
get bot management logging


Gijs Lemahieu1709159845

Question

Hi,

 

I'm exploring bot management and the possibilities of this.

I was able to set up a basic configuration and I see that there are hits on the signatures (with the command stat bot profile) but how can I get some logging of this?

I cannot find any entry in the ns.log file. I can configure a log action on 'bot management policy' level, but I don't know how to get the bot management variables to see which signature was hit on which URL for instance.

We are running the latest version of ADC 13.0

LOG is enabled for every signature and action is set to 'none'.

Other features (like WAF) are logging to the ns.log by default but this seems to be different for bot management logging?

 

Can anyone help me?

 

Regards,

 

Gijs.

 

1 answer to this question

I believe it should be to syslog too. Are you generating a violation for this test?

Logging is enabled in the bot signatures, and some specific violations in the action. These only log when the violation is encountered.

 

For custom logactions on the bot policy itself to log when the policy hit occurs, you need to also enable "user configurable log messages" in your system syslog audit parameters or action of any external syslog audit policy. (If the custom log action applied to the policy says log to nslog, then it is going to the nslog /var/nslog/newnslog instead of syslog at /var/log/ns.log)

 

Local syslog logging is controlled by the settings of the global system auditing parameters. Any other external logging location's logging behavior will be set in the associated syslog auditing policy in effect. So be sure you check both locations. System > Auditing (right-pane for syslog parameters). Continue to the policies node under auditing for alternate log locations.

 

Also identify if your default logging (global system audit parameters) is setting the logging level to only certain criticalities that might be excluding some of your events. And check any external audit policies also set.

 

The regular bot signature violations should be logging to syslog by default. They only log on violation though.
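
The settings described in the answer above, written out as NetScaler CLI commands. This is an added example, not part of the original posts; the names bot_hit_log, my_bot_policy and my_syslog_action are hypothetical placeholders, and the message text is only one possible choice.

```text
# Lines starting with '#' are annotations, not commands.
# bot_hit_log, my_bot_policy and my_syslog_action are placeholder names.

# 1. Check the global syslog audit parameters: log levels in effect and
#    whether user-configurable log messages are enabled.
show audit syslogParams

# 2. Enable user-configurable log messages for local syslog (/var/log/ns.log).
set audit syslogParams -userDefinedAuditlog YES

# 3. If an external syslog audit policy is in effect, its action has its own
#    copy of the same setting and its own log levels, so check it as well.
show audit syslogPolicy
show audit syslogAction
set audit syslogAction my_syslog_action -userDefinedAuditlog YES

# 4. Create a custom log action. With -logtoNewnslog NO the message goes to
#    syslog; with YES it goes to /var/nslog/newnslog instead.
add audit messageaction bot_hit_log INFORMATIONAL '"Bot policy hit: " + CLIENT.IP.SRC + " " + HTTP.REQ.URL' -logtoNewnslog NO

# 5. Attach the log action to the bot policy so it fires on each policy hit.
set bot policy my_bot_policy -logAction bot_hit_log

# 6. Watch the local syslog while sending a test request.
shell tail -f /var/log/ns.log
```

The INFORMATIONAL level chosen for the message action must be included in the log levels of the syslog parameters or action, otherwise the message is filtered out.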

 

 

 
