Forum Discussion

renaranj2024
Jan 17, 2025

APM Logon page logs

We are having a brute force username guessing attack but we cannot analyze properly where it comes from or when it started. We don't have enough logs locally to generate reports for a month. Therefore we want to use our SIEM for it. Unfortunately the logs need to be correlated separately to get the username, date and IP from the same session.

Has anyone accomplished that in your syslog SIEM?

    • renaranj2024

      My problem is having a single log with IP, user, and AD logon result.

      Currently we get a single log for each process:

      <141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x Listener /Common/vsname (Reputation=Windows Exploits)

      <139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. (-1765328378)

      • boneyard

        If you are looking for help on the SIEM, it helps to tell us which SIEM is used.

        You can associate those together based on the session ID part in there: 7cdfd47d

        Otherwise, an iRule that logs the different fields together on one line is an option.
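The session-ID join boneyard describes, as a small Python script that can run over an exported syslog file before or instead of a SIEM rule (an added example, not code from the thread or from F5). The two sample lines are the ones quoted in the post above; the regexes and field names are my assumptions about the APM log layout, and `first_seen` assumes the lines arrive in time order.

```python
import re
from collections import defaultdict

# Sample input: the two log lines quoted in the post above (not constructed).
SAMPLE_LOGS = [
    "<141>Jan 20 12:28:18 hostname.local tmm7[20216]: 01490500:5: /Common/policyname:Common:7cdfd47d: "
    "New session from client IP 94.156.177.201 (ST=Limburg/CC=NL/C=EU) at VIP x.x.x.x "
    "Listener /Common/vsname (Reputation=Windows Exploits)",
    "<139>Jan 20 12:28:18 hostname.local apmd[28841]: 01490107:3: /Common/policyname:Common:7cdfd47d: "
    "AD module: authentication with 'eortiz' failed: Client 'eortiz@DOM.DIR' not found in Kerberos "
    "database, principal name: eortiz@DOM.DIR. Please verify Active Directory and DNS configuration. "
    "(-1765328378)",
]

# Fields both message types share (assumed layout): syslog timestamp, APM message id,
# access policy, and the 8-hex-digit session id that ties the lines together.
PREFIX = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (?P<msgid>\d{8}):\d: "
    r"(?P<policy>\S+):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
NEW_SESSION = re.compile(r"New session from client IP (?P<ip>[0-9a-fA-F.:]+)")
AD_RESULT = re.compile(r"AD module: authentication with '(?P<user>[^']+)' (?P<result>\w+)")


def parse_line(line):
    """Return the fields of one APM log line, or None if the line is not an APM line."""
    m = PREFIX.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "sid": m["sid"]}
    s = NEW_SESSION.search(m["msg"])
    a = AD_RESULT.search(m["msg"])
    if s:
        rec["ip"] = s["ip"]
    elif a:
        rec["user"], rec["result"] = a["user"], a["result"]
    return rec


def correlate(lines):
    """Join records by session id -> {sid: {"ts", "ip", "user", "result"}}."""
    sessions = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sid, ts = rec.pop("sid"), rec.pop("ts")
        sessions[sid].setdefault("ts", ts)  # keep the first line's timestamp (syslog has no year)
        sessions[sid].update(rec)
    return dict(sessions)


def failures_by_ip(sessions):
    """Count failed AD logons per client IP, with the first time each IP was seen."""
    out = {}
    for s in sessions.values():
        if s.get("result") != "failed" or "ip" not in s:
            continue
        out.setdefault(s["ip"], {"count": 0, "first_seen": s["ts"]})["count"] += 1
    return out
```

`failures_by_ip(correlate(lines))` gives the per-source view the original question asks for (which IPs are guessing and since when), and the same session-id join is what a SIEM correlation rule would key on.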