Dear All, I need to send ASM event log into syslog server. I already make event log profiles for ASM (Security > Event Logs > Logging Profiles), and associate it to virtual server. But the syslog server didn't receive any log from ASM. My question is: Is there any more configuration or any pre-requisite configuration that I need to do other than only making event log profiles and associate this profile into VS?If we want to send log into syslog server, what IP did we use? Management IP or self-IP? Thanks before for your help. Ahmad

For additional information, I can reach this syslog server from my management IP, and I already try to restart syslog-ng services. Thanks, Ahmad

The syslog configuration typically takes management IP address if you havent mention any other address in the source IP details in the remote syslog server configuration. Also please make sure that you have enabled appropriate logging level for the ASM ( System ›› Logs ›› Configuration ›› Options) regards, Jinshu

Jinshu, Yes I also had enable ASM minimum logging level into "Information". So the configuration on F5 side is enough right? For information, the syslog server is Allienvault Syslog. Maybe there were anybody ever do remote logging to alienvault too. Thanks, Ahmad

Hello Ahmad, I am not sure abot the Alienvault configuration side but for F5 there is no specefic configuration for any vendor SIEM. Please go through the below link and make sure that you have done everything as needed to log remotely. I assume your version 11.6.0. https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/13.htmlconceptid Regards, Jinshu

Yap, I already done with the "Setting up remote logging" and "Associating a logging profile with a security policy", but it still not working. I'll ask the allienvault engineer to recheck their configuration. Thanks Jinshu

Remote Syslog for ASM

13 Replies

Jinshu
Cirrus
Sep 17, 2015
Hello Mate,

Create a logging profile in ASM event logging.

Follow below procedure:

Go to Security ›› Event Logs ›› Logging Profiles
Create a logging profile, select Application Security
Select Remote Storage in the configuration section
Select protocol UDP (if you are using Syslog) and Add Syslog server Ip address and port number (default port number is 514)
Storage format select appropriate or All
Select request type according to the requirement.
Finish.

That’s it. You will start getting the syslog for ASM module. It is not mandatory to have it enabled in the settings page. You can remove that remote logging configuration in the settings page , if you don’t need the ltm audit logs.

Sample log: Sep 17 09:40:07 Sep 17 09:40:11 hostname ASM:"Information Leakage","2015-09-17 09:40:10","10.x.x.x","80","N/A","/Perf_Test/test_vs","N/A",

Hope this helps.

-Jinshu
mrshaggy_169440
Nimbostratus
Sep 19, 2015
Hi All,

It's already solve. Your're right Boneyard, I still need to add a management route so my ASM will send their log into syslog server. Previously I think that the default interface that was used to send log into syslog server was management interface, but actually it was wrong.

The default interface is still the self-IP. It means that the first priority of routing table that was used for accessing the remote server is TMM routing table. Because I have a default route on my TMM, and this default route has no routing into the syslog server, so my ASM will not send the log into the syslog server. What I do then is adding one specific routing with destination to syslog server on the BIG-IP managemet routing table, and perfect, ASM start to send the log into the syslog server.

Thanks a lot everybody. Really appreciate it.

Ahmad :)
- boneyard
  MVP
  Sep 20, 2015
  great to hear, please flag the question as answered if you feel that is the case.