Logging Dos Events

Question

HiI have a question about setting up alerts on DOS events.All the ASM logs are forwarded to a splunk server and i want to redirect (if possible) all dos events to splunk server.i tried to configure a log destination and a remote publisher (on the same destination as asm) to do that but it doesn't work, maybe beacause i've seen after this limitation : The BIG-IP Advanced Firewall Manager™ (AFM™) must be licensed and provisioned before you can configure DoS Protection event logging.Then i tried an irule (https://devcentral.f5.com/s/question/0D51T00006i7d7y/how-can-i-alert-on-an-asm-denial-of-service-event) but this one write an event for each request in ltm.log.What could be a solution to just to be notified in case of dos attack event ?Thanks pour your helpRegards

enes_afsin_al · Answer

Hi Pascal J,Can you try this iRule for send logs to splunk server?when IN_DOSL7_ATTACK {
    log &lt;splunkIP:port&gt; local0.info "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
}

pascal_j · Answer

Hi eaathanks for your help but it doesn't seem to work.I've tried tu use : the standard remote log config (that copy ltm.log)the asm logging profileno trace of events on either sideregards

Forum Discussion

Logging Dos Events

Recent Discussions

ppp TunnelStats: LCP_UNKNOWN_OPTIONS 1,LCP_PROTO_REJ 1,FSM_UNEXPECTED_DOWN 1,

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

F5 looses the token for the first call

feature request: container egress service

Related Content

AWAF - Do not log Geolocation violations from the Event Log

Log separation by event

Security event logs forwarding

iRule Event Order Flowchart

export ASM event logs in csv format

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS