For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

toneman's avatar
toneman
Icon for Altostratus rankAltostratus
Nov 23, 2021

ASM Event Logs - request_status = passed

I'm used to seeing event logs classified as "Illegal" or "Blocked" but in Splunk I see events that are listed as "passed" under request_status. There are obvious violations within the requests like ...
ASM Advanced WAF
security
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Nov 24, 2021

Hi ,

 

you can refer to K9435: Overview of the Storage Format option for a remote logging profile.

The option request_status knows three different values: blocked, alerted and passed.

 

Maybe another setting in your security policy is missing and therefore these request are not categorized as violations? Did you apply the required Attack Signatures with the correct settings?

Is the Qualys maybe on the IP address exception list?

 

KR

Daniel