OM
Dec 09, 2015

Splunk attack signature ID

hi,


When Splunk receives the ASM logs, the signature of the attack is missing. I also checked the ASM logs (/var/log/asm), same result. These logs are called local-syslog. However, the database logs of the ASM have all the attack signature details. These logs are called local-db.


I am trying to figure out how the ASM database logs (local-db) are converted to syslogs (local-syslog), and why some details are missing in the syslogs.


thanks.


O.


2 Replies

  • I do not believe ASM will log (or can even be configured to log) all the violation/attack signature details to /var/log/asm. If there is an option to enable this, I have never seen it. You could open a case with F5 support to see if it's possible. However, logging detailed violation information with syslog is not a good idea: too much performance overhead. Beginning with v11.6.0, ASM does not log any security violation events [SECEV] to /var/log/asm by default, and that is the recommended best practice. See SOL16053.


    This is best handled by creating a remote logging profile in the ASM config: Security > Event Logs > Logging Profiles. Send illegal requests to your Splunk server.


  • Create a logging profile to direct them to your syslog server (e.g. Splunk).
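Once a remote logging profile is sending illegal requests to Splunk, as the replies above recommend, the practical follow-up is to confirm that the signature details the original poster was missing in /var/log/asm actually arrive on the collector. The script below is an added example for this thread, not F5's code or anything posted by the participants. It assumes the key="value" line layout that an ASM remote logging profile produces for a Splunk destination, and the field names it checks (`violations`, `sig_ids`, `sig_names`, `attack_type`) are assumptions about that layout; the sample events are constructed, not captured from a real system.

```python
"""Audit ASM remote-log events for missing attack-signature detail.

Added example for the discussion above; not F5's code. Assumes the
Splunk-style key="value" layout emitted by an ASM remote logging profile.
Field names (violations, sig_ids, sig_names, attack_type) are assumptions.
"""
import re
from typing import Dict, List

# One key="value" pair; values may contain backslash-escaped quotes.
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Fields a defender expects whenever a signature-based violation is logged.
SIGNATURE_FIELDS = ("sig_ids", "sig_names")

# Constructed sample events (not captured from a real device).
SAMPLE_EVENTS = [
    # Signature violation with full detail: this is what Splunk should receive.
    'Sep 10 12:00:01 asm1 ASM:unit_hostname="asm1",policy_name="web_policy",'
    'ip_client="192.0.2.10",request_status="blocked",violations="Attack signature detected",'
    'attack_type="Cross Site Scripting (XSS)",sig_ids="200000098",'
    'sig_names="XSS script tag (Parameter)",uri="/search",method="GET"',
    # Signature violation whose sig_ids/sig_names are absent: the gap the poster saw.
    'Sep 10 12:00:02 asm1 ASM:unit_hostname="asm1",policy_name="web_policy",'
    'ip_client="192.0.2.11",request_status="alerted",violations="Attack signature detected",'
    'attack_type="SQL-Injection",uri="/login",method="POST"',
    # Non-signature violation: legitimately carries no signature fields.
    'Sep 10 12:00:03 asm1 ASM:unit_hostname="asm1",policy_name="web_policy",'
    'ip_client="192.0.2.12",request_status="blocked",violations="Illegal file type",'
    'uri="/backup.bak",method="GET"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one remote-log line into a dict of its key="value" fields."""
    return {k: v.replace('\\"', '"') for k, v in _KV_RE.findall(line)}


def missing_signature_detail(event: Dict[str, str]) -> bool:
    """True when a signature violation is reported without sig_ids/sig_names.

    Only events whose violations field mentions 'Attack signature' are expected
    to carry signature fields; other violation types are not flagged.
    """
    if "Attack signature" not in event.get("violations", ""):
        return False
    return any(not event.get(field) for field in SIGNATURE_FIELDS)


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should carry signature detail but do not."""
    return [ev for ev in map(parse_event, lines) if missing_signature_detail(ev)]


if __name__ == "__main__":
    for ev in audit(SAMPLE_EVENTS):
        print(f"signature detail missing: client={ev.get('ip_client')} "
              f"uri={ev.get('uri')} attack_type={ev.get('attack_type')}")
```

Run it against lines exported from the Splunk index (or tailed from the syslog receiver) in place of `SAMPLE_EVENTS`; any event it reports indicates the logging profile is not forwarding the signature fields, which is the same symptom the original poster observed in the local syslog.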