Forum Discussion
Remote log WAF based on number of violations
Hi All,
At a customer I have configured a WAF to protect their web applications. I also configured a Logging Profile to send the logging to a remote server. This works fine.
But the customer would like to have some control over what is being sent to the remote server and when.
So the log of a violation that only occurs once (within a certain time frame) does not need to go to the remote log server.
But an (identical) violation that occurs several times and has a high security violation needs to be sent to the remote server.
I know I can configure a filter to include or exclude what is being sent to the remote server. But can the F5 WAF send logs to a remote server based on number of events within a time frame?
Hope you can help or point me to some useful links or documents.
Regards,
Martijn
You may be able to use iRules with tables for this: https://clouddocs.f5.com/api/irules/table.html. For custom items not supported by the F5 BIG-IP, you can update a table within the iRule event for a WAF: https://clouddocs.f5.com/api/irules/ASM_REQUEST_VIOLATION.html. If the table reaches a custom threshold amount, have the iRule send an HSL (high speed logging) syslog type of event with custom messaging. This may take some development time and testing, but certainly would be doable... suggest using a test virtual server!
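A sketch of the table-plus-HSL approach suggested in the reply above, added here as an example and not part of the original thread. The pool name `syslog_hsl_pool`, the subtable name `asm_viol_count`, the `static::` settings, the severity strings, and the choice to key on source IP plus violation names are all assumptions to adapt and test.

```tcl
# Added example, not from the thread. Hypothetical names: pool "syslog_hsl_pool",
# subtable "asm_viol_count", and every static:: setting below.
when RULE_INIT {
    set static::viol_window 60       ;# counting window in seconds (assumed)
    set static::viol_threshold 5     ;# hits inside the window before forwarding (assumed)
    # Severity strings to count: an assumption, log the raw value first to confirm
    set static::viol_severities {Critical Error}
}

when CLIENT_ACCEPTED {
    # One HSL handle per client connection, pointing at the remote syslog pool
    set hsl [HSL::open -proto UDP -pool syslog_hsl_pool]
}

when ASM_REQUEST_VIOLATION {
    # ASM::violation_data is a list: 0 violation, 1 support_id,
    # 2 web_application, 3 severity, 4 source_ip, 5 attack_type, 6 request_status
    set data [ASM::violation_data]
    set violation  [lindex $data 0]
    set support_id [lindex $data 1]
    set severity   [lindex $data 3]
    set src_ip     [lindex $data 4]

    # Ignore severities the customer does not want counted
    if { [lsearch -exact $static::viol_severities $severity] == -1 } { return }

    # "Identical" is taken here to mean same source IP and same violation names
    set key "$src_ip|$violation"
    set count [table incr -subtable asm_viol_count $key]
    if { $count == 1 } {
        # First hit: fix the entry's lifetime so the window does not slide
        table timeout  -subtable asm_viol_count $key $static::viol_window
        table lifetime -subtable asm_viol_count $key $static::viol_window
    }

    # Forward one event when the threshold is reached; use >= to forward every repeat
    if { $count == $static::viol_threshold } {
        HSL::send $hsl "<134>asm_threshold violation=\"$violation\" severity=$severity src=$src_ip count=$count window=$static::viol_window support_id=$support_id"
    }
}
```

ASM iRule events must be enabled on the security policy for `ASM_REQUEST_VIOLATION` to fire. The iRule runs alongside the Logging Profile and does not suppress anything the profile itself sends to the remote server.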
- MvdGCirrus
Hi,
I have a follow-up question. Is there an option to send only High and Medium violations within WAF to the remote syslog servers and not send the Low violations? Or do I need to create an iRule and this is not a standard option within the F5 web GUI?
Regards,
Martijn.