My goal is to log different information from Webmail clients than from ActiveSync clients. It seems the most obvious way to distinguish the two clients is from the HTTP::URI. So I’ve written the following script, which sadly has an error somewhere in it; line 19 according to the A10.
```tcl
when HTTP_REQUEST {
    if { [HTTP::method] == "POST" } {
        HTTP::collect
    }
}

when HTTP_REQUEST_DATA {
    set whatif [HTTP::uri]
    if {$whatif contains "activesync"} {
        if { [HTTP::payload length] > 5 } {
            set uri [HTTP::uri]
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "IF=$uri, Client=$c_ip, VIP=$vip_ip,"
        }
    }
    {
        if { [HTTP::payload length] > 5 } {
            set payload [HTTP::payload]
            set client [HTTP::header User-Agent]
            set index [expr [string first "username=" $payload] + [string length "username="]]
            set index2 [expr [string first "password=" $payload]-2]
            set username "[string range $payload $index $index2]"
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "ELSE=$username, Client=$c_ip, VIP=$vip_ip, Client=$index3"
        }
    }
}
```
The error the A10 is spitting out is: Warning: aFleX syntax error: line 18: “unknown command " if { [HTTP::payload length] > 5 } { set payload […”"
Try the following:

```tcl
when HTTP_REQUEST {
    if { [HTTP::method] == "POST" } {
        HTTP::collect
    }
}

when HTTP_REQUEST_DATA {
    set whatif [HTTP::uri]
    if {($whatif contains "activesync") and ([HTTP::payload length] > 5 )} {
        set uri [HTTP::uri]
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "IF=$uri, Client=$c_ip, VIP=$vip_ip,"
    } elseif { [HTTP::payload length] > 5 } {
        set payload [HTTP::payload]
        set client [HTTP::header User-Agent]
        set index [expr [string first "username=" $payload] + [string length "username="]]
        set index2 [expr [string first "password=" $payload]-2]
        set username "[string range $payload $index $index2]"
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "ELSE=$username, Client=$c_ip, VIP=$vip_ip, Client=$index3"
    }
}
```
brunov, thanks for the response. I see what you did there and it makes perfect sense. However I still had something wrong with the script ($index3 was being called but was never set), which I’ve fixed. However I still have a problem.
```tcl
when HTTP_REQUEST {
    if { [HTTP::method] == "POST" } {
        HTTP::collect
    }
}

when HTTP_REQUEST_DATA {
    set whatif [HTTP::uri]
    if {($whatif contains "activesync") and ([HTTP::payload length] > 5 )} {
        set uri [HTTP::uri]
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "uri=$uri, Client=$c_ip, VIP=$vip_ip,"
    } elseif { [HTTP::payload length] > 5 } {
        set payload [HTTP::payload]
        set client [HTTP::header User-Agent]
        set index [expr [string first "username=" $payload] + [string length "username="]]
        set index2 [expr [string first "password=" $payload]-2]
        set username "[string range $payload $index $index2]"
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "User=$username, Client=$c_ip, VIP=$vip_ip"
    }
}
```
The `($whatif contains "activesync")` section isn’t being triggered when I sync my iPad. I added the URI to the elseif section for a quick test, and sure enough it looks like the `($whatif contains "activesync")` just isn’t working.
Here is what the URI looks like: uri=/Microsoft-Server-ActiveSync?User=bgraham&DeviceId=ApplDMPHK0TYDVGF&DeviceType=iPad&Cmd=Ping
Do I need to do something different to the ($whatif contains “activesync”) section to make this work? I’ll keep playing around with it, but any feedback is helpful!
I just changed activesync to Microsoft-Server-ActiveSync and that seems to have fixed it. I don’t know enough about programming or aflex to know if it makes sense that this change was needed. But it’s working, so that’s all I care about for now!
Here is the script for now, in case it helps anyone else. I still have some editing to do as I still want to: a) pull the userid out of the URI for ActiveSync connections and b) it looks like certain mobile devices don’t display the userid in the URI; if they do it’s jumbled (uri=/Microsoft-Server-ActiveSync?eRIJBA45OTAwMDExOTc1NDYzMwRWkRHaEE1vdG9EUk9JRFJBWlI2NTE= as compared to uri=/Microsoft-Server-ActiveSync?User=bgraham&DeviceId=ApplDMPHK0TYDVGF&DeviceType=iPad&Cmd=Ping)
```tcl
when HTTP_REQUEST {
    # Only POST requests carry a body worth collecting
    if { [HTTP::method] == "POST" } {
        HTTP::collect
    }
}

when HTTP_REQUEST_DATA {
    set whatif [HTTP::uri]
    # "contains" is case sensitive, so match the URI exactly as the client sends it
    if {($whatif contains "Microsoft-Server-ActiveSync") and ([HTTP::payload length] > 5 )} {
        set uri [HTTP::uri]
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "uri=$uri, Client=$c_ip, VIP=$vip_ip,"
    } elseif { [HTTP::payload length] > 5 } {
        # Webmail login: cut the value between "username=" and "&password="
        set payload [HTTP::payload]
        set client [HTTP::header User-Agent]
        set index [expr [string first "username=" $payload] + [string length "username="]]
        set index2 [expr [string first "password=" $payload]-2]
        set username "[string range $payload $index $index2]"
        set c_ip [IP::client_addr]
        set vip_ip [IP::local_addr]
        log "User=$username, Client=$c_ip, VIP=$vip_ip"
    }
}
```
The comparison is case sensitive. You can solve this by using the correct case as you did, or just set the variable to be all lower case:

```tcl
set whatif [string tolower [HTTP::uri]]
```
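An added example, not part of the thread and not A10 code: the case-insensitive classification discussed above, combined with pulling `User` out of the ActiveSync query string and `username` out of the webmail body by field name, so a missing or reordered field yields an empty value instead of logging unrelated payload bytes. It is plain Tcl for `tclsh`; the proc names `form_field` and `classify`, the `/webmail/login` path and all sample inputs are constructed, and calling these from an aFleX event is an assumption.

```tcl
# Plain Tcl for tclsh; proc names are hypothetical and sample inputs are constructed.

# Return the value of one field from "a=1&b=2" style data, or "" if it is absent.
proc form_field {data name} {
    foreach pair [split $data "&"] {
        set eq [string first "=" $pair]
        if {$eq < 0} { continue }
        set key [string range $pair 0 [expr {$eq - 1}]]
        if {[string equal -nocase $key $name]} {
            return [string range $pair [expr {$eq + 1}] end]
        }
    }
    return ""
}

# Classify a request as activesync or webmail and return {kind user}.
# Only the named field is read, so the password value is never copied.
proc classify {uri payload} {
    set path $uri
    set query ""
    set q [string first "?" $uri]
    if {$q >= 0} {
        set path  [string range $uri 0 [expr {$q - 1}]]
        set query [string range $uri [expr {$q + 1}] end]
    }
    # Lower-case the path so "activesync" matches "Microsoft-Server-ActiveSync".
    if {[string first "activesync" [string tolower $path]] >= 0} {
        set user [form_field $query "User"]
        # Clients that send an opaque (encoded) query string have no User field.
        if {$user eq ""} { set user "-" }
        return [list activesync $user]
    }
    set user [form_field $payload "username"]
    if {$user eq ""} { set user "-" }
    return [list webmail $user]
}

# Constructed sample requests: plain query, opaque query, webmail login body.
puts [classify "/Microsoft-Server-ActiveSync?User=bgraham&DeviceType=iPad&Cmd=Ping" ""]
puts [classify "/Microsoft-Server-ActiveSync?Q09OU1RSVUNURUQ=" ""]
puts [classify "/webmail/login" "destination=x&username=bgraham&password=secret"]
```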