Forum Discussion

AngryCat_52750
Feb 27, 2013

APM SSL User Login/Logout Logging

We are running our SSL VPN through the F5 APM. As part of a security audit, we need to be able to log when a user logs in and logs out, with a time stamp.

Does this already exist, or is there a way to log this information?

7 Replies

  • Do you want to know when the user logs into the APM webtop, or when they start the SSLVPN?
  • This is perhaps a little crude, but try this:

    
    when CLIENT_ACCEPTED {
        # APM normally suppresses iRule events for its own traffic (/vdesk, /myvpn ...);
        # this lets the HTTP_REQUEST code below see those requests.
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        # The VPN client fetches /myvpn?sess=<session id> when the tunnel is brought up.
        if { [HTTP::uri] starts_with "/myvpn?sess=" } {
            log local0. "SSLVPN session started for [ACCESS::session data get session.logon.last.username], from IP [IP::client_addr]"
        }
        # Request used here as the logout signal (see the caveat below about logout detection).
        if { [HTTP::uri] equals "/vdesk/timeoutagent-i.php" } {
            log local0. "SSLVPN session terminated for [ACCESS::session data get session.logon.last.username]"
        }
    }
    

    It assumes you've captured the username during authentication, which should be stored in the session.logon.last.username session variable. It logs to the LTM log, which shows the time and date natively.

    Logon should be solid, but logout will never be a guarantee if the user closes without logging out, reboots, or otherwise.

  • I shall give this a try. We have the same issue (not logging out, reboots, etc.) with our current solution. As long as we can get a time stamp for when the system kicks them out, we will be golden.

    Thanks, Kevin.
  • Kevin, not sure why you would use an iRule... the information is in the /var/log/apm file:

    
    [root@apm-device:Active:Standalone] log grep ca0767ca apm | egrep "Session deleted due|AD agent: Auth"
    Feb 26 14:58:51 apm-device info apd[5720]: 01490017:6: ca0767ca: AD agent: Auth (logon attempt:0): authenticate with 'scoope' successful
    Feb 26 15:14:06 apm-device notice tmm[8414]: 01490502:5: ca0767ca: Session deleted due to user inactivity or errors.
    [root@apm-device:Active:Standalone] log
    

    You can write a script to parse the logs and get all the information you need...

    Thanks,

    Seth Cooper
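Seth's suggestion is to correlate the two /var/log/apm lines by session ID rather than add an iRule. The following is an added example of such a script, written for this page and not something posted in the thread: it keys on the eight-hex-digit session ID that both the apd "AD agent: Auth ... successful" line and the tmm "Session deleted ..." line carry, and produces one audit line per session with login time, logout time, duration and the deletion reason. It assumes the line layout quoted above (syslog timestamps carry no year, so one is passed in), that a successful-auth line marks the login, and that other deletion reasons keep the "Session deleted" prefix; the sample lines other than the two quoted in the post are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the two /var/log/apm lines quoted in the post.
# Lines 1 and 3 are the quoted ones; the rest are made up so the parser has an
# open session, a session without a successful logon, and an unrelated message.
SAMPLE_LOG = """\
Feb 26 14:58:51 apm-device info apd[5720]: 01490017:6: ca0767ca: AD agent: Auth (logon attempt:0): authenticate with 'scoope' successful
Feb 26 15:01:12 apm-device info apd[5720]: 01490017:6: 1a2b3c4d: AD agent: Auth (logon attempt:0): authenticate with 'jdoe' successful
Feb 26 15:14:06 apm-device notice tmm[8414]: 01490502:5: ca0767ca: Session deleted due to user inactivity or errors.
Feb 26 15:20:30 apm-device notice tmm[8414]: 01490502:5: 9f9f9f9f: Session deleted due to user inactivity or errors.
Feb 26 15:21:00 apm-device info apd[5720]: 01490000:7: 1a2b3c4d: some other apd message we do not care about
"""

# "<Mon dd HH:MM:SS> <host> <severity> <proc>[pid]: <msgid>:<level>: <session id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \w+ \w+\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d+: (?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(r"authenticate with '(?P<user>[^']+)' successful")
# Assumption: every deletion reason shares the "Session deleted" prefix seen in the post.
DELETED_RE = re.compile(r"^Session deleted\b(?P<reason>.*)$")


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    login: Optional[datetime] = None
    logout: Optional[datetime] = None
    reason: Optional[str] = None

    @property
    def duration_s(self) -> Optional[int]:
        """Seconds between successful logon and session deletion, if both were seen."""
        if self.login and self.logout:
            return int((self.logout - self.login).total_seconds())
        return None


def parse_apm_sessions(text: str, year: int = 2013) -> Dict[str, Session]:
    """Correlate logon and deletion lines by APM session ID (insertion order preserved)."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the layout we understand
        # syslog timestamps have no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        auth = AUTH_OK_RE.search(m["msg"])
        deleted = DELETED_RE.match(m["msg"])
        if not (auth or deleted):
            continue  # unrelated apd/tmm chatter: do not create an empty record
        rec = sessions.setdefault(m["sid"], Session(m["sid"]))
        if auth:
            rec.user = auth["user"]
            rec.login = ts
        elif deleted:
            rec.logout = ts
            rec.reason = deleted["reason"].strip(" .") or "unspecified"
    return sessions


def audit_report(sessions: Dict[str, Session]) -> List[str]:
    """One audit line per session; open sessions and logon-less sessions are called out."""
    out = []
    for s in sessions.values():
        user = s.user or "(no successful logon seen)"
        login = s.login.isoformat(sep=" ") if s.login else "-"
        logout = s.logout.isoformat(sep=" ") if s.logout else "still open / not yet deleted"
        dur = f"{s.duration_s}s" if s.duration_s is not None else "n/a"
        out.append(f"{s.sid} user={user} login={login} logout={logout} duration={dur} reason={s.reason or '-'}")
    return out


if __name__ == "__main__":
    for line in audit_report(parse_apm_sessions(SAMPLE_LOG)):
        print(line)
```

On a device you would feed it the contents of /var/log/apm instead of SAMPLE_LOG; the session ID is the only join key, so a session that was deleted without ever passing the AD agent shows up with no user, and one whose deletion line has not been written yet is reported as still open, which is exactly the "kicked out" timestamp the original question asks for once it arrives.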
  • What I ended up doing was the following:

    
    when ACCESS_SESSION_STARTED {
        # Fires when APM creates the session, before the access policy runs.
        # session.logon.last.username is set by the logon agent inside the policy,
        # so it may still be empty at this point; ACCESS_POLICY_COMPLETED is the
        # first event at which it is guaranteed to be populated.
        set userid [ACCESS::session data get "session.logon.last.username"]
        set userip [ACCESS::session data get "session.user.clientip"]
        log local0. "$userid logged in from $userip"
    }
    when ACCESS_SESSION_CLOSED {
        # Fires on explicit logout and when APM deletes the session (inactivity
        # timeout, maximum session time, errors), so it also covers the case where
        # the system kicks the user out. Session variables are still readable here.
        set userid [ACCESS::session data get "session.logon.last.username"]
        set userip [ACCESS::session data get "session.user.clientip"]
        log local0. "$userid logged out from $userip"
    }