Forum Discussion
F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)
Recently I had a request from the Security team asking for an email to be sent from the F5 BIG-IP when it installs a live update, such as ASM signature updates, via the automatic schedule. Upon looking at the KBs, this doesn't seem to be a natively embedded function for now.
So my idea is to trace the system log for signature updates and generate an SNMP message to trigger an email notification.
Most syslogs and update logs can be found in the /var/log/ directory, whereas some event-based logs such as signature updates are located in a different place.
https://support.f5.com/csp/article/K82512024
The system live update info is located in /var/log/tomcat/liveupdate.log.
So the thinking is: once the system generates a log entry after the signature update, you can grab the log info, use a unique keyword to identify completion of the update, and tie that keyword to a customised OID to trigger an SNMP trap for system notification.
Once you have scheduled or completed an installation, you should be able to see a log entry with the following info:
cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount
XXXX…
{"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599}
The word modifiedEntitiesCount seems to be populated only upon completion of a signature update installation, so we can use the log keyword modifiedEntitiesCount to customise a system OID associated with email alerts.
https://support.f5.com/csp/article/K3727
Add something like the following to /config/user_alert.conf:
alert ASM_update_STATUS " modifiedEntitiesCount(.*)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.xxx"
}
and create an email alert for the SNMP trap (each alert definition needs its own match string, so the keyword is repeated here):
https://support.f5.com/csp/article/K3667
alert BIGIP_SIG_UPDATE_COMPLETE " modifiedEntitiesCount(.*)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.XXX";
email toaddress="demo@askf5.com"
fromaddress="root"
body="The Signature has been updated!"
}
This trick could also apply to any event-based notification you'd like to send using a keyword from log files.
https://support.f5.com/csp/article/K16197
If you would like to get a feed from BIG-IP notifications instead of using your log server to filter tailored events, I hope this could be helpful.
Any comments for improvement or correction would be highly appreciated.
- Spike_Li (Employee)
Updates:
A better tracking mechanism is to use the /var/log/asm log file. It generates a log entry including the keywords "Signatures update successfully" upon system update completion, so it's easier to trace and consumes fewer resources compared to reading the tomcat log file.
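The alertd email body above is a fixed string; the liveupdate.log record is the only place that carries which signatures actually changed. The following is an added example (not F5's code and not from the post) that turns one completion record into a notification body listing the modified signatures. It assumes the record is a JSON object, optionally preceded by a log prefix, carrying the modifiedEntitiesCount key shown above plus a list of entities with "name" fields; the key that holds that list is not visible in the post, so the code scans every list in the record instead of assuming its name.

```python
import json

# Constructed sample with two signature entries, shaped like the grep output in the
# post; the list key "modifiedEntities" is an assumption made for this sample only.
SAMPLE_LINE = (
    '{"modifiedEntities":['
    '{"link":"https://localhost/mgmt/tm/asm/signatures/AAAA","name":"btoa() (URI)"},'
    '{"link":"https://localhost/mgmt/tm/asm/signatures/BBBB",'
    '"name":"SQL-INJ \\"UNION SELECT\\" (3) (URI)"}'
    '],"modifiedEntitiesCount":2}'
)

def parse_update_record(line):
    """Return the JSON object embedded in a log line (a log prefix before the
    first '{' is tolerated), or None if it is not a completion record."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        record, _ = json.JSONDecoder().raw_decode(line[start:])
    except ValueError:
        return None
    if not isinstance(record, dict) or "modifiedEntitiesCount" not in record:
        return None
    return record

def signature_names(record):
    """Collect the "name" of every object in any list-valued field, so the key
    that holds the entity list does not need to be known in advance."""
    names = []
    for value in record.values():
        if isinstance(value, list):
            names.extend(e["name"] for e in value if isinstance(e, dict) and "name" in e)
    return names

def build_notification(line, max_names=20):
    """Email text for one log line; None when the line is not a completion record."""
    record = parse_update_record(line)
    if record is None:
        return None
    names = signature_names(record)
    body = ["ASM signature update completed on BIG-IP.",
            "Modified entities reported: %d" % record["modifiedEntitiesCount"]]
    body += ["  - " + n for n in names[:max_names]]
    if len(names) > max_names:
        body.append("  ... and %d more" % (len(names) - max_names))
    return {"count": record["modifiedEntitiesCount"], "names": names, "body": "\n".join(body)}

if __name__ == "__main__":
    print(build_notification(SAMPLE_LINE)["body"])
```

Running it against the real file would mean feeding each grep match for modifiedEntitiesCount through build_notification and handing the body to whatever mail path you already use.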