No Event logs for particular policy

Question

Hi,&nbsp;
We are facing a strange issue where for one particular ASM policy, we are not getting any Event logs or there are no alerts in Manual traffic learning. However, all the logs from ASM are pushed to Arcsight. &nbsp;
We have dedicated Arcsight team, who are raising alerts saying from "x.x.x.x" source ip we are seeing SQLi, path traversal, xss attack and so on. When we navigate to event logs to filter the illegal request from "x.x.x.x", we are not seeing any events / alerts. We checked the manual traffic learning also, nothing is populated there also. Kindly some one give any pointers on how to solve this issue? Let us know if anything else is needed. &nbsp;
PS:The ASM policy is currently in Transparent mode and the response code for the above mentioned attack are 404. &nbsp;
Best,
Raghav&nbsp;

boneyard · Answer

could be several things.&nbsp;
are you logging locally on the big-ip at all?&nbsp;
the arcsight team could be reporting a different IP then logged in the ASM logs, do they or you use x-forwarded-for headers?&nbsp;

Forum Discussion

No Event logs for particular policy

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Leveraging Ansible Rulebooks for Streamlined Event Triggers: Advantages and Benefits

Log separation by event

Access policy, LTM policy and iRules

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 2 - Policy Import)

asmevents tool to retrieve events from an ASM device

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS