Forum Discussion

renaranj2024

Nimbostratus

Jan 17, 2025

APM Logon page logs

We are having a brute force username guessing attack but we can not analyze properly where it comes or since when it started. We don't have locally enough logs to generate reports for a Month. Theref...

MVP

Jan 17, 2025

Hi renaranj2024,

you can configure APM to log locally and to remote syslog.
Take a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-12-1-0/10.html
The article is for BIG-IP 12.1, but the config is very similar for current versions 16.1 and 17.1.
Create log publisher and attach it to the APM Logging Profile, as described in the article.

Cheers
Daniel

renaranj2024

Nimbostratus

Jan 20, 2025

My problem is having a single log with ip, user, and ad logon result.

Currently we get a single log for each process:

<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)

<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)

boneyard
MVP
Jan 20, 2025
If you are looking for help on the SIEM, it helps telling which SIEM is used.

You can associate those together based on the session ID part in there: 7cdfd47d

Else an iRule which will log the different fields together in one line is an option.
- renaranj2024
  Nimbostratus
  Jan 21, 2025
  the SIEM is a Qradar. I have tried so far with "logging agent" but I got nothing logging. I will try with an irule.