP::header value OKTA_EMAIL]"
            ACCESS::session data set "session.custom.hsl_logged" 1
        }
    }
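
The question in the original post and the solution in the last reply both turn on where the "already logged" marker lives: a local variable is per TCP connection (one browser session opens many), and a static:: variable is shared by every session on the box. The iRule below is an added example, not code from the original post or any reply, that keeps the marker in the APM session itself (session.custom.*), inserts the SAML attributes as headers on every request, and sends one HSL record per session. It generalises the thread's copy-pasted blocks into a map walked by foreach. The publisher /Common/hslsyslog comes from the thread; the rule name, the header names, the session.custom.hsl_logged flag and the log line format are this example's own assumptions.

```tcl
# Added example (not the poster's rule): SAML attributes -> headers on every request,
# HSL record once per APM session. Names other than /Common/hslsyslog are assumed.
ltm rule okta_saml_hsl_once_per_session {
    when RULE_INIT {
        set static::debug 0
        # Pairs of APM session variable -> request header to insert (walked by foreach)
        set static::okta_hdr_map {
            session.saml.last.identity             OKTA_USER
            session.saml.last.attr.name.FirstName  OKTA_FIRSTNAME
            session.saml.last.attr.name.LastName   OKTA_LASTNAME
            session.saml.last.attr.name.City       OKTA_CITY
            session.saml.last.attr.name.Email      OKTA_EMAIL
        }
    }

    when ACCESS_ACL_ALLOWED {
        # Runs for every request that passes the policy ACL, so the header work is kept
        # cheap and the one-time logging is gated on session state, not on a static.
        set fields [list]
        foreach { var hdr } $static::okta_hdr_map {
            set val [ACCESS::session data get $var]
            # SAML attribute values are IdP-controlled input: drop CR/LF before they go
            # into a request header (header injection) or a syslog line (log forging).
            set val [string map [list "\r" "" "\n" ""] $val]
            if { !([HTTP::header exists $hdr]) } {
                HTTP::header insert $hdr $val
            }
            lappend fields "$hdr=\"$val\""
        }
        if { $static::debug } { log local0. "[ACCESS::session sid] [join $fields { }]" }

        # Per-session gate: session.custom.* is writable from iRules and dies with the
        # APM session, so each user login produces exactly one HSL record.
        if { [ACCESS::session data get "session.custom.hsl_logged"] eq "1" } {
            return
        }
        ACCESS::session data set "session.custom.hsl_logged" 1

        # <134> = facility local0, severity info, for a raw high-speed log destination;
        # a formatted remote-syslog destination adds its own header and this prefix can go.
        set hsl [HSL::open -publisher /Common/hslsyslog]
        HSL::send $hsl "<134>[clock format [clock seconds] -format {%b %e %H:%M:%S}] okta-saml: sid=[ACCESS::session sid] client=[IP::client_addr] host=[HTTP::host] [join $fields { }]"
    }
}
```

Because ACCESS_ACL_ALLOWED only fires after the access policy has completed, the first request that reaches this event already has the SAML attributes populated, which is the point at which the record is emitted; every later request on any connection of that session sees the flag set and only gets its headers inserted. If you would rather re-log after a re-authentication, reset session.custom.hsl_logged in the policy or in an ACCESS_POLICY_COMPLETED event.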