audit
7 Topics

automatic learning logs/report ?
Hello, My client has no other solution but to implement automatic learning for a new website where the owners won't help the team in understanding the application. On the other side, the security team wants to have information on what was changed and when by the automatic learning policy. I've come across the article https://my.f5.com/manage/s/article/K58082590 that uses the API to retrieve the list of learning suggestions for a given policy, but I'm not sure it will give me the information I need for an automatic policy. Since suggestions that reach 100% are learned, I imagine the suggestion disappears as soon as the 100% score is reached and the API will return nothing if the suggestion has already been learned. Is there a better way to get this report? I'm ok with SIEM, syslog, API, or maybe an iCall? To start with, I couldn't find the info in the audit logs or in the ASM logs. Some pieces of info are found in the WebUI: Security > Application Security > Audit > Logs. But how do I export this?

iRule Clean up: How to audit unused conditions?
I am trying to set up a system to audit iRule conditions. After years of building on an iRule, eventually some of the conditions fall out of use and developers are not always great about telling me what has been deprecated. I'd like to figure out a way to audit the routing conditions in an iRule to ensure they are still being used. The most simple way to do it would be to simply log all URI paths being called and then go through and figure out what they match on in the iRule. The problem with this approach is it is time consuming. Also, it will result in a lot of URLs being logged due to unique portions of each URL. I was thinking of doing something with ISTATS to log the URL name being called, like this:

    switch -glob [HTTP::uri] {
        "/condition1/*" {
            ISTATS::incr "url /condition1/" 1
            pool POOL1
            return
        }
        "/condition2/*" {
            ISTATS::incr "url /condition2/" 1
            pool POOL2
            return
        }
    }

That works fine if every condition is in its own block; however, I have blocks like this:

    switch -glob [HTTP::uri] {
        "/condition1/*" -
        "/condition2/*" -
        "/condition3/*" {
            pool POOL_MULTI
            return
        }
    }

In that scenario, I cannot use ISTATS::incr [key] [value] because it wouldn't tell me which of the conditions was used. I could only log that that block was used. In a perfect world I would love to be able to access the actual condition the F5 used to make its routing decision. I don't think there is a way to access that. Also, if I were to just simply log the HTTP::uri value, I would end up with lots of entries. Also, sometimes I have a more specific condition and a less specific condition like this:

    switch -glob [HTTP::uri] {
        "/condition1/*/some_string" -
        "/condition2/*/some_other_string" {
            # do some stuff
        }
        "/condition1/*" {
            # do some stuff
        }
    }

Having to go back and manually figure out which condition the traffic hit is a bit of a pain. I'd love to be able to simply increment a counter when a condition was used for routing.
Any ideas around this are appreciated.

pool_member_new_session_enable, and pool_member_monitor_state, etc. values?
I'm pushing all of my logs into Splunk and want to create a dashboard to show all recent changes made to an LTM. What I cannot find anywhere (unless my google-fu has completely failed me) is a listing of all possible values and their meanings for the 'pool_member_update_status', 'pool_member_new_session_enable', 'pool_member_monitor_state', and other, similar fields that appear in the AUDIT log. The only thing that I have found that references these values is here: https://support.f5.com/csp/article/K30252226 and that is very far from a comprehensive listing. There's also an iRule that posts things to Twitter, but that's not helpful in this context, either. I suppose I could just create a test VS/pool/node and try all combinations of things an operator could do to them, but I have to believe that F5 has these listed somewhere.

Logging/Audit Binary Execution?
Hey Everyone, We're looking to enable logging of binary execution or CLI history, much like we can do in Linux using auditd. I've read about support engineers using auditd for troubleshooting purposes and while we can certainly enable auditd rules to capture binary executions in the auditd logs, I haven't seen anything mention using this on a consistent basis. I'm sure some folks are asking, "Why?" but in our testing we found that it is possible for an attacker to copy nmap to the device and from there start scanning the network. We'd also like to log if/when someone launches, say, tcpdump for instance. I've been playing with this a bit and I can't seem to find anything anywhere that is logging which binaries are being run from the CLI, except when we enable specific auditd rules that capture this. This brings up the question of log storage on the device since I've seen a number of posts regarding volumes running out of space due to audit logs growing uncontrolled. Any advice/discussion/help is certainly appreciated!

F5 ASM - Logging Traffic Learning
Hey team, BIG-IP 12.1.3.5 Build 0.0.10 Point Release 5. Curious if ASM security policy Traffic Learning suggestions have logging, as in what user may have accepted what suggestion, deleted another, etc. Also, if it has logging around security policy changes. I believe this does occur, but I'm interested in whether these (and the above logs, if they exist) can be syslog'd out. If that is the case, I may need a quick run-down of where to turn on/expect this type of audit logging configuration. Much appreciated!

F5 APM retrieve information for a specific username from archived audit tracks
Hi, I'm currently facing a nice challenge. One wants to know whether a specific user has logged on to our remote portal within a month or even longer ago. Our remote portal is accessed through an F5 APM appliance. Two weeks ago we upgraded our appliances, so the last audit log is from two weeks ago. I can tell, when I choose in the menu "Access Policy", "Reports" and I fill in 60 days or more, the last line shows a date which is two weeks ago. I'd like the report data from a month ago (and older). Before the upgrade a UCS file was made. So what I did is extract the UCS file, searched with Windows Grep, typed the username as the string, in all directories and files, and of course, nothing with that username is found. Several questions have popped up right now: Is the audit track of a user logon onto a remote portal actually kept within /var/log/audit?* The UCS file of the previous APM state doesn't show a /var/log dir. Where are the logs stored? How am I able to fetch the data I need without returning to a previous state? I haven't got a spare appliance to restore the UCS to. Best, Erik