Here is an iRule that logs not only the client IP address, but also the HOST, URI, and VIP address.
(FYI, I'm using 10.2.1 code.)
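rule ASM_DOS_LOG_RULE {
    # Writes one local0 log line for every ASM event whose violation data
    # mentions VIOLATION_DOS_ATTACK, adding the virtual server address, the
    # Host header and the request URI to what ASM itself reports.
    #
    # Changes from the posted version:
    #   - each log string is back on a single line; the wrapped text split the
    #     variable name into "$client_reques" + "t", which references an unset
    #     variable instead of the URI
    #   - each message names the event that actually fired, where all three
    #     handlers previously said ASM_REQUEST_VIOLATION
    #   - opening braces sit on the same line as "when" and "if", so the body
    #     is parsed as part of the command and not as a separate one
    #
    # Operational notes:
    #   - HOST and URI are supplied by the client and are logged verbatim.
    #     Anything that parses these lines should treat both fields as
    #     untrusted text and not rely on the ", " separators inside them.
    #   - One line is written per matching request. During a flood this can
    #     itself load the logging path; consider rate-limiting or shipping
    #     these events off-box if volume becomes a concern.

    # Remember the listener this connection arrived on (address:port).
    when CLIENT_ACCEPTED {
        set vip "[IP::local_addr clientside]:[TCP::local_port clientside]"
    }

    # Keep the URI and Host header so the ASM handlers below can log them.
    when HTTP_REQUEST {
        set client_request [HTTP::uri]
        set host_head [HTTP::host]
    }

    # The handlers below read elements 0 and 5 of the violation data to look
    # for the DoS marker, and log element 2 as the web application and
    # element 4 as the client IP (labels as used in the log text).
    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }

    when ASM_RESPONSE_VIOLATION {
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_RESPONSE_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }

    when ASM_REQUEST_BLOCKING {
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_BLOCKING, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }
}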