Forum Discussion

Sep 15, 2023

configure custom log profile for F5 WAF

Dears,

I configured a custom log profile on F5 WAF to send the logs for the WAF policy to the SIEM solution, but I have an issue: still no logs appear on the SIEM solution. How can I solve this issue?

  • Hi Amr_Ali,

    I am sure you have created the remote logging profile correctly and assigned it to the virtual server.

    - You just need to check your routes back and forth.

    - Perform a traceroute from your BIG-IP self IP that sends traffic to the SIEM solution (use the ip route get utility in bash to get the VLAN and self IP address which should send logs to the SIEM).
    Ask network admins to open ICMP to be able to trace your packet to the SIEM.

    - Make sure that SIEM admins created a logging profile for BIG-IP to allow BIG-IP to send these logs to the SIEM collectors.

    - Make sure that port 514 UDP and TCP is opened across firewalls for your self IP/mgmt interface, whichever interface should send logs to the SIEM.

    I hope this helps you.
    These are the main points you need to check.

    • Amr_Ali

      Sure Mohamed, I checked the route and did a telnet on port 514 to check the connectivity, but there was still no log appearance on the SIEM solution.

      I just need to confirm that the issue is not from the F5 WAF side.

      • Hi Amr_Ali,

        try this (replace the IP with the IP of your SIEM solution):

        tcpdump -nni 0.0:nnnp host 192.168.100.100 and udp port 514

        If something goes from your BIG-IP to your SIEM, you will see it with the tcpdump. And you can confirm the issue is not on your side.

        KR
        Daniel

        btw. telnet is TCP, syslog is UDP. telnet is not a good test.
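A small UDP-level check in the spirit of Daniel's point that syslog to the SIEM travels over UDP/514, so a successful telnet (TCP) connect proves nothing about the log path. This is an added example, not code from the thread or from F5: the hostnames, the message text and the timestamp are constructed, and the message layout is a generic RFC 3164 line, not the actual BIG-IP ASM remote-logging format. The sender half can be pointed at a real collector; the self-test keeps everything on loopback so it runs offline.

```python
import re
import socket
from datetime import datetime

SYSLOG_UDP_PORT = 514                         # port the thread expects the SIEM to listen on
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
FIXED_TS = datetime(2023, 9, 15, 12, 0, 0)    # constructed; keeps the output deterministic


def build_syslog_message(facility, severity, hostname, app, text):
    """Build a generic RFC 3164 line: <PRI>TIMESTAMP HOST APP: TEXT, with PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    ts = FIXED_TS.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {text}".encode()


def parse_pri(datagram):
    """Collector-side sanity check: return (facility, severity, rest) for a valid PRI header, else None."""
    m = PRI_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                               # 23 facilities * 8 + severity 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8, m.group(2)


def send_udp_event(host, port, datagram):
    """Fire one datagram at the collector. UDP gives no ACK, so arrival can only be confirmed on the receiving side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_selftest():
    """Run collector and sender on 127.0.0.1 to prove the datagram format and the parser agree."""
    msg = build_syslog_message(16, 6, "bigip1", "waf-test", "constructed test event")   # local0.info
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))        # ephemeral port here; a real collector binds SYSLOG_UDP_PORT
        collector.settimeout(2.0)
        send_udp_event(*collector.getsockname(), msg)
        data, _ = collector.recvfrom(65535)
    return parse_pri(data)


if __name__ == "__main__":
    print(loopback_selftest())
```

On the BIG-IP side the same datagram would show up in Daniel's tcpdump filter; on the SIEM side a listener bound to 514 plus parse_pri tells you whether what arrived is parseable syslog at all.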