Forum Discussion
ar0
Nimbostratus
Nimbostratusbot defense -> IBM Qradar issue
Hey all, I have a problem with data sent from BIG-IP Bot Defense module to IBM Qradar. I checked it with tcpdump and it seems that some unnecessary characters are glued at the beginning of the pa...
ar0Nimbostratus
Nimbostratusthat's how it was made
sys log-config publisher pub-qrad-dos {
app-service none
description none
destinations {
dest-qrad-dos2 { }
}
sys log-config destination splunk dest-qrad-dos2 {
app-service none
description none
forward-to dest-qrad-dos
}
sys log-config destination remote-high-speed-log dest-qrad-dos {
app-service none
description none
distribution replicated
pool-name pool-log-qrad-dos
protocol udp
}
ltm pool pool-log-qrad-dos {
members {
qradar:514 {
address 10.111.111.100
session monitor-enabled
state up
}
}
monitor tcp
}
(logging profile)
ext-to-qradar
[api-status-warning] security/log/profile, properties : deprecated : application/local-storage
security log profile ext-to-qradar {
application {
ext-to-qradar {
filter {
request-type {
values { illegal-including-staged-signatures }
}
}
local-storage disabled
logger-type remote
maximum-entry-length 64k
remote-storage splunk
report-anomalies enabled
servers {
10.111.111.100:514 { }
}
}
}
bot-defense {
ext-to-qradar {
filter {
log-alarm enabled
log-block enabled
log-browser-verification-action enabled
log-captcha enabled
log-device-id-collection-request enabled
log-malicious-bot enabled
log-rate-limit enabled
log-suspicious-browser enabled
log-tcp-reset enabled
log-unknown enabled
log-untrusted-bot enabled
}
local-publisher local-db-publisher
remote-publisher pub-qrad-dos
}
}
dos-application {
ext-to-qradar {
local-publisher local-db-publisher
remote-publisher pub-qrad-dos
}
}
}
Simon_BlakelyEmployee
The Log Destination is of type "splunk", so I wonder whether the additional data may be splunk specific, but I am not familiar with Splunk logging.
Try capturing to a pcap, and take a look in Wireshark - it may provide an additional dissection information.
