Forum Discussion
Syslog to McAfee SIEM
Anyone integrate LTM and APM logging with a McAfee SIEM receiver (or any syslog receiver for that matter)? I am configuring it now and have the remote logging server configured in my log settings on the device. I want to make sure I am receiving logs from all my VSs in LTM and all my access policies in APM. The only log setting I see within APM for each access policy is to slide over the default-log-setting in each. Where is this log setting configured? Can I create others? Or should I just be good by using this profile in each access profile and have all logs generated from APM and LTM sent over syslog to my receiver?
Thanks all
- SDnath_82757 (Nimbostratus)
Even I am trying to integrate. Currently we see the log in McAfee ESM as unknown. McAfee says there is no issue at their end. If you have successfully integrated, please share some pointers.
- Greg_130338 (Nimbostratus)
The ERC has device types for LTM, APM and ASM, but all the rules apply to each one. So I just added my BIG-IP internal IP address as a data source, enabled logging on LTM in system config and moved the default logging profile over from available on each APM policy. That seemed to capture and parse everything. What are your versions of BIG-IP and ESM?
- Greg_130338 (Nimbostratus)
Sorry, I meant I just added the BIG-IP internal IP as F5 LTM and it encompassed all the LTM, APM and ASM parsers.
- SDnath_82757 (Nimbostratus)
Was it the SIEM's default F5 parsing rules that were able to get the logs parsed? Were all types of logs visible to the McAfee SIEM?
- SDnath_82757 (Nimbostratus)
The ESM version is 9.5.0 with MR2
- SDnath_82757 (Nimbostratus)
We have multiple LTM devices with different versions, but currently the first one I am trying to integrate is on 11.4.1.
- Greg_130338 (Nimbostratus)
Sorry for getting back to you so late. We are running ESM 9.5.0 MR4 and BIG-IP 11.5.2. Do you have any BIG-IPs on that version? I would try that first to rule out version issues if you can. I read something previously about needing iRules to convert F5 syslog into some sort of format that the ERC could understand and parse, but I need to dig around again to see. To answer your previous question, I am able to parse LTM, APM, and ASM logs currently without any custom iRule or ESM/RC config.
- Greg_130338 (Nimbostratus)
And actually, now that we're collecting more logs, it appears I do have a lot of unknown events as well. Not sure if that's expected, or if you are still getting ALL unknown events and nothing parsed?
- SDnath_82757 (Nimbostratus)
I could finally implement it successfully. I had put a filter in syslog which allows me more selective output.
The McAfee SIEM parser had to be tweaked a bit to make it all work, but the best part is
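The two problems raised in this thread, events landing in the SIEM as "unknown" and wanting a more selective syslog feed, both come down to how the receiver parses what BIG-IP sends. The classifier below is an added example (not code from the thread, from F5 or from McAfee) that parses syslog lines of the shape BIG-IP emits by default (`<PRI>timestamp host level process[pid]: code:severity: text`, with ASM events as `ASM:key="value",...`), tags each line with the module it came from, and reports the leftovers that a parser would show as unknown. The sample lines are constructed, and the mapping from the leading digits of a BIG-IP message code to a module (`0149` for APM, `0107` for LTM/mcpd) is an assumption to extend from your own logs, not a complete table.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real device) in the shape a
# BIG-IP sends to a remote syslog receiver: <PRI>timestamp host level process[pid]: body
SAMPLE_LINES = [
    '<134>Jan 12 10:00:01 bigip1 notice tmm[1234]: 01490500:5: /Common/vpn_ap:Common:a1b2c3d4: New session from client IP 192.0.2.10 at VIP 198.51.100.5 Listener /Common/vpn_vs',
    '<133>Jan 12 10:00:02 bigip1 notice mcpd[5678]: 01070638:5: Pool /Common/web_pool member /Common/10.0.0.11:80 monitor status down.',
    '<134>Jan 12 10:00:03 bigip1 info ASM:unit_hostname="bigip1",policy_name="/Common/web_policy",request_status="blocked",ip_client="192.0.2.20",severity="Critical"',
    '<133>Jan 12 10:00:04 bigip1 notice sshd[910]: pam_unix(sshd:session): session opened for user admin',
    'this is not a syslog line at all',
]

# Standard syslog facility/severity tables (PRI = facility * 8 + severity)
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'security', 'console',
              'solaris-cron'] + ['local%d' % i for i in range(8)]
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# Assumed mapping from the first four hex digits of a BIG-IP message code to the
# emitting module; extend it with codes your SIEM reports as unknown.
CODE_PREFIX_MODULE = {'0149': 'APM', '0107': 'LTM'}

SYSLOG_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
                       r'(?P<host>\S+) (?P<level>\w+) (?P<rest>.*)$')
PROC_RE = re.compile(r'^(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
CODE_RE = re.compile(r'^(?P<code>[0-9A-Fa-f]{8}):(?P<sev>\d): (?P<text>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def classify(line):
    """Parse one syslog line and tag it with the BIG-IP module it came from."""
    rec = {'raw': line, 'module': 'unparsed', 'code': None, 'process': None, 'fields': {}}
    m = SYSLOG_RE.match(line)
    if not m:
        return rec                       # not even a syslog line; keep it visible
    pri = int(m.group('pri'))
    facility = FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else 'unknown'
    rec.update(host=m.group('host'), level=m.group('level'),
               facility=facility, severity=SEVERITIES[pri % 8])
    rest = m.group('rest')
    if rest.startswith('ASM:'):
        rec['module'] = 'ASM'            # ASM events are key="value" pairs, no message code
        rec['fields'] = dict(KV_RE.findall(rest[4:]))
        return rec
    p = PROC_RE.match(rest)
    if not p:
        rec['module'] = 'unknown'
        return rec
    rec['process'] = p.group('proc')
    c = CODE_RE.match(p.group('msg'))
    if not c:
        rec['module'] = 'unknown'        # plain OS message (sshd, cron, ...) without a BIG-IP code
        rec['text'] = p.group('msg')
        return rec
    rec['code'] = c.group('code')
    rec['text'] = c.group('text')
    rec['module'] = CODE_PREFIX_MODULE.get(c.group('code')[:4], 'other')
    return rec


def summarize(lines):
    """Count lines per module; a large unknown/unparsed bucket means parser work is needed."""
    return Counter(classify(l)['module'] for l in lines)


def select(lines, modules):
    """Keep only lines from the given modules, the selective forwarding a syslog filter gives you."""
    return [l for l in lines if classify(l)['module'] in modules]


def unmatched(lines):
    """Return the lines the classifier could not attribute, to feed back into parser tuning."""
    return [l for l in lines if classify(l)['module'] in ('unknown', 'unparsed')]


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        r = classify(line)
        print(r['module'], r.get('code'), r.get('facility'), r.get('severity'))
    print(summarize(SAMPLE_LINES))
```

Running `summarize()` over a day of forwarded logs tells you whether the "unknown" bucket is made up of OS-level noise (sshd, cron) that a syslog filter should drop before forwarding, or of BIG-IP-coded messages whose prefix the parser does not yet know; `unmatched()` hands you exactly the lines to look at in either case.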
- Andy (Nimbostratus)
Can you let me know what you have filtered, and any dashboard views at all?