F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

ar0's avatar
ar0
Icon for Nimbostratus rankNimbostratus
Jan 08, 2020

bot defense -> IBM Qradar issue

Hey all, I have a problem with data sent from BIG-IP Bot Defense module to IBM Qradar. I checked it with tcpdump and it seems that some unnecessary characters are glued at the beginning of the pa...
BIG-IP
bot defense
devops
qradar
security
ar0's avatar
ar0
Icon for Nimbostratus rankNimbostratus
Jan 21, 2020
that's how it was made
 
 
 
 
 
sys log-config publisher pub-qrad-dos {
 
  app-service none
 
  description none
 
  destinations {
 
    dest-qrad-dos2 { }
 
  }
 
 
 
sys log-config destination splunk dest-qrad-dos2 {
 
  app-service none
 
  description none
 
  forward-to dest-qrad-dos
 
}
 
 
 
sys log-config destination remote-high-speed-log dest-qrad-dos {
 
  app-service none
 
  description none
 
  distribution replicated
 
  pool-name pool-log-qrad-dos
 
  protocol udp
 
}
 
 
 
 
 
ltm pool pool-log-qrad-dos {
 
  members {
 
    qradar:514 {
 
      address 10.111.111.100
 
      session monitor-enabled
 
      state up
 
    }
 
  }
 
  monitor tcp
 
}
 
 
 
(logging profile)
 
 
 
ext-to-qradar
 
[api-status-warning] security/log/profile, properties : deprecated : application/local-storage
 
security log profile ext-to-qradar {
 
  application {
 
    ext-to-qradar {
 
      filter {
 
        request-type {
 
          values { illegal-including-staged-signatures }
 
        }
 
      }
 
      local-storage disabled
 
      logger-type remote
 
      maximum-entry-length 64k
 
      remote-storage splunk
 
      report-anomalies enabled
 
      servers {
 
        10.111.111.100:514 { }
 
      }
 
    }
 
  }
 
  bot-defense {
 
    ext-to-qradar {
 
      filter {
 
        log-alarm enabled
 
        log-block enabled
 
        log-browser-verification-action enabled
 
        log-captcha enabled
 
        log-device-id-collection-request enabled
 
        log-malicious-bot enabled
 
        log-rate-limit enabled
 
        log-suspicious-browser enabled
 
        log-tcp-reset enabled
 
        log-unknown enabled
 
        log-untrusted-bot enabled
 
 }
 
      local-publisher local-db-publisher
 
      remote-publisher pub-qrad-dos
 
    }
 
  }
 
  dos-application {
 
    ext-to-qradar {
 
      local-publisher local-db-publisher
 
      remote-publisher pub-qrad-dos
 
    }
 
  }
 
}
 
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Jan 21, 2020

The Log Destination is of type "splunk", so I wonder whether the additional data may be splunk specific, but I am not familiar with Splunk logging.

 

Try capturing to a pcap, and take a look in Wireshark - it may provide an additional dissection information.