ASM & Splunk integration

kris_52344
Nimbostratus
hi,

I have installed and configured Splunk for F5 and am able to get LTM self-IP, source-IP, etc. logs on the Splunk server. So, kindly provide any document or help to integrate ASM with Splunk. Does it require an iRule to be configured on ASM?

Thank you in advance!
8 REPLIES

Aaron_Brailsfo1
F5 Employee
You won't need any iRules to log out to a Splunk server from ASM, what you will need to do is configure a Remote Logging Profile with the relevant options and assign it to your ASM Web Application. There are some sections in the relevant Configuration Guides for ASM which describe this:

For v9.4.5-9.4.8:

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_sys_mgmt.html1028448

For v10.x:

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_sys_mgmt.html1028448

Aaron

Wagner_Bianchi_
Nimbostratus

Hello guys,

Just to recap this conversation, which you started some time ago: I am having problems getting Splunk fully functional after following the steps in the PDF file that came with the app's package. The field attack_type, used in many queries of the first group of the app's menu, is presenting, I imagine, wrong data: it is presenting graphs with symbols such as commas, double quotes and single quotes. I will count on your help to understand whether it is a problem or not... could you give me a hand on that? Thanks a lot, and looking forward to hearing from you.

Cheers, WB

Jim_Westwood_64
Nimbostratus

I am having the same issue. Latest Splunk, latest F5 app, and it fails to work as the data is in quotes?

Bob_Blair_10901
Nimbostratus

Make sure the logging profile is using a Remote Storage Type of Reporting Server.

ltwagnon
F5 Employee

Here's an article that might help:

ASM Logging: https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-10-event-logging.Uz3...

I'll also take a look on my lab setup to see if I can figure out the exact details for ASM and Splunk configuration.

MVA
Nimbostratus

So it doesn't seem possible to have all contents of /var/log/asm sent to Splunk, similar to how /var/log/ltm and /var/log/audit get sent to Splunk by default?

dbizzle_20930
Nimbostratus

All you should have to do is define your remote logging options under System and define your inputs on Splunk. The F5 will automagically send anything that is standard syslog to that remote address. For ASM/APM you can collect data using High Speed Logging (HSL) or AVR and configure the publishers/destinations for each. Configure a pool (or pools) that has your indexer/port defined as a member, or you could even create a VIP to handle load balancing between indexers if you wanted, and your AVR/HSL destination could be a pool with the VIP address as its member.

I am currently working on getting ASM logs over to both Splunk (syslog format) and ArcSight (CEF format). I found this link useful for understanding Field/Value/Description for Splunk and ArcSight as well as for creating Custom Logging Profiles. Thought I'd share: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/10.html
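Added example (not code from F5, Splunk or any poster in this thread) that ties together two points raised above: the attack_type values showing up with stray quotes and commas (Wagner's and Jim's posts), and the syslog/HSL transport dbizzle describes. The sample message is constructed; its layout (an RFC 3164-style syslog header followed by ASM's comma-separated key="value" body) and the field names are assumptions modelled on ASM's default remote logging format, not taken from the thread. The point it demonstrates: ASM packs several attack types into one quoted, comma-separated value, so any extraction that splits the event on commas before honouring the quotes produces exactly the quote-prefixed fragments described above, while a quote-aware extraction gives clean values.

```python
import re

# Constructed sample: one ASM violation event as HSL would deliver it to a
# syslog input on an indexer. PRI <134> = facility local0 (16*8=128) plus
# severity informational (6). attack_type deliberately holds a comma inside
# the quotes, which is what defeats naive comma splitting.
SAMPLE = (
    '<134>Jun 12 10:15:42 bigip1.example.com ASM:'
    'unit_hostname="bigip1.example.com",management_ip_address="10.0.0.5",'
    'web_application_name="/Common/webapp_policy",'
    'violations="Illegal meta character in value",'
    'support_id="12345678901234567890",request_status="blocked",'
    'ip_client="203.0.113.7",method="GET",protocol="HTTPS",severity="Error",'
    'attack_type="Non-browser Client,Abuse of Functionality",'
    'uri="/login",'
    'request="GET /login?user=%27 HTTP/1.1\\r\\nHost: www.example.com\\r\\n"'
)

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss host tag:body
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:]+):(?P<body>.*)$',
    re.S,
)
# One key="value" pair; the value runs to the next '"' regardless of commas.
# Assumption: ASM does not emit an unescaped '"' inside a value.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_syslog(msg: str) -> dict:
    """Split the syslog header off an HSL message and decode PRI."""
    m = SYSLOG_RE.match(msg)
    if not m:
        raise ValueError("not an RFC 3164-style syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "body": m.group("body"),
    }


def naive_fields(body: str) -> dict:
    """Split on commas first, then on '='. This is the approach that yields
    attack_type values starting with a double quote plus dangling fragments
    of the next item, i.e. the symptom reported in this thread."""
    fields = {}
    for token in body.split(","):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_asm_body(body: str) -> dict:
    """Quote-aware extraction of ASM's key="value" body."""
    return dict(KV_RE.findall(body))


def attack_types(event: dict) -> list:
    """Split the multi-valued attack_type field only after the quoted value
    has been isolated, so each attack type comes out whole and unquoted."""
    raw = event.get("attack_type", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


if __name__ == "__main__":
    hdr = parse_syslog(SAMPLE)
    event = parse_asm_body(hdr["body"])
    print("facility/severity:", hdr["facility"], hdr["severity"])
    print("naive attack_type:", repr(naive_fields(hdr["body"]).get("attack_type")))
    print("parsed attack_type:", attack_types(event))
```

If a Splunk search shows attack_type values that begin with a quote or end mid-phrase, the field is being split the naive way; the check is to look at the raw event (the `body` here) and confirm the comma sits inside a quoted value rather than between fields. Note that KV_RE would also pick up a key="value" substring embedded inside the request field if a client sent one, so a production extractor should anchor on the ASM field list rather than on any word followed by ="; the sample above avoids that case.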