For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OM's avatar
OM
Icon for Altocumulus rankAltocumulus
Dec 09, 2015

splunk attack signature id

hi,   when splunk receives the ASM logs, the signature of the attack is missing. I also checked the asm logs (/var/log/asm), same result. These logs are called local-syslog. However, the database ...
application delivery
ASM Advanced WAF
gsharri's avatar
gsharri
Icon for Altostratus rankAltostratus
Dec 09, 2015

I do not believe asm will log (or can even be configured to log) all the violation/attack signature details to /var/log/asm. If there is an option to enable this I have never seen it. You could open case with F5 support to see if it's possible. However, logging detailed violation information with syslog is not a good idea. Too much performance overhead. Beginning with v11.6.0 asm does not log any security violation events [SECEV] to /var/log/asm by default and that is the recommended best practice. See SOL16053.

 

This is best handled by creating remote logging profile in the ASM config: Security>Event Logs>Logging Profiles. Send illegal requests to your Splunk server.