Forum Discussion

swo0sh_gt_13163
Oct 20, 2013

ASM Signature Download logs to Remote SIEM server.

Hello Folks,

Could you please help me with a specific scenario to send ASM logs to external SIEM logging?

Scenario: In case ASM fails to download the auto-signature database from F5's update server, it records these logs in /var/logs/asm. How can I send these logs to my external SIEM logging server? Please consider that I am using firmware version 11.2.1.

Cheers! Darshan

  • An issue like that will end up being logged to /var/log/asm, via normal syslog processes. The instructions for forwarding syslog output to a remote server are in solution 13080:

    http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html

    Be aware that there can be quite a bit of traffic generated when you forward all of the syslog output, and you may need to filter syslog messages.

  • Hi Rob,

    Thanks for your reply. I just need to capture ASM traffic generated by BIG-IP locally, i.e., requests for signature updates and their status. Is there any way to capture only the required logs?

    Thanks, Darshan

  • I can't think of an easy way to send just one (or a small number) of log messages off to a log host.

    It's possible to use the alertd process to watch for specific log messages and then take an action if a log message is seen: either sending an SNMP trap, e-mail or LCD alarm, or executing an external script. You could write a filter for alertd that matches your signature update event log and then runs an external script that sends a syslog-formatted message to your SIEM server. The relevant solution is below:

    http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14397.html?sr=32641837
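
The kind of external script Rob's alertd approach needs, as an added example that is not from this thread or from F5: it wraps one matching ASM log line as an RFC 3164 syslog message and sends it over UDP to the SIEM, and the filter function only forwards lines matching a pattern, which addresses Darshan's "only the required logs" question. The alert name, the match pattern, the script path, the SIEM host and port, and the facility/severity choice are all assumptions; the alertd hook shown in the comment is the shape described in the linked solution and must be adapted to the exact message text seen in /var/log/asm.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Forwards selected ASM events
# to a remote SIEM as RFC 3164 syslog lines over UDP.
#
# Assumed alertd hook (hypothetical alert name and message pattern; replace the
# pattern with the exact text of the signature-update failure in /var/log/asm):
#
#   alert ASM_SIG_UPDATE_FAILED "Signature file update failed" {
#       exec command="/shared/scripts/send_to_siem.sh --send siem.example.net 514"
#   }

SIEM_FACILITY=20   # local4 (assumed; pick the facility your SIEM expects)
SIEM_SEVERITY=4    # warning
SIEM_TAG=asm_sig_update

# RFC 3164 PRI = facility * 8 + severity (local4/warning -> 164).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build one syslog line: <PRI>MMM DD HH:MM:SS host tag: message
build_syslog_msg() {
    printf '<%s>%s %s %s: %s' "$1" "$2" "$3" "$4" "$5"
}

# Read log lines on stdin and emit only those matching the pattern, already
# wrapped as syslog lines. Everything else in /var/log/asm stays local, so the
# SIEM only receives the signature-update events.
filter_lines() {
    pattern=$1; ts=$2; host=$3
    pri=$(syslog_pri "$SIEM_FACILITY" "$SIEM_SEVERITY")
    grep -- "$pattern" | while IFS= read -r line; do
        build_syslog_msg "$pri" "$ts" "$host" "$SIEM_TAG" "$line"
        printf '\n'
    done
}

# Send one line by UDP using bash's /dev/udp pseudo-device, which needs no
# extra tools such as nc; bash is available on BIG-IP.
send_udp() {
    bash -c 'printf "%s\n" "$3" > "/dev/udp/$1/$2"' _ "$1" "$2" "$3"
}

# When invoked by alertd: forward the most recent matching line of the ASM log.
if [ "${1:-}" = "--send" ]; then
    siem_host=$2; siem_port=$3
    ts=$(date '+%b %e %H:%M:%S')
    host=$(hostname)
    tail -n 50 /var/log/asm \
        | filter_lines 'Signature file update failed' "$ts" "$host" \
        | tail -n 1 \
        | while IFS= read -r line; do
            send_udp "$siem_host" "$siem_port" "$line"
        done
fi
```

The timestamp and hostname are passed into filter_lines as parameters rather than read inside it, so the formatting can be checked against a fixed value; at runtime the `--send` branch supplies the current time and the box's hostname. Because PRI is computed from facility and severity, the SIEM can route these events by facility without parsing the message body.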

  • Hey Rob,

    Thanks for the answer mate. I will give it a go and share my feedback if I find any success.

    Thanks, Darshan

  • Hello SDnath,

    What's up? Unfortunately I am failing to recall the resolution of this thread. The customer raised this requirement quite some time back. However, while tracing the same case I could see that I had suggested the customer follow the below, but thereafter the customer never got back to me.

    Navigate to System > Logs > Configuration > Option > Application Security Logging, which should be set to Informational.

    After this recommendation, the customer didn't confirm whether that worked or not. I hope this helps.

    Regards, Darshan