Forum Discussion

Mark_Wallis_833's avatar
Mark_Wallis_833
Icon for Nimbostratus rankNimbostratus
Jun 06, 2015

v11.5.3, ASM and Splunk

Hi everyone,

 

Has anyone managed to get the remote logging profile on v11.5.3 working with the Splunk for F5 Security app ? The transformers don't seem to match the data and I can't seem to force the sourcetype correctly when I have a mixture of syslog data coming out of the same source.

 

M.

 

ASM Advanced WAF
management
security
splunk

3 Replies

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jun 15, 2015

    it seems to behave relatively well with 11.6 for me when i just tested it. Top Attackers shows the data i expected. what is failing for you?

     

    the second issue seems more a splunk one then BIG-IP i believe, perhaps you could do something with different ports?

     

  • Mark_Wallis_833's avatar
    Mark_Wallis_833
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2015

    Hi.

     

    I think the latter problem is causing the former in my case. Can you confirm what 'sourcetype' is being applied to your ASM events for me ? I'll see if I can force it and make everything happier

     

    Thanks Mark