Applies To:
Show VersionsBIG-IP PEM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Reporting Usage Data to an External Analytics Server
Overview: Reporting usage data to an external analytics server
In Policy Enforcement Manager™, you can create a rule within an enforcement policy that instructs the system to send usage data in high-speed logging (HSL) format to an external analytics server. The rule specifies what type of reporting data you are interested in; one of the actions it can take with the traffic is to send the information collected about it for processing to a centralized analytics server.
The system sends the information as a set of comma-separated values by means of SYSLOG transport. You can choose to use the session-based, flow-based or transactional reporting format, depending on the level of granularity you need.
For example, a rule might collect session-based information about all audio and video traffic. You can specify how often to log the data and set the destination as an HSL server or pool.
Transactional Policy Enforcement, provides the ability to report each of the HTTP transaction and sends the report to a HSL publisher. Each transaction report information is specific to that transaction only. The transactional reports are used for analytics and high level granularity for application and subscriber visibility.
Task summary
Creating a publisher
Creating a rule for high-speed logging for session reporting
Creating a rule for high-speed logging for flow reporting
Creating a high-speed logging rule for transactional reporting
Session-based reporting format
In an enforcement policy, a rule can send session-based information about traffic that matches certain criteria to an external high-speed logging (HSL) server. The logs include the following comma-separated values in the order listed.
Field | Description |
---|---|
PEM id | Identifies the reporting module (PEM) and the field value is 23003143. |
Version | Indicates the version of the format for backward compatibility. |
Timestamp seconds | The time the information was logged (along with the timestamp in milliseconds), specifies seconds using UNIX time format. |
Timestamp msec | The time the information was logged (along with the timestamp in seconds), specifies milliseconds using UNIX time format. |
Report type | The type of report. Always set to 3 for session-based reporting. |
Subscriber ID | A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format. |
Subscriber ID type | The format of the subscriber ID. It can be E.164, IMSI, NAI, or Private. |
3GPP parameters | The list of 3GPP parameters, which can be imsi, imeisv, tower_id, or username. |
Policy ID | The Identification of the policy. |
Rule ID | The Identification of the policy rule. |
Application ID | A unique number that represents a particular application, and is used for classifying traffic. |
Last Sent | The time, in seconds, since the last log entry was sent. |
Bytes in | The number of bytes received during this session. |
Bytes out | The number of bytes sent during this session. |
Concurrent flows | Always 0 (unsupported). |
Opened flows | Always 0 (unsupported). |
Terminated flows | Always 0 (unsupported). |
Total transactions | Always 0 (unsupported). |
Successful transactions | Always 0 (unsupported). |
Aggregated category duration | Summary of the duration of all flows for the session. |
Reason | The reason for sending the record. It can be 0 - reserved, 1 - volume threshold reached, 2- interval time, 3 - subscriber logout, or 4 - inactivity. |
Example session-based reporting format
Oct 10 17:19:45 172.31.63.64 23003143,1349914925,546879,3,404234567123456,IMSI,linux,f501, 404234567123456,35827001,16394,1349914913,5469633,308908379, 0,0,0,0,0,5052,1 Oct 10 17:19:57 172.31.63.64 23003143,1349914937,546661,3,404234567123456,IMSI,linux,f501, 404234567123456,35827001,16394,1349914925,5550857,313317479, 0,0,0,0,0,5063,1 Oct 10 17:20:09 172.31.63.64 23003143,1349914949,546676,3,404234567123456,IMSI,linux,f501, 404234567123456,35827001,16394,1349914937,5636605,318053179, 0,0,0,0,0,5074,1
Flow-based reporting format
In an enforcement policy, a rule can send flow-based information about traffic that matches certain criteria to an external high-speed logging (HSL) server. The logs include the following comma-separated values in the order in which the attributes were added (available to selected list).
Field | Description |
---|---|
PEM id | Identifies the reporting module (PEM) and the field value is 2300314. |
Version | Indicates the version of the format for backward compatibility. |
Timestamp seconds | The time the information was logged in UNIX time format. |
Timestamp msec | The msecs time value of the timestamp (in decimal number). |
Report type | The type of report; 0 – flow start, 1 – flow interim, 2 – flow end. |
Subscriber ID | A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format. |
Subscriber ID type | The format of the subscriber ID. It can be E.164, IMSI, NAI, or Private. |
Source IP | The IPv4 source address in the IP packet header. |
Source port | The source port the subscriber. |
Destination IP | The IPv4 destination address in the IP packet header. |
Destination port | The destination port for the traffic. |
Protocol | The protocol of the traffic for this flow, TCP or UDP. |
Route Domain | The route domain this flow belongs to. |
VLAN | The VLAN this flow belongs to. |
Application ID | A unique number that represents a particular application in this flow; it is used for classifying traffic. |
Urlcat ID | The URL category id that the flow belongs to. |
Flow start time seconds | The time, in seconds, the flow started in UNIX time format. |
Flow start time msecs | The time in milliseconds of the flow start time. |
Flow end time seconds | The time the flow ended in UNIX time format. |
Flow end time msecs | The time in milliseconds of the flow end time. |
Transactions count | The count of full transactions seen in the flow. |
Bytes in | The number of bytes received during this flow. |
Bytes out | The number of bytes sent during this flow. |
Example flow-based reporting format
Sep 13 13:48:58 172.31.63.60 23003143,1347546777,654398,0,4086007577,E164,2001::10,52784,2001::2,80,6, 67,1347546774,628630,4278124286,4278124286,331,156 Sep 13 13:48:58 172.31.63.60 23003143,1347546777,654398,2,4086007577,E164,2001::10,52784,2001::2,80,6, 67,1347546774,628630,1347546775,382473,547,864
Transaction-based reporting format
In an enforcement policy, a rule can send transaction-based information about traffic that matches certain criteria to an external high-speed logging (HSL) server. The logs include the following comma-separated values in the order listed.
