Colin_Keltie
Jun 28, 2013

ASM event log output formatting

I (like so many others, I suspect) was so impressed with F5's use of Logstalgia to visualise ASM defending against a number of L7 attacks at Interop this year that I thought I'd have a play with it to see if there was any way I could produce something similar for our management. I've had a bit of success using raw Apache logs (enough to get my managers' ears pricked up anyway) and now I'm looking to see if there's a way of shoehorning ASM's log output into any of the standard log formats that Logstalgia likes:

NCSA Common Log Format (CLF)

"%h %l %u %t \"%r\" %>s %b"

NCSA Common Log Format with Virtual Host

"%v %h %l %u %t \"%r\" %>s %b"

NCSA extended/combined log format

"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

NCSA extended/combined log format with Virtual Host

"%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

Does anyone know of an easy way to do this without writing a bespoke parser? Furthermore, imagine an iControl hook that fed HSL log data through a parser and into a server running a real-time instance of Logstalgia? Real-time Empire Strikes Back Skiddie Pong - better than trying to write it down or explain to a manager what an L7 DDoS attack might "look" like if you could actually see it.

A great piece of work by the way. Hopefully see some of you guys there next year.
Horse
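
An added example, not part of the original post and not F5 code: a small converter that renders one log record in the combined format listed above, with or without the leading `%v`. It assumes records arrive as comma-separated `key="value"` pairs; the field names (`ip_client`, `date_time`, `method`, `uri`, `protocol`, `response_code`, `username`, `referer`, `user_agent`) are assumptions to be mapped to whatever the logging profile actually emits, and the sample record is constructed.

```python
import re
from datetime import datetime, timezone

# Assumed input: one record per line as comma-separated key="value" pairs.
# Field names (ip_client, date_time, method, uri, protocol, response_code,
# username) are assumptions; map them to what your logging profile emits.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_record(line):
    """Split a key="value" record into a dict, unescaping embedded quotes."""
    return {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}

def quoted(value):
    """Make a value safe inside a quoted log field: drop control characters
    (no injected lines) and escape backslashes and double quotes."""
    value = "".join(ch for ch in value if ch.isprintable())
    return value.replace("\\", "\\\\").replace('"', '\\"') or "-"

def token(value):
    """Unquoted fields must be a single token; fall back to '-'."""
    return value if value and not re.search(r"\s", value) else "-"

def to_combined(rec, vhost=None):
    """Render one record as NCSA combined; prepend %v when vhost is given."""
    ts = datetime.strptime(rec["date_time"], "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)  # assumption: source logs in UTC
    request = " ".join(rec.get(k, d) for k, d in
                       (("method", "-"), ("uri", "-"), ("protocol", "HTTP/1.1")))
    fields = [
        token(rec.get("ip_client", "")),                   # %h
        "-",                                               # %l
        token(rec.get("username", "")),                    # %u
        ts.strftime("[%d/%b/%Y:%H:%M:%S %z]"),             # %t
        '"{}"'.format(quoted(request)),                    # %r
        token(rec.get("response_code", "")),               # %>s
        "-",                                               # %b (no size field assumed)
        '"{}"'.format(quoted(rec.get("referer", ""))),     # %{Referer}i
        '"{}"'.format(quoted(rec.get("user_agent", ""))),  # %{User-agent}i
    ]
    if vhost:
        fields.insert(0, token(vhost))                     # %v
    return " ".join(fields)

# Constructed sample record, not real product output.
SAMPLE = (r'date_time="2013-06-28 10:15:02",ip_client="203.0.113.7",method="GET",'
          r'uri="/login.php?u=\"x\"",protocol="HTTP/1.1",response_code="200"')

if __name__ == "__main__":
    print(to_combined(parse_record(SAMPLE), vhost="www.example.com"))
```

Because URIs and headers in WAF logs are attacker-controlled, the quoting step matters: an unescaped quote or newline would corrupt the line or forge extra entries in the visualisation feed.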