Forum Discussion
Troubleshooting F5 WAF Log Shipping to Microsoft Sentinel SIEM: Issues Isolating ASM Logs
We have an issue with shipping logs from F5 WAF to Microsoft Sentinel SIEM. The issue is peculiar.
We do not want to ship either F5Telemetry_system_CL logs or F5Telemetry_LTM_CL logs, only F5Telemetry_ASM_CL logs.
We have simplified the command to the most basic one, at first it was working and we managed to ship LTM and ASM logs but when we tried to granulate for just LTM Logs, nothing is being sent.
I will include the commands we used at the bottom. Any help would be appreciated, as well as some guidance differentiating between ASM and LTM logs.
Command working for LTM and ASM not system logs
curl -ku <username>:<password> -H 'Content-Type: application/json' https://192.0.0.0/mgmt/shared/telemetry/declare --data-raw \
'{
"class": "Telemetry",
"My_Listener": {
"class": "Telemetry_Listener",
"port": 6514
}
"Pull_Consumer": {
"class": "Telemetry_Pull_Consumer",
"type": "default",
"systemPoller": ["Poller"]
},
"My_Consumer": {
"class": "Telemetry_Consumer",
"type": "Azure_Log_Analytics",
"workspaceId": "secret",
"passphrase": {
"cipherText": "secret"
},
}
}'
New command was successful, but nothing is being sent
curl -ku <username>:<password> -H 'Content-Type: application/json' https://192.0.0.0/mgmt/shared/telemetry/declare --data-raw \
' {
"class": "Telemetry",
"controls": {
"class": "Controls",
"logLevel": "info",
"debug": false
},
"My_Consumer": {
"class": "Telemetry_Consumer",
"type": "Azure_Log_Analytics",
"workspaceId": secret",
"passphrase": {
"cipherText": "secret"
}
}
}
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com