Field | Description |
---|---|
PEM id | Identifies the reporting module (PEM) and the field value is 23003143. |
Version | Indicates the version of the format for backward compatibility. |
Record type | The type of report; 10 – transactional. |
Transaction Number | The sequential number of transaction in this flow (starting from 1). |
Subscriber ID | A unique identifier (up to 64 characters) for the subscriber initiating the session, such as a phone number. The subscriber ID type determines the format. |
Subscriber ID type | The format of the subscriber ID. It can be E.164, IMSI, NAI, or Private. |
Source IP | The IPv4 source address in the IP packet header. |
Source port | The source port the subscriber. |
Destination IP | The IPv4 destination address in the IP packet header. |
Destination port | The destination port for the traffic. |
Protocol, TCP/UDP | The protocol of the traffic for this flow, TCP or UDP. |
Route Domain ID | The route domain ID of the traffic. |
VLAN ID | The VLAN ID of the traffic. |
Application/Category ID | A unique number that represents the most relevant application or category that is classified for the transaction. |
URL Category ID | A unique number that represents the first (most relevant) URL category that is classified for the transaction. |
Transaction Classification result | Reports all classification tokens from the classification engine.
Note: The traffic classification result is stored using multiple tokens (8
application/category token identifiers and 4 URL token identifiers) and reported
using a CSV format.
|
Transaction Start, seconds | The transaction timestamp (seconds) in UNIX time format, when an HTTP request is received. |
Transaction Start, msecs | The transaction timestamp (msecs) in UNIX time format when an HTTP request is received. |
Transaction Stop, seconds | The transaction timestamp (seconds) in UNIX time format when the corresponding HTTP response is received. |
Transaction Stop, msecs | The transaction timestamp (msecs) in UNIX time format when the corresponding HTTP response is received. |
Transaction Upstream Volume, bytes | The number of HTTP request bytes for this transaction. |
Transaction Downstream Volume, bytes | The number of HTTP response bytes for this transaction. |
Skipped Transactions of this kind | The number of transactional reports skipped within the flow since the last successfully transmission in the flow. |
HTTP information: | The HTTP request/response information presented in a CSV format containing the
following fields:
|
Example transaction-based reporting format
Jan 15 11:36:27 localhost info tmm[29503]: 23003143,10,1.0.0,1,12341234,IMSI,10.10.10.212,32965,10.10.10.217,80,6,0,311,67,0, 67,16394,0,0,0,0,0,0,0,0,0,0,1389123382,694,1389123382,697,127,80799103,0,200, 0,10.10.10.217,0,Wget/1.13.4 (linux-gnu),0,/index_long.html Jan 15 11:36:28 localhost info tmm[29503]: 23003143,10,1.0.0,2,12341234,IMSI,10.10.10.212,32965,10.10.10.217,80,6,0,311,67,0, 67,16394,0,0,0,0,0,0,0,0,0,0,1389123384,264,1389123384,267,127,80799103,0,200, 0,10.10.10.217,0,Wget/1.13.4 (linux-gnu),0,/index_long.html Jan 15 11:36:33 localhost info tmm[29503]: 23003143,10,1.0.0,3,12341234,IMSI,10.10.10.212,32965,10.10.10.217,80,6,0,311,67,0, 67,16394,0,0,0,0,0,0,0,0,0,0,1389123385,572,1389123385,574,127,80799103,0,200, 0,10.10.10.217,0,Wget/1.13.4 (linux-gnu),0,/index_long.html Jan 15 11:36:33 localhost info tmm[29503]: 23003143,10,1.0.0,4,12341234,IMSI,10.10.10.212,32965,10.10.10.217,80,6,0,311,67,0, 67,16394,0,0,0,0,0,0,0,0,0,0,1389123387,968,1389123387,970,127,80799103,0,200, 0,10.10.10.217,0,Wget/1.13.4 (linux-gnu),0,/index_long.html Jan 15 11:36:45 localhost info tmm[29503]: 23003143,10,1.0.0,5,12341234,IMSI,10.10.10.212,32965,10.10.10.217,80,6,0,311,67,0, 67,16394,0,0,0,0,0,0,0,0,0,0,1389123399,196,1389123399,201,127,80799103,0,200, 0,10.10.10.217,0,Wget/1.13.4 (linux-gnu),0,/index_long.html