Forum Discussion

Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Oct 30, 2013

Request Logging Other (APM) Information

Does anyone know if there's a (undocumented presumably since I haven't managed to find one yet) way to get the request logging profile to add in information from modules such as APM?

 

It would be nice to add APM authenticated usernames (And other info) to the request-logging response logs... But the list of information that can be logged is a bit short on info from other modules and I haven't found a way yet (or possibly I've just missed something if indeed it is possible).

 

Anyone managed to get anything like this to work? I was hoping 11.4.1 would extend the range of information available, but nothing obvious pops out at me...

 

H

 

APM
security

3 Replies

Sort By
  • Thomas_Gobet's avatar
    Thomas_Gobet
    Icon for Nimbostratus rankNimbostratus
    Oct 30, 2013

    I think there isn't any way to get your request logging profile into your APM module.

     

    But what you can do is add a logging box into your Visual Policy Editor and in the log message you can write what you want (e.g %{session.logon.last.username} which will log the username of the session).

     

    When the log is done, you can make a log filter and forward it to your log publisher.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 30, 2013

    The request logging profile is a little odd with an APM profile, as it generally triggers on every request, even the ones that should be hidden inside the APM access session evaluation. That said, you could technically create a set of HTTP headers that the request logging profile can consume, and then delete them just before sending the traffic off to the server.

    when ACCESS_ACL_ALLOWED {
    HTTP::header insert "USER" [ACCESS::session data get session.logon.last.username]
}
when HTTP_REQUEST_RELEASE {
    HTTP::header remove "USER"
}

    And then in the request logging profile, you'd just capture ${USER}. I think though, for the complexity of this, that you're probably better off doing HSL in an iRule to capture what you want.

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Sep 02, 2015

    Hi,

     

    I had the same need and the first solution I found was to configure ACL with log "packet" and create a log filter to send cal log to HSL pool.

     

    the problem with ACL log is there is no username information but session ID and I needed to create a correlation tool to match username / session ID / ACL.

     

    After reading the Kevin's irule, I modified it to log RESPONSE instead of REQUEST to get response code.

     

    The new irule is :

     

    when CLIENT_ACCEPTED {
    set user "-"
}

when ACCESS_ACL_ALLOWED {
    set user [ACCESS::session data get session.logon.last.username]
}

when HTTP_RESPONSE {
    HTTP::header insert "USER" $user
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "USER"
}

    The "-" default value is to replace username by - if request is not authenticated. I configured RESPONSE Template with:

     

    $CLIENT_IP - ${USER} $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE $Referer 0 $Cookie

    This is the NCSA_COMBINED template with the second "-" replaced by ${USER}