Forum Discussion
APM Logon page logs
We are having a brute-force username guessing attack, but we cannot analyze properly where it comes from or when it started. We don't have enough local logs to generate reports for a month. Therefore we want to use our SIEM for it. Unfortunately the logs need to be correlated separately to get the username, date and IP from the same session.
Has anyone accomplished that in their syslog SIEM?
Hi renaranj2024,
you can configure APM to log locally and to remote syslog.
Take a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-12-1-0/10.html
The article is for BIG-IP 12.1, but the config is very similar for current versions 16.1 and 17.1.
Create a log publisher and attach it to the APM Logging Profile, as described in the article.
Cheers
Daniel

renaranj2024
My problem is having a single log with ip, user, and ad logon result.
Currently we get a single log for each process:
<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)
<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)
If you are looking for help on the SIEM, it helps to tell us which SIEM is used.
You can associate those together based on the session ID part in there: 7cdfd47d
Else an iRule which will log the different fields together in one line is an option.
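One way to do the session-ID join the reply describes, before the lines reach the SIEM: an added example written for this thread, not code from the thread or from F5. It runs in Python against the two lines quoted above plus two constructed lines for a second session, and its regexes assume the message shape shown there (and that AD success lines use the same "authentication with '<user>' <result>" phrasing).

```python
import re
from collections import Counter

# Two lines quoted in the thread plus two constructed lines for a second session
# from the same client, so the per-IP count has something to add up.
SAMPLE_LOGS = [
    "<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)",
    "<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)",
    "<141>Jan 20 12:28:21 hostname.local tmm3[20216]: 01490500:5: /Common/policyname:Common:8a1e2b3c: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)",
    "<139>Jan 20 12:28:21 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:8a1e2b3c: AD module: authentication with 'jsmith' failed: Client 'jsmith@DOM.DIR' not found in Kerberos database, principal name: jsmith@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)",
]

# Syslog header shared by both message types. The 8-hex-digit session ID that
# follows the policy path is the join key the reply above points at.
HEADER = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d: (?P<policy>\S+):(?P<session>[0-9a-f]{8}): (?P<msg>.*)$"
)
NEW_SESSION = re.compile(r"New session from client IP (?P<ip>\S+) ")
# Assumption: AD success lines use the same "authentication with '<user>' <result>" shape.
AD_RESULT = re.compile(r"AD module: authentication with '(?P<user>[^']+)' (?P<result>\w+)")


def correlate(lines):
    """Join the per-process APM lines into one record per session ID."""
    sessions = {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an APM access-policy line; ignore it
        rec = sessions.setdefault(m["session"], {"session": m["session"]})
        rec.setdefault("first_seen", m["ts"])
        if s := NEW_SESSION.search(m["msg"]):
            rec["client_ip"] = s["ip"]
        elif a := AD_RESULT.search(m["msg"]):
            rec["user"], rec["ad_result"] = a["user"], a["result"]
    return sessions


def failed_logons_by_ip(sessions):
    """Count AD failures per client IP, which is the view that exposes a guessing attack."""
    return Counter(r.get("client_ip", "unknown")
                   for r in sessions.values() if r.get("ad_result") == "failed")


if __name__ == "__main__":
    joined = correlate(SAMPLE_LOGS)
    for rec in joined.values():
        print(rec)
    print(failed_logons_by_ip(joined))
```

The same join key works inside the SIEM: extract the session ID from both messages into a field and group on it, which is what the iRule alternative avoids by writing one combined line.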