Implementing BIG-IP WAF logging and visibility with ELK
Is there anything for Custom APM logging to ELK?
We integrated APM with ELK and it's working; we can see User-ID, Session-ID, the app being accessed by the user, etc.
Now we have a requirement to send customized logs to ELK that should include/append the "User-id" along with the endpoint/posture check result, be it Successful or Fail.
My VPE is: PrivacyAcceptancePage > SAML Auth > EndpointChecks > Logon > SSO-Credential-Mapping (NTLM-SSO) > Adv.Resource.Assign
We can extract the user-id from SAML.
The log below is after SAML Auth and before the Endpoint check:
-------------------
<141>1 2022-01-27T17:30:14.149174+05:30 f5demo.mylab.com apmd 14296 01490265:5: [F5@12276 hostname="f5demo.mylab.com" errdefs_msgno="01490265:5:" partition_name="Common" session_id="06df096f" Access_Profile="/Common/My_Access_Policy_NTLM_SSO" Partition="Common" Session_Id="06df096f" SPname="/Common/Access_Policy_v1__sp" IdpName="/Common/Access_Policy_v1_ProductionPilot" SubjType="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SubjVal="User1@mylab.com"] /Common/My_Access_Policy_NTLM_SSO:Common:06df096f: BIG-IP as SP (/Common/Access_Policy_v1__sp) have received SAML Assertion from IdP (/Common/Access_Policy_v1_ProductionPilot) for subject type (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) value (User1@mylab.com)
-------------------
Whether the endpoint check status is Pass or Fail, it should append the Username/User-id to the logs, so that ELK can use that info and publish it on the ELK custom dashboard along with the User-ID:
The log below shows the Endpoint Check status, currently without the User-id info in it:
-------------------
<142>1 2022-01-13T15:01:36.195716+05:30 f5demo.mylab.com apmd 14265 01490006:6: [F5@12276 hostname="f5demo.mylab.com" errdefs_msgno="01490006:6:" partition_name="Common" session_id="8242cf14" Access_Profile="/Common/My_Access_Policy_NTLM_SSO" Partition="Common" Session_Id="8242cf14" Rule_Caption="Successful" Current_Node="Firewall" Next_Node="Antivirus - Windows"] /Common/My_Access_Policy_NTLM_SSO:Common:8242cf14: Following rule 'Successful' from item 'Firewall' to item 'Antivirus - Windows'
-------------------
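One way to get the user onto the endpoint-check lines without touching the access policy, as an added example (not code from the post or from F5): correlate the two apmd messages by session_id in whatever sits in front of ELK. The SAML line (msgno 01490265) carries SubjVal, the branch line (msgno 01490006) carries Rule_Caption/Current_Node, and both carry the same session_id, so a small stateful pre-processor can stamp a User_Id param into the structured-data element of every branch line for that session. The message numbers are the ones visible in the post; the sample lines are constructed (the post's second line is re-keyed to the first line's session so the two correlate); and the pass/fail mapping on the caption "Successful" is an assumption about this policy's branch names.

```python
import re

# RFC 5424 header as apmd writes it: <PRI>VER TS HOST APP PROCID MSGID [SD-ID params] MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>\S+) (?P<params>[^\]]*)\] (?P<msg>.*)$'
)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Message numbers taken from the two lines in the post (errdefs_msgno without ":severity:").
SAML_ASSERTION_MSG = "01490265"  # "BIG-IP as SP ... have received SAML Assertion from IdP ..."
POLICY_BRANCH_MSG = "01490006"   # "Following rule '<caption>' from item '<node>' to item '<next>'"


def parse_apm_line(line: str):
    """Split an apmd syslog line into header fields plus the F5@12276 structured-data params."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "params"}
    rec.update(PARAM_RE.findall(m.group("params")))
    rec["msgno"] = rec["msgid"].split(":")[0]
    return rec


def append_sd_param(line: str, name: str, value: str) -> str:
    """Append NAME="VALUE" inside the line's [...] element, escaping as RFC 5424 requires."""
    head, sep, tail = line.partition("] ")
    value = value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
    return f'{head} {name}="{value}"{sep}{tail}'


def enrich_stream(lines: list) -> list:
    """Remember the SAML subject per session_id, then stamp it as User_Id onto later branch lines.

    Relies on per-session ordering (SAML Auth runs before the endpoint checks in this VPE); a
    branch line for a session with no SAML line yet gets User_Id="-" rather than a guessed user.
    """
    user_by_session = {}
    out = []
    for line in lines:
        rec = parse_apm_line(line)
        sid = rec.get("session_id") if rec else None
        if rec and sid and rec["msgno"] == SAML_ASSERTION_MSG and rec.get("SubjVal"):
            user_by_session[sid] = rec["SubjVal"]
            out.append(line)
        elif rec and sid and rec["msgno"] == POLICY_BRANCH_MSG:
            out.append(append_sd_param(line, "User_Id", user_by_session.get(sid, "-")))
        else:
            out.append(line)  # anything else passes through untouched
    return out


def endpoint_check_events(lines: list) -> list:
    """Flatten enriched branch lines into the fields a dashboard would index."""
    events = []
    for line in enrich_stream(lines):
        rec = parse_apm_line(line)
        if rec and rec["msgno"] == POLICY_BRANCH_MSG:
            events.append({
                "session_id": rec["session_id"],
                "user": rec.get("User_Id", "-"),
                "check": rec.get("Current_Node", ""),
                # Assumption about this policy's branch captions: endpoint-check items leave on
                # 'Successful' when they pass, so any other caption (e.g. 'fallback') counts as fail.
                "result": "pass" if rec.get("Rule_Caption") == "Successful" else "fail",
                "next": rec.get("Next_Node", ""),
            })
    return events


def apm_line(pri, ts, pid, msgno, sid, extra, msg):
    """Build a constructed apmd line in the layout the post shows (sample data, not a live capture)."""
    return (f'<{pri}>1 {ts} f5demo.mylab.com apmd {pid} {msgno} [F5@12276 hostname="f5demo.mylab.com" '
            f'errdefs_msgno="{msgno}" partition_name="Common" session_id="{sid}" '
            f'Access_Profile="/Common/My_Access_Policy_NTLM_SSO" Partition="Common" Session_Id="{sid}" '
            f'{extra}] /Common/My_Access_Policy_NTLM_SSO:Common:{sid}: {msg}')


# The post's two lines (the second re-keyed to session 06df096f so it belongs to the same login),
# plus two made-up branch lines: a failed Antivirus check and a session whose SAML line never arrived.
SAMPLE_LINES = [
    apm_line(141, "2022-01-27T17:30:14.149174+05:30", 14296, "01490265:5:", "06df096f",
             'SPname="/Common/Access_Policy_v1__sp" IdpName="/Common/Access_Policy_v1_ProductionPilot" '
             'SubjType="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SubjVal="User1@mylab.com"',
             "BIG-IP as SP (/Common/Access_Policy_v1__sp) have received SAML Assertion from IdP "
             "(/Common/Access_Policy_v1_ProductionPilot) for subject type "
             "(urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) value (User1@mylab.com)"),
    apm_line(142, "2022-01-27T17:30:16.195716+05:30", 14265, "01490006:6:", "06df096f",
             'Rule_Caption="Successful" Current_Node="Firewall" Next_Node="Antivirus - Windows"',
             "Following rule 'Successful' from item 'Firewall' to item 'Antivirus - Windows'"),
    apm_line(142, "2022-01-27T17:30:17.000000+05:30", 14265, "01490006:6:", "06df096f",
             'Rule_Caption="fallback" Current_Node="Antivirus - Windows" Next_Node="Deny"',
             "Following rule 'fallback' from item 'Antivirus - Windows' to item 'Deny'"),
    apm_line(142, "2022-01-13T15:01:36.195716+05:30", 14265, "01490006:6:", "8242cf14",
             'Rule_Caption="Successful" Current_Node="Firewall" Next_Node="Antivirus - Windows"',
             "Following rule 'Successful' from item 'Firewall' to item 'Antivirus - Windows'"),
]
```

Running `endpoint_check_events(SAMPLE_LINES)` yields one record per branch line, the first two attributed to User1@mylab.com and the orphan session 8242cf14 left as "-" rather than silently attributed to the wrong user. The state is per session_id, so it survives interleaved sessions, but it is in-memory only: in a real deployment the map needs an expiry tied to the APM session lifetime, and the same join can equally be done inside Logstash with an aggregate-style filter keyed on session_id.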