
The_Engima_Code
May 18, 2015

McAfee SIEM and ASM

Hi,

I am trying to integrate McAfee SIEM and F5 ASM running 11.2.1. It appears to me that McAfee is not parsing the logs correctly. I have already raised a case with McAfee and they have come back that the issue is due to using ';' as a delimiter instead of '|'.

Unfortunately, the ASMs are managed by the customer's third party, who are interesting to deal with. (The joy of working in a multi-vendor environment.)

Below is a snippet of the logs. Could you please confirm whether this is the correct log format?

<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.X.X.X;DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nConnection: keep-alive\r\nCookie: systemonline=rd1894o00000000000000000000ffff0ae82510o8081; TS23170d=b7a4548f02236bf5190c7a96708fe5af43b1ac33e4d3adb955595077a59b3514f8bf1008; TS553073=b9c1bdd560eba8c7c65346b59981217b361524825b09819e55595073a59b3514f8bf1008fd3b4071173028d4; __utma=18589601.539768155.1431916378.1431916378.1431916378.1; __utmb=18589601.6.10.1431916378; __utmc=18589601; __utmt=1; __utmz=18589601.1431916378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18\r\nAccept-Language: ja-jp\r\nReferer: https://xyz.com/system\r\nAccept-Encoding: gzip, deflate\r\nX-Forwarded-For: 1.2.3.4\r\nX-Forwarded-For: 1

 

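As an added example (not part of the original post, and not F5 or McAfee code): a parser for the `KEY=value;` layout in the log line above. A plain split on ';' also cuts inside the HEADERS value, which carries ';' in the Accept and Cookie headers, so this splits only where ';' is followed by a known field name. The field list and the shortened sample line are assumptions based on the posted snippet.

```python
import re

# Field names seen in the post's log line; an assumption, extend to match
# the logging profile actually configured on the ASM.
KNOWN_KEYS = ("ID", "TYPE", "DATE", "DEST_IP", "DEST_PORT", "GEO", "HEADERS")
PREFIX = re.compile(r"^<(\d+)>(\w{3} +\d+ [\d:]{8}) (\S+) ASM:")
KEY = re.compile(r"(?:^|;)(%s)=" % "|".join(KNOWN_KEYS))

# Constructed sample: shortened from the post's line, values are made up.
SAMPLE = (
    "<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;"
    "TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.0.0.1;"
    "DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\\r\\n"
    "Accept: text/html,application/xml;q=0.9\\r\\n"
    "Cookie: a=1; __utmz=1.utmcsr=(direct)|utmccn=(direct)\\r\\n"
    "X-Forwarded-For: 1.2.3.4\\r\\nX-Forwarded-For: 5.6.7.8"
)

def parse_asm(line):
    """Split an ASM 'KEY=value;KEY=value' syslog line into a dict."""
    m = PREFIX.match(line)
    if not m:
        raise ValueError("not an ASM syslog line")
    pri = int(m.group(1))  # syslog PRI = facility * 8 + severity
    event = {"facility": pri // 8, "severity": pri % 8, "host": m.group(3)}
    body = line[m.end():]
    # Field boundaries are ';' followed by a known key. The first occurrence
    # of a key wins, so a key name that reappears inside the request headers
    # stays header text instead of overwriting an earlier field.
    marks, seen = [], set()
    for k in KEY.finditer(body):
        if k.group(1) not in seen:
            seen.add(k.group(1))
            marks.append(k)
    for i, k in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        event[k.group(1)] = body[k.end():end]
    return event

def split_headers(value):
    """Return (name, value) pairs; a list keeps repeated headers."""
    pairs = []
    for raw in value.split("\\r\\n"):  # the log carries a literal backslash-r-backslash-n
        name, sep, val = raw.partition(": ")
        if sep:
            pairs.append((name, val))
    return pairs

if __name__ == "__main__":
    ev = parse_asm(SAMPLE)
    print(ev["TYPE"], ev["DEST_PORT"], split_headers(ev["HEADERS"]))
```
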