Forum Discussion
ASM & Splunk integration
I have installed & configured Splunk for F5 and am able to get LTM self-IP, source-IP etc. logs on the Splunk server. So, kindly provide any document or help to integrate ASM with Splunk? Does it require an iRule to be configured on ASM?
Thank you in advance...
- You won't need any iRules to log out to a Splunk server from ASM. What you will need to do is configure a Remote Logging Profile with the relevant options and assign it to your ASM Web Application. There are some sections in the relevant Configuration Guides for ASM which describe this:
- Wagner_Bianchi_Nimbostratus
hello guys,
- Jim_Westwood_64Nimbostratus
I am having the same issue. Latest Splunk, latest F5 app and it fails to work as the data is in quotes?
- Bob_Blair_10901Nimbostratus
Make sure the logging profile is using a Remote Storage Type of Reporting Server.
- ltwagnonRet. Employee
Here's an article that might help:
ASM Logging: https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-10-event-logging.Uz3F5bEo7IV
I'll also take a look on my lab setup to see if I can figure out the exact details for ASM and Splunk configuration.
- MVANimbostratus
So it doesn't seem possible to have all contents of /var/log/asm sent to Splunk, similar to how /var/log/ltm and /var/log/audit get sent to Splunk by default?
- dbizzle_20930Nimbostratus
All you should have to do is define your remote logging options under system and define your inputs on Splunk. The F5 will automagically send anything that is standard syslog to that remote address. For ASM/APM you can collect data using High Speed Logging (HSL) or AVR and configure the publishers/destinations for each. Configure a pool(s) that has your indexer/port defined as a member or you could even create a VIP to handle load balancing between indexers if you wanted and your AVR/HSL destination could be a pool with the VIP address as its member.
- mortoj_167568Altocumulus
I am currently working on getting ASM logs over to both Splunk (syslog format) and ArcSight (CEF format). I found this link useful for understanding Field/Value/Description for Splunk and ArcSight as well as for creating Custom Logging Profiles. Thought I'd share: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/10.html