Arcsight formatted logs from LTM (only)
Hello
I have already read many articles regarding remote logging, and especially logging to ArcSight, which I am trying to make work. I am confused whether you can finally send ArcSight formatted logs from LTM. From some articles it should work; from others it is not supported (only for other modules like ASM).
I want to send logs from LTM to the ArcSight server, and logs either from the HTTP info, iRules, etc. Not only audit logs, for example.
I have tried the Filter -> Publisher -> HSL -> ArcSight with pool servers, but I don't receive any logs.
Is there an updated document for 12.x versions for this? Or is it not possible?
Thanks in advance
Makis
3 Replies
- crodriguez (Ret. Employee)
From all the documentation I can find on AskF5 (going back to BIG-IP v11.3), "Important: ArcSight formatting is only available for logs coming from Advanced Firewall Manager™ (AFM™), Application Security Manager™ (ASM™), and the Secure Web Gateway component of Access Policy Manager® (APM®)." Here's a link to the Configuring High Speed Logging doc for v12.0: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html
- AndOs (Cirrostratus)
I was looking into this as well about a year ago, and my findings were the same as crodriguez mentions. There does not seem to be any "native" support in just LTM for ArcSight and CEF output.
It is possible to send CEF formatted logs over HSL, but you have to manually create the output format to be correct CEF. Some useful links I found for formatting the logs as CEF:
* ArcSight Common Event Format (CEF) Guide
* Apache Access Log in CEF
* System Logging: Log Messages Format for your SIEM - RFC 3164 or CEF?

Also, have a look at this for available parameters:

* Overview: Configuring a Request Logging profile

To send CEF from a request profile this is what we use.

Request settings / Template:

```
$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP|||HTTP Request|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent}
```

Response settings / Template:

```
$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP||$HTTP_METHOD:$HTTP_STATCODE|HTTP Response|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT deviceSeverity=$HTTP_STATCODE requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent} in=${Content-Length} out=$RESPONSE_SIZE sourceTranslatedAddress=$SNAT_IP sourceTranslatedPort=$SNAT_PORT requestUrlQuery=$HTTP_QUERY cs2=$RESPONSE_MSECS cs2Label=time-taken
```

Config:

```
ltm pool arcsight_log_pool {
    members {
        connector1.company.com:514 {
            address 10.10.10.10
        }
    }
}
ltm profile request-log COMPANY_request_logging_profile {
    app-service none
    defaults-from /Common/request-log
    log-response-by-default yes
    request-log-pool /Common/arcsight_log_pool
    request-log-protocol mds-udp
    request-log-template "$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP|||HTTP Request|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent}"
    request-logging enabled
    response-log-pool /Common/arcsight_log_pool
    response-log-protocol mds-udp
    response-log-template "$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP||$HTTP_METHOD:$HTTP_STATCODE|HTTP Response|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT deviceSeverity=$HTTP_STATCODE requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent} in=${Content-Length} out=$RESPONSE_SIZE sourceTranslatedAddress=$SNAT_IP sourceTranslatedPort=$SNAT_PORT requestUrlQuery=$HTTP_QUERY cs2=$RESPONSE_MSECS cs2Label=time-taken"
    response-logging enabled
}
```

This post has an example of using an iRule and remote logging to send CEF: Measuring Response time based on POST and GET Parameters
/Andreas
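A parser for the CEF lines that the response template above produces, added here as example code (not from the post or from F5), working on a constructed sample line in the template's shape. It splits the seven pipe-delimited header fields with CEF escaping, parses the space-separated extension, and rejects a line whose header has been shifted by an unescaped pipe; that check is worth running on the connector side, because the template inserts $HTTP_METHOD, $HTTP_URI and ${User-agent} verbatim and a stray `|` or `=` in those values lands in the log as-is.

```python
import re
# Constructed sample in the shape of the response template above (host, addresses and timings are made up).
SAMPLE = ("Jan 05 10:15:42 bigip1.example.com CEF:0|F5|BIG-IP||GET:200|HTTP Response|Low| "
          "src=192.0.2.10 spt=51234 dst=10.10.10.20 dpt=443 deviceSeverity=200 requestMethod=GET "
          "request=/index.html requestClientApplication=Mozilla/5.0 (X11; Linux) "
          "requestUrlQuery=a\\=1 cs2=12 cs2Label=time-taken")
HEADER_FIELDS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
SEVERITIES = {"Low", "Medium", "High", "Very-High"} | {str(n) for n in range(11)}
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of an extension key

def split_header(cef):
    """Split the 7 pipe-delimited header fields, honouring '\\|' and '\\\\' escapes; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        if cef[i] == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1]); i += 2
        elif cef[i] == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(cef[i]); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, cef[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value2'; values may contain spaces and '\\=' is a literal '='."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Parse a 'MMM DD HH:MM:SS host CEF:0|...| ext' line into a dict; ValueError if malformed."""
    fields, ext = split_header(line[line.find("CEF:"):] if "CEF:" in line else "")
    rec = dict(zip(HEADER_FIELDS, fields))
    # An unescaped '|' in a request-derived header value ($HTTP_METHOD sits in the template's
    # signature field) shifts every later field; an impossible severity is the cheap tell.
    if rec["version"] != "CEF:0" or rec["severity"] not in SEVERITIES:
        raise ValueError("bad CEF header (shifted fields?): " + "|".join(fields))
    rec["ext"] = parse_extension(ext.strip())
    return rec

def is_valid_cef(line):
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False
```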
- Pmet_260009 (Nimbostratus)
Andrea
Thanks for your really detailed answer. I need to read your links and check what logs the device can send. I will reply with my feedback.
Thanks again for your time.
Makis