
jban_198207
Jun 10, 2016

DoS doesn't send Syslog to Remote High-Speed Logging server

Hello,

 

Does anyone have issues with the Remote High-Speed Logging server and L4 DoS Syslog?

Under Security > Event Logs > Logging Profiles I have created RemoteLog. There I enabled DoS Protection, and I enabled Network Firewall & DoS Protection with the Local & Remote Publisher enabled. Application Security uses Remote Storage > this works.

For the Remote Publisher I created a pool (same port & same server as for Application Security) and attached it (tried with both ArcSight & Splunk) to a Remote destination where I chose the pool server. Using tcpdump I only see Application Security events but don't see the DoS started Syslog message (in the Web UI I see DoS started, and I also get the SNMP alarm). I also don't get Network Firewall events like reject, accept (I put this in for testing), …. Does anyone have the same issue?

2 Replies

  • Tikka_Nagi_1315
    Historic F5 Account

    What version of AFM are you using? Do you see DoS started/stopped messages in /var/log/ltm?

  • Hi,

     

    Yes, in /var/log/ltm I have: Jun 16 13:24:48 hostname err tmm[22308]: 01010252:3: A NETWORK /PARTITION/VSERVER_POLICY DOS attack start was detected for vector TCP SYN flood, Attack ID 1869164187.

    Version: 12.1.0 0.0.1434

     

    The SNMP trap is also sent, but not Syslog.

    Also, this new version does not write Brute Force detection under Events.

    All this with Syslog, SNMP Traps, Event logging is a bit ...