Forum Discussion

newton1919_3080
Jan 01, 2019

ASM remote syslog violations issue

Hi, I have 1 request with multiple violations. When I get the syslog I only see 1 violation. Why is it?

 

These are my syslog fields that I configured:

 

11policy_name=%policy_name%12req_status=%request_status%1src_ip=%ip_client%dest_ip=%dest_ip%dest_port=%dest_port%method=%method%5uri=%uri%*country=%geo_location%8attack_type=%attack_type%9violation=%violations%10sig_name=%sig_names%7headers=%headers%

 

  • I would double check that the violations that you believe should be showing up are enabled within the logging profile that you have configured for your syslog server. Go to Security > Event Logs > Click on the advanced drop downs. Double check the violations that you see for a particular request. Be sure that those are in the selected fields versus the available fields. The main one that you need is the violations. Make sure that is in the selected fields. I would test that it is not a maximum entry length problem as well by switching it from 2k to a higher setting, if you have not already done this.

     

    If these are all set correctly, my best guess would be that it is a bug in the version that you are running, and you would need to open up a support ticket with F5.
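
The two checks in the reply above can also be made from the receiving side. The following is an added example, not part of the thread or F5's code: it parses a received message by the keys in the poster's format string and reports whether it looks cut off at the maximum entry length or arrived complete with a single violation. The 2048-byte value for "2k", the comma-separated violations list, the `|` delimiter in the constructed samples and the function names are assumptions.

```python
# Added example, not from the thread. Keys are from the poster's format string;
# MAX_ENTRY (2048 bytes for "2k"), comma-separated violations and the "|"
# delimiter in the constructed samples are assumptions.
KEYS = ["policy_name", "req_status", "src_ip", "dest_ip", "dest_port", "method",
        "uri", "country", "attack_type", "violation", "sig_name", "headers"]
MAX_ENTRY = 2048

def parse_fields(msg):
    """Find each 'key=' in template order, so the delimiter does not matter."""
    marks, pos = [], 0
    for key in KEYS:
        idx = msg.find(key + "=", pos)
        if idx == -1:
            continue  # key never arrived, e.g. cut off by truncation
        marks.append((key, idx))
        pos = idx + len(key) + 1
    fields = {}
    for n, (key, idx) in enumerate(marks):
        end = marks[n + 1][1] if n + 1 < len(marks) else len(msg)
        fields[key] = msg[idx + len(key) + 1:end].strip(" |\t")
    return fields

def triage(msg):
    """Classify one received message: truncated, single-violation or ok."""
    size = len(msg.encode("utf-8"))
    fields = parse_fields(msg)
    violations = [v.strip() for v in fields.get("violation", "").split(",") if v.strip()]
    missing = [k for k in KEYS if k not in fields]
    if size >= MAX_ENTRY or missing:
        verdict = "truncated"         # raise the maximum entry length and retest
    elif len(violations) <= 1:
        verdict = "single-violation"  # complete message: check the logging profile
    else:
        verdict = "ok"
    return {"size": size, "violations": violations, "missing": missing, "verdict": verdict}

# Constructed sample messages (not captured from a real device).
SAMPLE_OK = ("policy_name=/Common/demo|req_status=blocked|src_ip=192.0.2.10|"
             "dest_ip=198.51.100.5|dest_port=443|method=GET|uri=/login|country=N/A|"
             "attack_type=SQL-Injection|violation=Attack signature detected,"
             "Illegal meta character in value|sig_name=sig-a|headers=Host: example.test")
SAMPLE_ONE = SAMPLE_OK.replace(",Illegal meta character in value", "")
SAMPLE_CUT = SAMPLE_OK.replace("uri=/login", "uri=/" + "a" * 3000)[:MAX_ENTRY]

if __name__ == "__main__":
    for name, msg in [("ok", SAMPLE_OK), ("one", SAMPLE_ONE), ("cut", SAMPLE_CUT)]:
        result = triage(msg)
        print(name, result["verdict"], result["violations"], result["missing"])
```

A "truncated" verdict points at the entry length setting, while "single-violation" on a complete message points at the logging profile selection or the software version, as the reply suggests.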