ID 741979 (DOS)
Hi guys,
I just wanted to update you about a new F5 bug ID, ID 741979 (just as a heads-up). We have issues in our infra, and I raised an RFE with F5 support to resolve it in new editions. ID 741979 was assigned to track this issue, and F5 will fix this problem in the future. ID 741979: Severity in remote log message doesn't match severity on GUI reporting page. If you have faced or observed it anywhere, you can follow the ID in future releases.
Adding some details of the submitted RFE. You can use it if it helps you in any infrastructure.
"In our environment, we have enabled DOS protections for device and applications (log profiles added to system and application DOS policies). Splunk is our remote log server, and we are creating a dashboard in it to analyze the DOS syslogs (use cases: checking the attack counts, most attacked application, severity and IP status (malicious)). But when we check, the severity of all syslogs that F5 shares with Splunk shows as “4”. We have compared the attack ID in F5 and Splunk (in F5 it shows “2”, in Splunk it's “4”).
Requested feature: If F5 considers traffic to be a DOS attack, then change the severity value to “1/2/3” in the syslogs. As of now, all the syslog severity is 4, and it does not help when we analyze the logs in a third-party tool."
BR
Aswin