dbaimakov
Jan 30, 2024

Troubleshooting F5 WAF Log Shipping to Microsoft Sentinel SIEM: Issues Isolating ASM Logs

We have an issue with shipping logs from F5 WAF to Microsoft Sentinel SIEM. The issue is peculiar.

We do not want to ship either F5Telemetry_system_CL logs or F5Telemetry_LTM_CL logs, only F5Telemetry_ASM_CL logs.

We have simplified the command to the most basic one. At first it was working and we managed to ship LTM and ASM logs, but when we tried to granulate for just LTM logs, nothing is being sent.

I will include the commands we used at the bottom. Any help would be appreciated, as well as some guidance on differentiating between ASM and LTM logs.

Command working for LTM and ASM, not system logs:

curl -ku <username>:<password> -H 'Content-Type: application/json' https://192.0.0.0/mgmt/shared/telemetry/declare --data-raw \
'{
   "class": "Telemetry",
   "My_Listener": {
       "class": "Telemetry_Listener",
       "port": 6514
   },
   "Pull_Consumer": {
       "class": "Telemetry_Pull_Consumer",
       "type": "default",
       "systemPoller": ["Poller"]
   },
   "My_Consumer": {
       "class": "Telemetry_Consumer",
       "type": "Azure_Log_Analytics",
       "workspaceId": "secret",
       "passphrase": {
           "cipherText": "secret"
       }
   }
}'

New command was successful, but nothing is being sent:

curl -ku <username>:<password> -H 'Content-Type: application/json' https://192.0.0.0/mgmt/shared/telemetry/declare --data-raw \
' {
    "class": "Telemetry",
    "controls": {
        "class": "Controls",
        "logLevel": "info",
        "debug": false
    },
    "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Azure_Log_Analytics",
        "workspaceId": "secret",
        "passphrase": {
            "cipherText": "secret"
        }
    }
}'

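A pre-flight check for declarations like the two above, as an added example that is not part of the original post or F5's own tooling. It relies on Telemetry Streaming receiving event logs such as ASM and LTM through a `Telemetry_Listener`; `lint_declaration` and the sample declarations are constructed for illustration, with placeholder secrets.

```python
import json

EVENT_SOURCE = "Telemetry_Listener"  # class that receives event logs (ASM, LTM, ...)
POLL_SOURCES = {"Telemetry_System", "Telemetry_System_Poller"}  # valid systemPoller targets

def lint_declaration(text):
    """Return a list of findings for a Telemetry Streaming declaration body."""
    try:
        decl = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(decl, dict):
        return ["top level of the declaration must be a JSON object"]
    findings = []
    objects = {k: v for k, v in decl.items() if isinstance(v, dict)}
    classes = {k: v.get("class") for k, v in objects.items()}
    if "Telemetry_Consumer" not in classes.values():
        findings.append("no Telemetry_Consumer: nothing is forwarded")
    if EVENT_SOURCE not in classes.values():
        findings.append("no Telemetry_Listener: event logs such as ASM and LTM are not received")
    for name, obj in objects.items():
        if obj.get("class") != "Telemetry_Pull_Consumer":
            continue
        refs = obj.get("systemPoller", [])
        for ref in ([refs] if isinstance(refs, str) else refs):
            # The referenced name must be an object in this same declaration.
            if classes.get(ref) not in POLL_SOURCES:
                findings.append(f"{name}: systemPoller '{ref}' is not defined in this declaration")
    return findings

# Constructed samples modelled on the declarations in the post (placeholder secrets).
_CONSUMER = ('"My_Consumer": {"class": "Telemetry_Consumer", "type": "Azure_Log_Analytics", '
             '"workspaceId": "placeholder", "passphrase": {"cipherText": "placeholder"}}')
_LISTENER = '"My_Listener": {"class": "Telemetry_Listener", "port": 6514}'
_PULL = ('"Pull_Consumer": {"class": "Telemetry_Pull_Consumer", "type": "default", '
         '"systemPoller": ["Poller"]}')
MISSING_COMMA = '{"class": "Telemetry",\n' + _LISTENER + '\n' + _PULL + ',\n' + _CONSUMER + '}'
UNDEFINED_POLLER = '{"class": "Telemetry",\n' + _LISTENER + ',\n' + _PULL + ',\n' + _CONSUMER + '}'
CONSUMER_ONLY = '{"class": "Telemetry",\n' + _CONSUMER + '}'
LISTENER_AND_CONSUMER = '{"class": "Telemetry",\n' + _LISTENER + ',\n' + _CONSUMER + '}'

if __name__ == "__main__":
    for label in ("MISSING_COMMA", "UNDEFINED_POLLER", "CONSUMER_ONLY", "LISTENER_AND_CONSUMER"):
        print(label, lint_declaration(globals()[label]) or "ok")
```

Running the check on the JSON body before posting it to `/mgmt/shared/telemetry/declare` separates syntax problems from a declaration that is accepted but has no event source.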