Forum Discussion

Priyesh_MP's avatar
Priyesh_MP
Icon for Nimbostratus rankNimbostratus
Jan 16, 2020
Solved

F5 ASM Auditlogs for all Policy Changes apart from normal Login Logout details

Dear Team,

 

Good day!

 

Can anyone confirm whether F5 ASM Auditlogs give information about configuration changes other than normal login logout data? Requirement is customer wants Auditlogs for all configuration changes also (like who has logged in and what changes he/she made etc.).

 

Thank you.

 

Best Regards,

Priyesh MP

ASM Advanced WAF
BIG-IP
security
  • Yoann_Le_Corvi1's avatar
    Yoann_Le_Corvi1
    Jan 23, 2020

    Hi

     

    Sorry for the delay. Admin/root are very likely to be linked.

    Try creating a dedicated account.

     

    Also what you are reading is the system audit log.

     

    You also have the ASM Audit Log in Security -> Application Security -> Policy -> Audit -> Logs.

     

    Yoann

7 Replies

Sort By
  • Yoann_Le_Corvi1's avatar
    Yoann_Le_Corvi1
    Icon for Cumulonimbus rankCumulonimbus
    Jan 23, 2020

    Hi

     

    Sorry for the delay. Admin/root are very likely to be linked.

    Try creating a dedicated account.

     

    Also what you are reading is the system audit log.

     

    You also have the ASM Audit Log in Security -> Application Security -> Policy -> Audit -> Logs.

     

    Yoann

    • Priyesh_MP's avatar
      Priyesh_MP
      Icon for Nimbostratus rankNimbostratus
      Jan 23, 2020

      Dear Yoann,

       

      Thank you for your reply.

       

      I got it. Will ASM forward ASM Audit Log in Security -> Application Security -> Policy -> Audit -> Logs to Syslog Server same like System Auditlogs? or it will only available locally in the device?

       

      Best Regards,

      Priyesh MP

      • Yoann_Le_Corvi1's avatar
        Yoann_Le_Corvi1
        Icon for Cumulonimbus rankCumulonimbus
        Jan 23, 2020

        Hi

        I had a quick look, but it seems to be in the SM DB, not managed by syslog.

        So as far as I can tell, it seems to be local only. Only illegal requests logs can be sent to syslog.

         

        Yoann

  • Yoann_Le_Corvi1's avatar
    Yoann_Le_Corvi1
    Icon for Cumulonimbus rankCumulonimbus
    Jan 16, 2020

    Hello

     

    It does. It logs ever modification to the policy. That also include changes made by the policy builder itself.

    URL, Response page, Attack signtature... and so on.

     

    Yoann

    • Priyesh_MP's avatar
      Priyesh_MP
      Icon for Nimbostratus rankNimbostratus
      Jan 16, 2020

      Dear Yoann,

       

      Thank you for your response. Is there any document available from F5 on this?

       

      Best Regards,

      Priyesh MP

  • Priyesh_MP's avatar
    Priyesh_MP
    Icon for Nimbostratus rankNimbostratus
    Jan 21, 2020

    Dear Yoann,

     

    Hope you are doing well!

     

    Could you please provide me any document from F5 or any test results that you have on this?

     

    Best Regards,

    Priyesh MP

  • Priyesh_MP's avatar
    Priyesh_MP
    Icon for Nimbostratus rankNimbostratus
    Jan 23, 2020

    Dear Team,

     

    I could see the configuration changes in F5 ASM Auditlogs, as given below.

     

     

    Can anyone tell me why is it showing user as root when I made this configuration changes from GUI with admin account?

     

    Thank you.

     

    Best Regards,

    Priyesh MP