APM Logon page logs
Hi renaranj2024,
You can configure APM to log locally and to remote syslog.
Take a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-12-1-0/10.html
The article is for BIG-IP 12.1, but the config is very similar for current versions 16.1 and 17.1.
Create a log publisher and attach it to the APM Logging Profile, as described in the article.
Cheers
Daniel
My problem is having a single log with IP, user, and AD logon result.
Currently we get a single log for each process:
<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)
<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)
- boneyard (MVP), Jan 20, 2025
If you are looking for help on the SIEM, it helps to tell us which SIEM is used.
You can associate those together based on the session ID part in there: 7cdfd47d
Else an iRule which will log the different fields together in one line is an option.
- renaranj2024 (Nimbostratus), Jan 21, 2025
The SIEM is QRadar. So far I have tried with "logging agent", but I got nothing logged. I will try with an iRule.
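
The session-ID correlation suggested in the thread, as an added example that is not part of any participant's post: a Python sketch that joins the per-process APM syslog lines into one record per session. The field layout is inferred only from the two lines quoted above, the third sample line is constructed, and the function names are hypothetical.

```python
import re

# Header layout inferred from the two lines quoted in the thread (assumption):
# <pri>date host proc[pid]: msgid:level: policy:partition:session_id: message
LINE = re.compile(
    r"^<\d+>\w{3}\s+\d+ [\d:]{8} \S+ (?P<proc>\w+)\[\d+\]: [0-9a-f]{8}:\d: "
    r"(?P<policy>\S+?):[^:\s]+:(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
NEW_SESSION = re.compile(r"New session from client IP (?P<ip>\S+)")
AD_FAILED = re.compile(
    r"AD module: authentication with '(?P<user>[^']*)' failed: (?P<reason>.*)"
)

SAMPLE = [
    # Lines 1 and 2 are the ones quoted in the thread.
    "<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)",
    "<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)",
    # Constructed line: a session that has no AD message yet.
    "<141>Jan 20 12:29:02 hostname.local tmm3[20216]: 01490500:5: /Common/policyname:Common:0a1b2c3d: New session from client IP 192.0.2.10 at VIP x.x.x.x Listener /Common/vsname",
]


def correlate(lines):
    """Group APM log lines by session ID and merge IP, user and AD result."""
    sessions = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an APM session-scoped line
        rec = sessions.setdefault(m["sid"], {
            "policy": m["policy"], "client_ip": None,
            "user": None, "ad_result": None, "reason": None,
        })
        if (s := NEW_SESSION.search(m["msg"])):
            rec["client_ip"] = s["ip"]
        elif (a := AD_FAILED.search(m["msg"])):
            rec.update(user=a["user"], ad_result="failed", reason=a["reason"])
    return sessions


def one_line(sid, rec):
    """Render one merged record as a single key=value line for the SIEM."""
    return (f"session={sid} policy={rec['policy']} client_ip={rec['client_ip']} "
            f"user={rec['user']} ad_result={rec['ad_result']}")


if __name__ == "__main__":
    for sid, rec in correlate(SAMPLE).items():
        print(one_line(sid, rec))
```

Sessions with no AD message yet keep `ad_result=None`, so a consumer can tell "not authenticated yet" apart from "failed".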