
Sathya_Balakris
Jun 23, 2015

F5 APM Logging to ArcSight

Can anyone please let us know whether APM uses CEF format, as we are sending logs from APM to ArcSight and the logs are not getting parsed properly?

 

4 Replies

  • That depends on how you set up your logging; if you go through the publishers and destinations, you are able to say it is ArcSight.
  • As per v11.6, the information from the manual is:

    Important: ArcSight formatting is only available for logs coming from Advanced Firewall Manager
    (AFM), Application Security Manager™ (ASM), and the Secure Web Gateway component of Access
    Policy Manager® (APM®). IPFIX is not available for Secure Web Gateway. Remote Syslog formatting
    is the only type supported for logs coming from APM. The Splunk format is a predefined format of key
    value pairs.
    

    At the moment it's not possible. I suggest you open a case with F5 support. Maybe an RFE already exists and you can link your case to it, or alternatively create an RFE.

  •
    Curt_Kersey_115
    Historic F5 Account

    An RFE is F5's term for a "Request for Enhancement". For APM, there is one that has already been created for ArcSight CEF formatting, 427106.
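
A quick way to confirm what the replies describe, as an added example that is not from any of the posts or from F5: the Python below checks whether lines arriving at the collector carry a well-formed CEF header (seven pipe-delimited fields after `CEF:`) or are plain remote syslog. The sample lines, host name and vendor/product strings are constructed for illustration and are not real APM output.

```python
CEF_FIELDS = ("version", "device_vendor", "device_product", "device_version",
              "event_class_id", "name", "severity")

def parse_cef_header(line):
    """Return the seven CEF header fields plus 'extension', or None when the
    line carries no well-formed CEF header (for example, plain syslog)."""
    start = line.find("CEF:")
    if start == -1:
        return None
    body = line[start + len("CEF:"):]
    parts, current, i = [], [], 0
    # Split on unescaped pipes only; header values may contain \| and \\.
    while i < len(body) and len(parts) < len(CEF_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    # Fewer than seven terminated fields, or a non-numeric version: not CEF.
    if len(parts) < len(CEF_FIELDS) or not parts[0].isdigit():
        return None
    record = dict(zip(CEF_FIELDS, parts))
    record["extension"] = body[i:]
    return record

def classify(lines):
    """Count lines a CEF parser could accept versus everything else."""
    result = {"cef": 0, "not_cef": 0}
    for line in lines:
        result["cef" if parse_cef_header(line) else "not_cef"] += 1
    return result

# Constructed sample input: one CEF event, one plain syslog line, one
# truncated CEF header.
SAMPLE = [
    "<134>Jun 23 10:15:02 lb1 CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
    "Login \\| portal|5|src=192.0.2.10 suser=alice",
    "<134>Jun 23 10:15:03 lb1 access: session started for alice from 192.0.2.10",
    "<134>Jun 23 10:15:04 lb1 CEF:0|ExampleVendor|truncated",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

If every line from the APM source lands in `not_cef`, the collector needs a syslog-based parser for that source rather than a CEF one.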