Contributor
TheHorse13
Posts: 32
Registered: ‎07-30-2008
0

Unique Mobile Device User Agent String Count

We allow mobile users the ability to sign on based on user agent string checks. For example, if someone has an iPad we check that and then know that they are part of the mobile user realm and they are placed in a specific permission group.

That said, I cannot find any useful data in the IVE logs that would allow me to see how many iPad users logged into the IVE for the week.

Does anyone have a way to produce a metric like this with the IVE logs? It appears that user agent string info is not in the IVE logs by default.

Thanks.

Contributor
Lilja
Posts: 85
Registered: ‎12-02-2009
0

Re: Unique Mobile Device User Agent String Count

You can use either a query like "userAgent = <string>" OR specify the query in a filter OR you can do a custom filter like this:

"%date% %time% - %node% - [%sourceip%] %ivs%::%user%(%realm%)[%role%]%nonRoot% - %msg% - %useragent%".

If you set this filter as default you will always get specified information in your log.

Is this what you were looking for?

---------------------------------------------------
Please mark this post as 'accepted solution' if my input answers your question!
A kudo would be nice if you think I deserve it.
---------------------------------------------------
2 A/P clustered 6500, 7.4R9.1
2 A/P clustered 2500, 8.0R3.1 LAB
Trusted Contributor
NULL
Posts: 113
Registered: ‎11-27-2010
0

Re: Unique Mobile Device User Agent String Count

Hi TheHorse13,

Don't know the specific search capabilities of IVE as I don't use them,

if you do use a different Log Collector (STRM / Q1Radar / Arcsight / Splunk and so on).

Limit the search to a 1 Week basis.

Search with a Group by on Useragents xyz (in your case iOS) then count the "Username".

Hope this helps

Regards

NULL

Contributor
Lilja
Posts: 85
Registered: ‎12-02-2009
0

Re: Unique Mobile Device User Agent String Count

I don't think the %useragent% is collected if not specified in the default filter though.

Contributor
TheHorse13
Posts: 32
Registered: ‎07-30-2008
0

Re: Unique Mobile Device User Agent String Count

The standard logs that we send over to a syslog server do not show useragent. The most we receive is that the user belongs to the mobile user realm, which is not helpful in this case.

My specific question to Juniper is if they log the actual useragent string anywhere or is there a way to enable this for logging purposes? We want to parse out the different types of mobile devices that are being used by our users.

Thanks.

Contributor
Lilja
Posts: 85
Registered: ‎12-02-2009
0

Re: Unique Mobile Device User Agent String Count

No, the useragent is not logged anywhere if not specified in your default filter. See my post above.

Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008
0

Re: Unique Mobile Device User Agent String Count

In a case much like this, I set up a role-mapping rule to map users with a specific agent string to a role with only default session and UI settings and no resources. Of course, I specify that the processing of role-mapping rules should not stop with that assignment.

So, if you had a role-mapping rule which mapped any user with an iPad agent string to role "iPad User", you could then search using Splunk for messages with that string in them. If you only select the "authentication successful" or some other message that would occur only once per session, you can count them to get the number of iPad sessions, and count unique user names to see how many users logged on with iPads that week.

Ken
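The counting this thread arrives at, as an added example that is not part of any post above: it parses syslog lines written with the custom filter quoted earlier and reports sessions and unique users per device type for one week. How the IVE renders each field, the ISO date format, the "authentication successful" marker text and the sample lines are all constructed assumptions; adjust them to what your appliance actually writes.

```python
import re
from collections import defaultdict

# Header of a line written with the custom filter quoted in the thread.
# How the IVE renders each field is an assumption; adjust to real output.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) - (?P<node>\S+) - "
    r"\[(?P<sourceip>[^\]]*)\] (?P<ivs>[^:]*)::(?P<user>[^(]*)"
    r"\((?P<realm>[^)]*)\)\[(?P<role>[^\]]*)\](?P<nonroot>.*?) - (?P<rest>.*)$"
)
# Checked in order; anything else, including an empty field, is "other".
DEVICES = [("iPad", "ipad"), ("iPhone", "iphone"), ("Android", "android")]

def classify(user_agent):
    ua = user_agent.lower()
    return next((name for name, needle in DEVICES if needle in ua), "other")

def weekly_device_counts(lines, start, end, marker="authentication successful"):
    """Return ({device: {"sessions": n, "users": set}}, unparsed_line_count)."""
    stats = defaultdict(lambda: {"sessions": 0, "users": set()})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # report these instead of silently undercounting
            continue
        # %msg% may contain " - ", so the user agent is what follows the last one.
        msg, _, user_agent = m["rest"].rpartition(" - ")
        if not (start <= m["date"] <= end) or marker not in msg.lower():
            continue  # outside the week, or not the once-per-session message
        entry = stats[classify(user_agent)]
        entry["sessions"] += 1
        entry["users"].add(m["user"].strip().lower())  # alice == Alice
    return dict(stats), unparsed

# Constructed sample lines (not real IVE output).
SAMPLE = """\
2013-05-06 08:14:02 - ive1 - [203.0.113.10] Root::alice(Mobile Users)[iPad User] - authentication successful for alice - Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)
2013-05-06 09:01:40 - ive1 - [203.0.113.10] Root::alice(Mobile Users)[iPad User] - session timed out - Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)
2013-05-07 07:55:12 - ive1 - [203.0.113.10] Root::Alice(Mobile Users)[iPad User] - authentication successful for Alice - Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)
2013-05-07 10:20:33 - ive2 - [198.51.100.7] Root::bob(Mobile Users)[Mobile] - authentication successful for bob - Mozilla/5.0 (Linux; U; Android 4.1.2)
2013-05-08 11:02:09 - ive1 - [198.51.100.9] Root::carol(Mobile Users)[iPad User] - authentication successful for carol - Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)
2013-05-14 08:00:00 - ive1 - [198.51.100.9] Root::dave(Mobile Users)[iPad User] - authentication successful for dave - Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)
line truncated in transit
""".splitlines()

if __name__ == "__main__":
    stats, unparsed = weekly_device_counts(SAMPLE, "2013-05-06", "2013-05-12")
    print({d: (s["sessions"], len(s["users"])) for d, s in stats.items()}, unparsed)
```

A non-zero unparsed count means some lines did not match the assumed layout, so the totals are a lower bound until the pattern is adjusted.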
