
Forum Discussion

gutiu_220848
Sep 18, 2015

BIG-IP remote logging ASM problem

Hey, I'm playing around with the F5 BIG-IP VM v11.6. I want to analyze the attacks on my BIG-IP in Splunk. I built a test environment with Kali Linux and the LAB LAMP server. Everything works pretty well, but I have one problem: my BIG-IP doesn't send all of the logged items (like the attack signatures: signature names) although they are configured for remote logging.

My BIG-IP detects the attacks, including the signature names and signature IDs:

[screenshot]

This is my BIG-IP remote logging configuration, including sig_ids and sig_names:

[screenshot]

But the BIG-IP doesn't send all of the detected attack information to Splunk:

[screenshot]

I captured the traffic with Wireshark and saw the empty fields:

[screenshot]

I followed this manual: https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-10-event-logging.Uz3F5bEo7IV

Can anyone help me?


5 Replies

  • nathe

    gutiu, I'm sure I've had these fields populated before. Anyway, the Remote Storage type for Splunk should be "Reporting Server" - have you tried this? I can't be 100% certain it's the resolution, but at least it's what it should be configured as. Let me know how you get on with this.

    I think you can also increase the Maximum Entry Length too.

    Rgds

    N


  • I tried out both answers, but I didn't get any sig_ids or sig_names in Splunk =( I am pretty confused, because the BIG-IP sends a lot of stuff (like destination IPs ...) but not the attack signatures.


  • I found a way to get at least some signatures. The detected signatures were in "Staging". After I enforced them, I got the signatures in my remote logging (Splunk).

    Is this the right way to do that?


    • nathe
      I think you've hit on the issue here, as items, such as Attack Sigs, when in Staging are "legal" requests in the ASM logs. I suspect, based on this, it doesn't then log the signature itself, even if reported in the GUI.
  • Yes. The attack signature must be in enforce mode if your policy is configured as blocking. I was under the impression that your signatures were in enforce mode. You have solved the issue. Kudos!

    Please note, you need to manually move attack signatures to enforce mode after their readiness period, as it won't turn on automatically.

    -Jinshu
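As an added example (not code from this thread or from F5), here is a small Python check that makes the symptom in the original post and the staging explanation above visible in the log itself. It assumes the comma-separated key="value" layout with an "ASM:" prefix that the remote logging profile's default storage format emits; the field names (violations, sig_ids, sig_names, support_id, request_status, ...) are the profile's own, but the hostnames, addresses, support IDs and signature IDs/names in the sample lines are constructed for this example. It flags events that report an "Attack signature detected" violation but carry empty sig_ids/sig_names, which is what the thread traced to signatures still in staging, and lists the signature IDs that did arrive.

```python
import re

# Constructed sample lines in the comma-separated key="value" layout of the ASM
# remote logging profile's default storage format. Hostnames, addresses, support
# IDs and the signature IDs/names are made up for this example.
SAMPLE_LOG = """\
ASM:unit_hostname="bigip1.lab",policy_name="/Common/lamp_policy",violations="Attack signature detected",support_id="1234567890123456789",request_status="alarmed",ip_client="192.0.2.10",method="GET",sig_ids="",sig_names="",severity="Critical",attack_type="SQL-Injection",dest_ip="198.51.100.5",uri="/login.php"
ASM:unit_hostname="bigip1.lab",policy_name="/Common/lamp_policy",violations="Attack signature detected",support_id="1234567890123456790",request_status="blocked",ip_client="192.0.2.10",method="GET",sig_ids="200002145,200002147",sig_names="SQL-INJ expressions like or 1=1,SQL-INJ union select",severity="Critical",attack_type="SQL-Injection",dest_ip="198.51.100.5",uri="/login.php"
ASM:unit_hostname="bigip1.lab",policy_name="/Common/lamp_policy",violations="",support_id="1234567890123456791",request_status="passed",ip_client="192.0.2.11",method="GET",sig_ids="",sig_names="",severity="Informational",attack_type="",dest_ip="198.51.100.5",uri="/index.php"
not an ASM line at all
"""

# One field per match; keying off the quotes keeps commas inside a quoted
# value (several sig_ids or sig_names in one event) inside that value.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_asm_line(line):
    """Turn one ASM remote-logging line into a dict of field name -> value.
    Lines without the ASM: prefix are not events and return None."""
    line = line.strip()
    if not line.startswith("ASM:"):
        return None
    return dict(FIELD_RE.findall(line[len("ASM:"):]))


def split_list(value):
    """sig_ids/sig_names carry comma-separated lists; empty string -> []."""
    return [v for v in value.split(",") if v]


def signature_gaps(log_text):
    """Find events that report an attack-signature violation but carry no
    signature ID or name (the symptom in this thread). Each hit returns the
    support_id, so the request can be looked up in the ASM GUI and the
    matching signatures checked for staging vs. enforcement."""
    gaps = []
    for raw in log_text.splitlines():
        event = parse_asm_line(raw)
        if event is None:
            continue
        reports_signature = "Attack signature detected" in event.get("violations", "")
        ids = split_list(event.get("sig_ids", ""))
        names = split_list(event.get("sig_names", ""))
        if reports_signature and (not ids or not names):
            gaps.append({
                "support_id": event.get("support_id", ""),
                "request_status": event.get("request_status", ""),
                "ip_client": event.get("ip_client", ""),
                "uri": event.get("uri", ""),
                "attack_type": event.get("attack_type", ""),
            })
    return gaps


def enforced_signature_ids(log_text):
    """Signature IDs that did reach the remote log, i.e. events whose sig_ids
    field was populated (in the thread, the enforced signatures)."""
    seen = set()
    for raw in log_text.splitlines():
        event = parse_asm_line(raw)
        if event:
            seen.update(split_list(event.get("sig_ids", "")))
    return sorted(seen)


if __name__ == "__main__":
    for gap in signature_gaps(SAMPLE_LOG):
        print("signature violation with empty sig_ids/sig_names:", gap)
    print("signature IDs seen in the log:", enforced_signature_ids(SAMPLE_LOG))
```

Run against a Splunk export of the ASM events instead of SAMPLE_LOG, the first function gives the list of support IDs to check in the policy's signature staging view; an "Attack signature detected" event whose request_status is "alarmed" rather than "blocked" and whose signature fields are empty is the pattern the thread ended up attributing to staged signatures.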