Forum Discussion

Apr 28, 2016

Irule for logging user connections for the APM portal

I have been asked by my security department to basically log information about all users that log in or try to log into one of our portals being hosted on the F5 APM. I basically need the following information if possible in two scenarios.

If they authenticate successfully:

  • Client source IP address
  • time stamp of the connection
  • which Virtual server they are connecting to
  • username they logged in with
  • what kind of browser or device etc...
  • a message saying they succeeded

If they don't authenticate successfully:

  • Client source IP address
  • time stamp of the connection
  • which Virtual server they are trying to connect to
  • username they tried to log in with
  • what kind of browser or device etc...
  • a message saying they failed

Not sure where I would put this iRule. An example I have stolen so far from others:

    when SERVER_CONNECTED {
        log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port] and tried to connect to [IP::server_addr]:[TCP::server_port]"
    }

But if the authentication fails, then I am not sure if this would work, and I know it doesn't have all the info I need!

3 Replies

  • Hi,

    you can use the following iRule to add the username to the request logging profile:

    when CLIENT_ACCEPTED {
        # Placeholder until the access policy has a username for this connection
        set APMusername "-"
    }
    
    when ACCESS_ACL_ALLOWED {
        # Pick up the username once the session has passed the access policy
        if {![info exists APMusername] || $APMusername equals "-"} {
            set APMusername [ACCESS::session data get session.logon.last.username]
        }
    }
    
    when HTTP_RESPONSE {
        # Expose the username as a response header so the logging profile can read it
        if { [info exists APMusername] } {
            HTTP::header insert "USER" $APMusername
        }
    }
    
    when HTTP_RESPONSE_RELEASE {
        # Strip the header again so it never reaches the client
        HTTP::header remove "USER"
    }
    

    This iRule must be enabled together with a Request Logging profile.

    The Request Logging profile may be configured with the following Response Profile:

    $CLIENT_IP - ${USER} $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE $Referer 0 $Cookie
    
  • I have the same challenge from our security team and monitoring team. Have to say this always surprises me; other "security" devices seem to do much better at logging. The problem with Big-IP is that you have to correlate it all together. Yes, a Unix admin can do this, but then something changes and you have to start all over, and you don't know that it's all missing. Correlated events are in different logs, field names are different, and it is not simple to put together.


    I simply don't have the time for this, so I plan on an engagement with PS to get my logging all down so that APM can operate as a security device, and then add ASM logs as well.
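The first reply covers the success case through a request logging profile; the question also asks for failed logons. As an added example (not from the original post or either reply), one iRule that writes a single line per logon attempt for both outcomes, assuming a High-Speed Logging pool named `syslog_pool` exists and that the access policy reaches an Allow or Deny ending after each attempt:

```tcl
# Added example, not from the original post or replies. Assumes an HSL pool
# called "syslog_pool" (rename to yours) and a policy that ends after each
# logon attempt instead of looping back to the logon page.
when CLIENT_ACCEPTED {
    # The User-Agent is only readable in HTTP events; stash it for later.
    set ua "-"
}

when HTTP_REQUEST {
    if { [HTTP::header exists "User-Agent"] } {
        set ua [HTTP::header value "User-Agent"]
    }
}

when ACCESS_POLICY_COMPLETED {
    # Fires when the policy reaches an ending: "allow" is a successful
    # logon, anything else (deny, redirect, ...) is treated as a failure.
    set user [ACCESS::session data get session.logon.last.username]
    if { $user eq "" } { set user "-" }
    if { ![info exists ua] } { set ua "-" }
    set result [ACCESS::policy result]
    if { $result eq "allow" } {
        set outcome "LOGON_SUCCESS"
    } else {
        set outcome "LOGON_FAILED policy_result=$result"
    }
    set ts [clock format [clock seconds] -format "%Y-%m-%dT%H:%M:%S%z"]
    # Username and User-Agent are client-controlled: neutralise CR/LF and
    # double quotes so a crafted value cannot forge extra log lines.
    set clean [list "\r" " " "\n" " " "\"" "'"]
    set user [string map $clean $user]
    set ua   [string map $clean $ua]
    set line "apm_logon time=$ts client=[IP::client_addr] vs=[virtual name] user=\"$user\" ua=\"$ua\" $outcome"
    # Local log for quick checks, HSL for the security team's collector.
    log local0. $line
    set hsl [HSL::open -proto UDP -pool syslog_pool]
    HSL::send $hsl "<134>$line\n"
}
```

If the policy allows several logon attempts before reaching Deny, only the final ending produces a line from this event, so a per-attempt failure count has to come from the logon agent's own messages.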