ASM Automation (API / MySQL)
I'm running ASM 11.6 with EM 3.1.1. (Mainly used for config backup/pushing signatures)
My syslog feed for security events goes to another group for SIEM processing.
I'm looking to automate some things such as searching for Support IDs for blocked events.
Currently we have to log into multiple devices and search manually because 11.6 no longer writes to /var/log/asm.
Is there a way to automate this search via API/SQL access? Some other way I'm not thinking of?
I've looked through the API docs and it does not appear that this is available via API. And I've seen references to accessing the DB directly, but little documentation.
3 Replies
- samstep
Cirrocumulus
Do you really need the API here? Or just the ability to dump the alerts somewhere you can use them?
It is trivial to set up your log publishers in such a way to log locally (be aware of the performance overhead). Or log it remotely to an additional log destination under your control so you can search it for SupportID or insert the log data into your own database there (this can be done easily with something like Kiwi Syslog - http://www.kiwisyslog.com/help/syslog/action_log_to_odbc_database.htm )
Don't forget that you can always get your /var/log/asm file back by setting ASM system variable "send_content_events" to 1 in Security/Options/Application Security/Advanced Configuration menu. Beware of the performance impact - there is a reason why F5 has disabled local logging - writing logs to local disk is SLOW, so if you are protecting a high-load website/application you may experience unnecessary latency and CPU increase introduced by local logging.
Hope this helps,
Sam
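The remote-destination approach suggested above, sketched as an added example that is not part of the original reply: it indexes ASM events collected from several devices by Support ID and returns the blocked ones. It assumes the logging profile emits key="value" pairs including `support_id`, `request_status` and `unit_hostname`; the sample lines are constructed, and accepting trailing digits as a query is a choice made for this example.

```python
import re

# Constructed sample lines (not real traffic). Assumption: the remote logging
# profile emits key="value" pairs that include support_id and request_status.
SAMPLE_LINES = [
    'Mar  3 10:15:02 asm1 ASM:unit_hostname="asm1.example.net",'
    'policy_name="shop",violations="Illegal meta character in value",'
    'support_id="1844674407370955161",request_status="blocked",'
    'ip_client="192.0.2.10",uri="/cart"',
    'Mar  3 10:15:09 asm2 ASM:unit_hostname="asm2.example.net",'
    'policy_name="shop",violations="Illegal file type",'
    'support_id="1844674407370955200",request_status="alerted",'
    'ip_client="192.0.2.44",uri="/a.bak"',
    'Mar  3 10:16:30 asm2 ASM:unit_hostname="asm2.example.net",'
    'policy_name="api",violations="Attack signature detected",'
    'support_id="1844674407370957777",request_status="blocked",'
    'ip_client="198.51.100.7",uri="/v1/items"',
    'Mar  3 10:16:31 asm2 sshd[411]: unrelated line without ASM fields',
]

# key="value"; the value pattern tolerates backslash-escaped quotes.
KV_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_event(line):
    """Return the key="value" pairs found in one syslog line as a dict."""
    return dict(KV_PAIR.findall(line))

def build_index(lines):
    """Map support_id -> list of events; lines without a support_id are skipped."""
    index = {}
    for line in lines:
        event = parse_event(line)
        if "support_id" in event:
            index.setdefault(event["support_id"], []).append(event)
    return index

def find_events(index, query, blocked_only=True):
    """Match a full Support ID or its trailing digits against the index."""
    if not query.isdigit():
        raise ValueError("Support ID must be numeric")
    hits = []
    for sid, events in index.items():
        if sid.endswith(query):
            hits += [e for e in events
                     if not blocked_only or e.get("request_status") == "blocked"]
    return hits

if __name__ == "__main__":
    for e in find_events(build_index(SAMPLE_LINES), "7777"):
        print(e["unit_hostname"], e["support_id"], e["violations"], e["uri"])
```
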
You can enable the ASM REST API. There's a KB doc on it.
- StewartT_232774
Nimbostratus
I did look over the REST API, but I didn't see anything in the docs dealing with ASM Logs.