Forum Discussion
Send Access Policy traffic to Syslog
I have configured my VE APM to send HSL syslog to a remote SIEM server. However, other than admin access to the F5 itself, there doesn't seem to be any of the Access Policy logging that is sent to the remote box. Are there suggestions, or other options? Currently we generate an email when users log in to their SSL VPN, but this just means that admins' email accounts get filled with emails.
Thanks!
5 Replies
- Amit_Karnik
Nimbostratus
You can add a custom log event via VPE to send logging to SIEM, but that is based on updating the logging profile.
Or if you really need it, you can raise an iRule event and do an HSL.
Best
- RyanDM2_175490
Nimbostratus
Thanks for the reply... I have tried the iRule method, based on other examples I've seen on DevCentral, but I can't say that I really know what I'm doing.
The other method... do you have a KB link for how to do that?
Thanks,
- RyanDM2_175490
Nimbostratus
In fact, in following this: https://support.f5.com/kb/en-us/solutions/public/5000/500/sol5527.html What I get using my test account is the following from a tcpdump of syslog messages: "Syslog message: LOCAL7.INFO..etc...LOGOF:success r.m.ilt9:ssid ....etc" where it shows only the logof value.
- RyanDM2_175490
Nimbostratus
This seems to be the way to do it, where you ensure all logging is sent to a remote resource: https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html
This way, all syslog messages are sent:
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13317.html
- RyanDM2_175490
Nimbostratus
The best answer, where I was able to see in the tcpdump the APM policies being sent, is found here: https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html