iRule to log a specific field in POST data

rmd1023 · ‎09-Oct-2013

I'd like to have an irule log the authentication attempts for a web application I have that takes POST data. How do I pull a specific POST parameter out of the http content?

Suppose I have a login page, http://example.com/loginform.html" that will have POST data for "username" and "password". So, right now, I can detect the presence of the 'username' parameter in my submitted form by looking for HTTP::method as "POST" to HTTP::uri "login-form.html" and checking that [HTTP::payload] contains "username". But I'd like to be able to generate a syslog saying "User $username attempted login from [IP::client_addr]:[TCP::client_port]"

How do I best extract that "username" value from the payload data for logging without altering the actual transaction at all?

Thanks!

Kevin_Stewart · ‎09-Oct-2013

Please try this:

when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } {
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_REQUEST_DATA {
    set username "unknown"
    foreach x [split [string tolower [HTTP::payload]] "&"] {
        if { $x starts_with "username=" } {
            set username [lindex [split $x "="] 1]
        }
    }
    log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]"
}

nitass · ‎22-Dec-2014

if i want to store temporarily two parameters, how i can store them ?

you can just store them in local variables. they will be available until connection is closed.

The101: iRules 101 - Variables by Colin Walker

https://devcentral.f5.com/articles/-the101-irules-101-variables

DevCentral

iRule to log a specific field in POST data

MFA required on DevCentral