Stream matched rewrite irule statistics
We have a rewrite irule that uses stream match to rewrite hostnames etc. For decomissioning purposes we woud like to generate a report showing which requests (urls) are using the irule and the results of rewrite. The report should have columns like matched, replacewith, fromURI, count when ACCESS_ACL_ALLOWED { #STREAM::disable #HTTP::header remove "Accept-Encoding" #log local0. "[IP::client_addr] is accessing and we are removing Accept-Encoding" } when CLIENT_ACCEPTED { ACCESS::restrict_irule_events enable } when HTTP_REQUEST { STREAM::disable HTTP::header remove "Accept-Encoding" set http_uri "https://[HTTP::host][HTTP::uri]" } when HTTP_RESPONSE { # Check if response type is text if {([HTTP::header value Content-Type] contains "text") || ([HTTP::header value Content-Type] contains "json")}{ STREAM::expression {@https?:\/\/([^\/\"]*\.)*city\.council\.com@replace_me@} # Enable the stream filter for this response only STREAM::enable } } when STREAM_MATCHED { #log local0. "Debug1: STREAM_MATCHED" set CHECK [class match -value [string tolower [STREAM::match]] starts_with URI_department.city.council.com_no_rewrite] if { $CHECK == "1" } { #log local0. "found exception for [STREAM::match]" STREAM::replace [STREAM::match] } else { set RE {https:\/\/([^\/\"]*\.)*city\.council\.com} set STRING "[string map {http:// https://} [STREAM::match]]" set SUBST "https://\\1department.city.council.com if {! ($STRING contains "intranett") } { # we need to insert intranett set STRING "[regsub -all $RE $STRING $SUBST ]" } #log local3. "[IP::client_addr]:[TCP::local_port]: matched: '[STREAM::match]', replaced with: '$STRING', from URI: $http_uri" STREAM::replace $STRING #if { ! ($STRING == [STREAM::match]) } { # } } }
ASM Reporting in BIG IQ
Case Scenario: Single BIG IP device managed by Single BIG IQ device at a client. BIG IP was used to send daily scheduled reports including top attacks in the day, most affected virtual servers, top triggered security policies, bot traffic for the day, dos traffic for the day, top attacks by geo-location and such. Client wanted a BIG IQ, we provided and all the data is being sent to the BIG IQ. Problem Scenario: All the configurations have been properly set up and we can view all the data from BIG IQ. We also set up a scheduling report and now, unlike BIG IP, there is no way we can create such reports and schedule them. Either that or we havent found the proper ways to do so. The only report that can be sent is a very generic overview with how much traffic the whole system has been getting and nothing much. If we go back to BIG IP and send the report from there, the BIG IQ doesnot display its graphs in the monitoring tab, and removing the whole centralized monitoring part. (We get that the need of BIG IQ is not apparent in the scenario, but such is the case) Required Scenario: The BIG IQ will be used to centrally monitor the lonesome BIG IP and BIG IQ has to be able to send the scheduled report as BIG IP used to. Is there a way to do so? or is it a lost cause? If it helps, we have configured all the security policies, logging profiles and such from BIG IP and simply imported them to BIG IQ.
Scheduled Report - Top Attacks By Security Policy
Hello, I am looking to generate a scheduled report to display the top attacks by each security policy I have (4) and I am using v12.1.2. I navigate to "Security ›› Reporting : Scheduled Reports" and enter the required fields such as name, SMTP info, frequency, etc. But the question is obviously in the exact configuration of the report. If I use... Dynamic Report Time Period: Last Week Show Results: Top 20 Top Report Criteria: Security Policy Select Measure: Requests .. then I get a report with a chart that shows the amount of requests each of those policies has received. Cool. But that is not exactly what I want. So I hit the plus button to "Use top result from security policy to report" > "Attack Type" Is there any way that I can "Use ALL results from security policy to report > Attack Type" ?? Any other info on how I could get something like this working to see attack types / violation for the last week from all my policies is appreciated. It is hard to share this info with others when I can only see traffic from my largest virtual server in these reports.
reporting possibilites
We are currently running v12.1.1 in a HA pair. What are looking into, is a way to export/stream network information to an external source(not yet defined), for a more detailed reporting. Currently, i have only found the option to set up automatic mailing of asm reports. but are there any ways to do this with network traffic(connection, requests, top 10 busiest vs etc)? I have looked at splunk, but they only do asm as far as i know, and this is already covered. we have solarwinds, but i think this only covers monitoring, and not reporting. any input would be appreciated.
Powershell: LTM Config to XML (or CSV even!)
I am brand new to iControl, but not new to Powershell, which is why I've chosen it as my iControl language (using powershell snapin). Essentially what I want/need to do is create a report of all Virtual servers, associated profiles, pools, and irules. I found something very compelling: (https://devcentral.f5.com/wiki/iControl.PerlLtmConfigToXml.ashx) but this is (sadly for me) written in Perl. Has anyone had a need for this kind of report, or any pointers for using powershell for this? Your help is much appreciated.