Forum Discussion

renaranj2024's avatar
renaranj2024
Icon for Nimbostratus rankNimbostratus
Jan 17, 2025

APM Logon page logs

We are having a brute force username guessing attack but we can not analyze properly where it comes or since when it started. We don't have locally enough logs to generate reports for a Month. Theref...
APM
event
security
renaranj2024's avatar
renaranj2024
Icon for Nimbostratus rankNimbostratus
Jan 20, 2025

My problem is having a single log with ip, user, and ad logon result. 

Currently we get a single log for each process:

<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)

<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jan 20, 2025

If you are looking for help on the SIEM, it helps telling which SIEM is used.

 

You can associate those together based on the session ID part in there: 7cdfd47d

 

Else an iRule which will log the different fields together in one line is an option.

  • renaranj2024's avatar
    renaranj2024
    Icon for Nimbostratus rankNimbostratus
    Jan 21, 2025

    the SIEM is a Qradar. I have tried so far with "logging agent" but I got nothing logging. I will try with an irule.