F5 BIG-IP Automatic email notification for system update events (ASM/AWAF)

Recently I had some requests from customer security teams asking for an email to be sent from the F5 BIG-IP when certain events are triggered, such as a live update or a system failure.

The idea is to trace the system logs for the desired events and generate custom SNMP trap messages that in turn trigger email notifications. Most system logs, including update logs, live under /var/log/; the event triggers are key words taken from those log files when creating the custom SNMP OID.

So the objective is to identify which key words in the log files are associated with ASM signature updates. Let's run a signature live update from System ›› Software Management : Live Update

and trace the ASM log:

[admin@ip-10-1-1-5:Active:Standalone] ~ # tail -f /var/log/asm
Jul  5 04:22:19 info perl[12566]: 01310053:6: ASMConfig change:  Sigfile Update Result [update]: Signatures updated successfully - 7663 signatures loaded (167 updated). Server Technologies updated successfully - 0 server technologies updated, 0 server technologies added, 0  server technologies deleted. { audit: component = Live Update }

Since the phrase "Signatures updated successfully" is only logged on completion of a signature update, we can use it as the log key word that triggers a custom system OID, which in turn is associated with the email alert: https://support.f5.com/csp/article/K3727

For instance, you could add something like the following to /config/user_alert.conf:

alert ASM_UPDATE_STATUS "Signatures updated successfully (.*)" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.789"
}

and run a quick test by writing a log message to /var/log/ltm:

logger -p local0.notice "Signatures updated successfully"

From tcpdump we can see that the SNMP trap has been sent to the predefined SNMP server 10.1.1.16:

[admin@ip-10-1-1-5:Active:Standalone] ~ # tcpdump -nni eth0 host 10.1.1.16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:05:24.157832 IP 10.1.1.5.58211 > 10.1.1.16.162:  V2Trap(132)  .1.3.6.1.2.1.1.3.0=37745 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.789 .1.3.6.1.4.1.3375.2.4.1.1="Signatures updated successfully" .1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4

We can now run an actual live update to verify that the SNMP trap is triggered from /var/log/asm.

It works the same way as the previous test with the LTM log: the SNMP trap is sent to the SNMP host.

[admin@ip-10-1-1-5:Active:Standalone] ~ # tcpdump -nni eth0 host 10.1.1.16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:20:42.785280 IP 10.1.1.5.58211 > 10.1.1.16.162:  V2Trap(399)  .1.3.6.1.2.1.1.3.0=129608 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.789 .1.3.6.1.4.1.3375.2.4.1.1="ASMConfig change:  Sigfile Update Result [update]: Signatures updated successfully - 7663 signatures loaded (167 updated). Server Technologies updated successfully - 0 server technologies updated, 0 server technologies added, 0  server technologies deleted. { audit: component = Live Update }" .1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4

Finally, we can create an email alert together with the SNMP trap by adding the following to /config/user_alert.conf:

alert BIGIP_SIG_UPDATE_COMPLETE "Signatures updated successfully(.*)" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.789";
  email toaddress="demo@askf5.com"
  fromaddress="root"
  body="The Signature has been updated!"
}

How to create an email notification: https://support.f5.com/csp/article/K3667
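To check a stanza's regular expression against real log lines before touching the live config, here is an added Python checker (example code written for this article, not F5's alertd and not part of the original post): it parses the subset of user_alert.conf syntax shown above and reports which alerts each log line would fire. The sample stanza and log lines are constructed from the entries in this article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the final stanza from this article as it would sit in
# /config/user_alert.conf. Only the syntax subset used on the page is parsed.
SAMPLE_CONF = '''
alert BIGIP_SIG_UPDATE_COMPLETE "Signatures updated successfully(.*)" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.789";
  email toaddress="demo@askf5.com"
  fromaddress="root"
  body="The Signature has been updated!"
}
'''

# Constructed log lines: the logger test and the /var/log/asm entry from the
# article, plus an unrelated LTM line that must not fire the alert.
LOGGER_LINE = "Jul  5 05:05:24 notice admin[20110]: Signatures updated successfully"
ASM_LINE = ("Jul  5 04:22:19 info perl[12566]: 01310053:6: ASMConfig change:  "
            "Sigfile Update Result [update]: Signatures updated successfully - "
            "7663 signatures loaded (167 updated). { audit: component = Live Update }")
OTHER_LINE = "Jul  5 04:21:00 notice tmm[1]: 01010028:5: No members available for pool /Common/web"

@dataclass
class Alert:
    name: str
    pattern: re.Pattern
    actions: list = field(default_factory=list)  # e.g. [{"action": "snmptrap", "OID": ...}]

# alert NAME "regex" { ... }   -- the regex may contain escaped quotes
STANZA = re.compile(r'alert\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*\{(.*?)\}', re.S)
# inside the braces: either key="value" or a bare action word; ';' is ignored
TOKEN = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"|(\w+)')

def parse_actions(body: str) -> list:
    """A bare word (snmptrap, email) starts an action; key="value" pairs attach to it."""
    actions = []
    for m in TOKEN.finditer(body):
        if m.group(3):
            actions.append({"action": m.group(3)})
        elif actions:
            actions[-1][m.group(1)] = m.group(2)
    return actions

def parse_user_alert_conf(text: str) -> list:
    return [Alert(name, re.compile(regex), parse_actions(body))
            for name, regex, body in STANZA.findall(text)]

def alerts_for_line(alerts: list, line: str) -> list:
    """Names of the alerts whose regex matches anywhere in the line (search, not full match)."""
    return [a.name for a in alerts if a.pattern.search(line)]

if __name__ == "__main__":
    alerts = parse_user_alert_conf(SAMPLE_CONF)
    for line in (LOGGER_LINE, ASM_LINE, OTHER_LINE):
        print(alerts_for_line(alerts, line), "<-", line[:60])
```

Run it with the stanzas you intend to deploy and a few lines copied from /var/log/ltm or /var/log/asm; a pattern that also matches the unrelated line is too broad and will produce noisy traps and emails.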

This trick can be applied to any event-based notification you would like to have, using your preferred combination of key words from the log files. If you prefer a simple setup that sends notifications directly from the BIG-IP instead of filtering for tailored events on your log server, I hope you find this helpful.

Updated Oct 12, 2023
Version 3.0