I had to noodle on this one for a bit, but here's an idea:
When a portal access resource is requested, at least three things should be available:
- The HTTP URI - something that starts with "/f5-w-"
- Hopefully the username that was used to authenticate the user
- And the session ID
So at the VERY least, you could do something like this:
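    when HTTP_REQUEST {
        # Portal access rewrites backend links into URIs beginning with /f5-w-
        if { [HTTP::uri] starts_with "/f5-w-" } {
            catch {
                # Skip the 6-character prefix, take the hex string up to "$$", and decode it
                set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]
                # The decoded value comes from the client-supplied URI
                log local0. "[ACCESS::session data get session.logon.last.username] has accessed $resource"
            }
        }
    }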
This will first decode the mangled URI and then send it and the username to syslog. Example:
    chuck has accessed http://10.70.0.1
You'll need another mechanism to translate that resource back into the actual portal resource name. This will also of course log each request to that resource. Here's something a little fancier:
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/f5-w-" } {
            catch {
                # Decode the hex-encoded backend resource from the rewritten URI
                set resource [binary format H* [findstr [HTTP::uri] "/f5-w-" 6 "\$\$"]]
                # Log only when this session/user/resource combination is not already in the table
                if { [table lookup -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource"] eq "" } {
                    # Store the access time as the value; the entry times out after 3600 seconds
                    table set -subtable PORTALACCESS "[ACCESS::session sid]:[ACCESS::session data get session.logon.last.username]:$resource" [clock format [clock seconds] -format %Y%m%d-%H%M%S] 3600
                    log local0. "[ACCESS::session data get session.logon.last.username] has accessed $resource"
                }
            }
        }
    }
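
An offline version of the same decode and de-duplication, for working from exported request records rather than on the BIG-IP (added example, not part of the original post; the record tuple layout, function names and sample data are assumptions constructed for illustration). It is stricter than the iRule about the hex part and escapes non-printable bytes, since the decoded value comes from the client-supplied URI.

```python
import re

PREFIX, TERMINATOR = "/f5-w-", "$$"
DEDUP_WINDOW = 3600  # seconds; matches the timeout on the iRule's table entries

def decode_portal_uri(uri):
    """Return the backend resource hex-encoded in a rewritten URI, or None."""
    if not uri.startswith(PREFIX):
        return None
    hex_part, sep, _ = uri[len(PREFIX):].partition(TERMINATOR)
    # Stricter than the iRule: require the terminator and whole hex byte pairs.
    if not sep or not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_part):
        return None
    text = bytes.fromhex(hex_part).decode("latin-1")
    # Escape non-printable bytes so a crafted URI cannot forge extra log lines.
    return re.sub(r"[^\x20-\x7e]", lambda m: "\\x%02x" % ord(m.group()), text)

def first_accesses(records):
    """Yield (ts, user, resource) once per session/user/resource.

    records: time-ordered (epoch_seconds, session_id, username, uri) tuples,
    a layout assumed for this example.
    """
    last_seen = {}
    for ts, sid, user, uri in records:
        resource = decode_portal_uri(uri)
        if resource is None:
            continue
        key = (sid, user, resource)
        previous = last_seen.get(key)
        # Assumption: like a table entry touched on lookup, every hit restarts
        # the idle timer, so steady traffic is logged only once.
        last_seen[key] = ts
        if previous is None or ts - previous >= DEDUP_WINDOW:
            yield ts, user, resource

# Constructed sample data: page loads and sub-requests for one portal resource.
_ENC = "http://10.70.0.1".encode().hex()
SAMPLE = [
    (1000, "sidA", "chuck", PREFIX + _ENC + "$$/index.html"),
    (1010, "sidA", "chuck", PREFIX + _ENC + "$$/logo.png"),   # suppressed
    (1020, "sidA", "chuck", "/f5-w-zz$$/"),                   # not valid hex
    (5000, "sidA", "chuck", PREFIX + _ENC + "$$/index.html"), # idle > 1 hour
]

if __name__ == "__main__":
    for ts, user, resource in first_accesses(SAMPLE):
        print(f"{ts} {user} has accessed {resource}")
```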