05-24-2012 07:39 AM
We allow mobile users the ability to sign on based on user agent string checks. For example, if someone has an iPad we check that and then know that they are part of the mobile user realm and they are placed in a specific permission group.
That said, I cannot find any useful data in the IVE logs that would allow me to see how many iPad users logged into the IVE for the week.
Does anyone have a way to produce a metric like this with the IVE logs? It appears that user agent string info is not in the IVE logs by default.
05-28-2012 03:55 AM
You can use either a query like "userAgent = <string>" OR specify the query in a filter OR you can do a custom filter like this:
"%date% %time% - %node% - [%sourceip%] %ivs%::%user%(%realm%)[%role%]%nonRoot% - %msg% - %useragent%".
If you set this filter as default you will always get specified information in your log.
Is this what you were looking for?
05-28-2012 06:29 AM
don't know the specific search capabilites of IVE as i don't use them,
if you do use a different Log Collector (STRM / Q1Radar / Arcsight / Splunk and so on).
Limit the search to a 1 Week basis.
Search with a Group by on Useragenst xyz (in your case iOS) then count the "Username".
Hope this helps
05-28-2012 06:32 AM
I don't think the %useragent% is collected if not specified in the default filter though..
05-28-2012 07:26 AM
The standard logs that we send over to a syslog server do not show useragent. The most we receive is that the user belongs to the mobile user realm, which is not helpful in this case.
My specific question to Juniper is if they log the actual useragent string anywhere or is there a way to enable this for logging purposes? We want to parse out the different types of mobile devices that are being used by our users.
05-28-2012 11:39 PM
No, the useragent is not logged anywhere if not specified in your default filter.. See my post above.
05-29-2012 04:37 PM
In a case much like this, I set up a role-mapping rule to map users with a specific agent string to a role with only default session and UI settings and no resources. Of course, I specify that the processing of role-mapping rules should not stop with that assignment.
So, if you had a role-mapping rule which mapped any user with an iPad agent string to role "iPad User", you could then search using Splunk for messages with that string in them. If you only select the "authentication successful" or some other message that would occur only once per session, you can count them to get the number of iPad sessions, and count unique user names to see how many users logged on with iPads that week.