You can use either a query like "userAgent = <string>" OR specify the query in a filter OR you can do a custom filter like this:

"%date% %time% - %node% - [%sourceip%] %ivs%::%user%(%realm%)[%role%]%nonRoot% - %msg% - %useragent%".

If you set this filter as default you will always get specified information in your log.

Is this what you were looking for?

Hi TheHorse13,

don't know the specific search capabilites of IVE as i don't use them,

if you do use a different Log Collector (STRM / Q1Radar / Arcsight / Splunk and so on).

Limit the search to a 1 Week basis.

Search with a Group by on Useragenst xyz (in your case iOS) then count the "Username".

Hope this helps

Regards

NULL

I don't think the %useragent% is collected if not specified in the default filter though..

The standard logs that we send over to a syslog server do not show useragent. The most we receive is that the user belongs to the mobile user realm, which is not helpful in this case.

My specific question to Juniper is if they log the actual useragent string anywhere or is there a way to enable this for logging purposes? We want to parse out the different types of mobile devices that are being used by our users.

Thanks.

No, the useragent is not logged anywhere if not specified in your default filter.. See my post above.

In a case much like this, I set up a role-mapping rule to map users with a specific agent string to a role with only default session and UI settings and no resources. Of course, I specify that the processing of role-mapping rules should not stop with that assignment.

So, if you had a role-mapping rule which mapped any user with an iPad agent string to role "iPad User", you could then search using Splunk for messages with that string in them. If you only select the "authentication successful" or some other message that would occur only once per session, you can count them to get the number of iPad sessions, and count unique user names to see how many users logged on with iPads that week.

Ken