cancel
Showing results for 
Search instead for 
Did you mean: 

Irule for logging user connections for the APM portal

I have been asked by my security department to basically log information about all users that log in or try to log into one of our portals being hosted on the F5 APM. I basically need the following information if possible in two scenarios.

 

If they authenticate successfully:

 

  • Client source IP address
  • time stamp of the connection
  • which Virtual server they are connecting too
  • username they logged in with
  • what kind of browser or device etc...
  • a message saying they succeeded

If they don't authenticate successfully:

 

  • Client source IP address
  • time stamp of the connection
  • which Virtual server they are trying to connect too
  • username they tried to log in with
  • what kind of browser or device etc...
  • a message saying they failed

Not sure where i would put this irule. An example i have stolen so far from others:

 

when SERVER_CONNECTED { log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port]and tried to connect to [IP::server_addr]:[TCP::server_port]" }

But if the authentication fails, then i am not sure if this would work and i know it doesn't have all teh info i need!

 

3 REPLIES 3

Josiah_39459
Historic F5 Account

Have you considered the Logging action in the VPE? It might be easier than an irule:

 

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-11-5-2/...

 

Stanislas_Piro2
Cumulonimbus
Cumulonimbus

Hi,

 

you can use the following irule to add username in request logging profile:

 

when CLIENT_ACCEPTED { set APMusername "-" } when ACCESS_ACL_ALLOWED { if {![info exists APMusername] || $APMusername equals "-"} { set APMusername [ACCESS::session data get session.logon.last.username] } } when HTTP_RESPONSE { if [info exists APMusername] { HTTP::header insert "USER" APMusername } } when HTTP_RESPONSE_RELEASE { HTTP::header remove "USER" }

This irule must be enabled associated with Request_logging profile.

 

The Request logging profile may be configure with following Response Profile:

 

$CLIENT_IP - ${USER} $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE $Referer 0 $Cookie

The-messenger
Cirrus
Cirrus

I have the same challenge from our security team and monitoring team. Have to say this always surprises me, other "security" devices seem to do much better at logging. Problem with Big-IP is that you have to correlate it all together. Yes an Unix admin can do this but then something changes and you have to start all over - and you don't know that it's all missing. Correlating events are in different logs, field names are different, it is not simple to put together.

 

I simply don't have the time for this, so I plan on an engagement with PS to get my logging all down so it APM can operate as a security device, and then add ASM logs as well.