Logging APM Username and XFF Address

Question

I'm trying to create a single log entry that is triggered by an ACCESS_POLICY_AGENT_EVENT containing a user's username (after successful logon) and their X-Forwarded-For address.  This log needs to be triggered immediately after successful authentication.  Here is my iRule:
when ACCESS_POLICY_AGENT_EVENT {
    log local0. "SESSION_STARTED, User=[ACCESS::session data get session.logon.last.username], IP=[HTTP::header X-Forwarded-For]"
}

However, I'm getting this as my log entry:
Rule /Common/UserID_Logger : SESSION_STARTED, User=testuser, IP=
It seems that the http headers are not accessible from within the APM event.  Any suggestions?

stanislas_piro2 · Answer

Use this code&nbsp;when ACCESS_SESSION_STARTED {
    ACCESS::session data set session.custom [HTTP::header X-Forwarded-For]
}
when ACCESS_POLICY_COMPLETED {
    log local0. "SESSION_STARTED, User=[ACCESS::session data get session.logon.last.username], IP=[ACCESS::session data get session.custom.xff]"
}

Forum Discussion

Logging APM Username and XFF Address

1 Reply

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

SNAT IP address logging

Decoding the IPv4 address from the persistence cookie

ASM logs

CSV to Address External Datagroup File

Persist connection based on NTLM username