
F5 ASM event correlation incident alerting

Marvin
Cirrostratus

Dear all,

A simple question, I hope, but we are looking for a way to automatically send an alert (via email, or perhaps syslog or a local log entry) when F5 detects a serious security incident using its event correlation database. We don't have the capabilities to perform this on an external SIEM solution, and why should we, as F5 already has its internal correlation of security incidents, right?

So does someone have a solution to automatically send a syslog message, or use a bash script that reads /var/log/* for specific strings, or perhaps simply send it via email when an F5 event correlation security incident occurs?

The second question is whether it would also be possible for the same correlation engine to automatically update the F5 AFM blacklist IP list?
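One way to do the "bash script that reads the log for specific strings" variant, as an added example that is not part of the original post or of any F5 documentation: a POSIX shell script that scans an ASM log for incident lines, de-duplicates on the incident id so each incident alerts only once (the state file persists across cron runs), and forwards each new incident to syslog with logger(1). The log line layout and the default INCIDENT_PATTERN are constructed for the demo and must be adjusted to what the BIG-IP actually writes to /var/log/asm.

```shell
#!/bin/sh
# Added example, not from the thread: poll an ASM log for correlation-incident
# lines, alert once per incident id, and forward each new incident to syslog.
# ASSUMPTIONS: the line layout below and INCIDENT_PATTERN are placeholders;
# adapt them to the real wording of correlation entries on your BIG-IP.

INCIDENT_PATTERN="${INCIDENT_PATTERN:-correlation incident}"   # placeholder

# write_sample_log <path>: constructed sample entries for stand-alone runs.
# Note the duplicate id=1001 entry, which must not produce a second alert.
write_sample_log() {
  cat > "$1" <<'EOF'
2024-06-10T09:14:02Z asm: request violation id=5550 src=198.51.100.4 sig="SQL-INJ"
2024-06-10T09:15:10Z asm: correlation incident id=1001 severity=high src=203.0.113.7 type="Web Scraping"
2024-06-10T09:15:11Z asm: request violation id=5551 src=203.0.113.7 sig="XSS"
2024-06-10T09:16:40Z asm: correlation incident id=1002 severity=medium src=203.0.113.9 type="Brute Force"
2024-06-10T09:16:41Z asm: correlation incident id=1001 severity=high src=203.0.113.7 type="Web Scraping"
EOF
}

# extract_incidents <logfile>: print "id severity src" for every line that
# contains INCIDENT_PATTERN, parsing the key=value tokens on that line.
extract_incidents() {
  awk -v pat="$INCIDENT_PATTERN" '
    index($0, pat) {
      id = sev = src = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "id") id = kv[2]
        else if (kv[1] == "severity") sev = kv[2]
        else if (kv[1] == "src") src = kv[2]
      }
      if (id != "") print id, sev, src
    }' "$1"
}

# send_alert <message>: forward to local syslog when logger(1) is available
# (facility local0, priority alert), and always echo the message to stdout.
send_alert() {
  if command -v logger >/dev/null 2>&1; then
    logger -t asm-correlation -p local0.alert -- "$1" || :
  fi
  printf '%s\n' "$1"
}

# alert_new_incidents <logfile> <statefile>: alert once per incident id.
# Ids already present in the state file are skipped; new ids are appended.
alert_new_incidents() {
  log="$1"; state="$2"
  touch "$state"
  extract_incidents "$log" | while read -r id sev src; do
    if grep -qx -- "$id" "$state"; then
      continue
    fi
    printf '%s\n' "$id" >> "$state"
    send_alert "ASM correlation incident $id severity=$sev src=$src (see /var/log/asm)"
  done
}

# Stand-alone demo: ./asm_incident_alert.sh --demo
# Real use: run from cron, e.g. every 5 minutes,
#   asm_incident_alert.sh /var/log/asm /var/tmp/asm_incidents_seen
case "${1:-}" in
  --demo)
    tmp=$(mktemp -d)
    write_sample_log "$tmp/asm.log"
    alert_new_incidents "$tmp/asm.log" "$tmp/seen"
    ;;
  "") ;;
  *) alert_new_incidents "$1" "${2:-/var/tmp/asm_incidents_seen}" ;;
esac
```

Because the state file only ever grows, rotate it together with the log it tracks, or prune ids older than the log retention window; otherwise an incident id reused after a log rotation would be silently suppressed.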

4 REPLIES

I had a similar question and you may look at it for ideas:

F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation...

You can also try the custom SNMP trap to trigger email alerts based on correlation incident info in /var/log/asm:

https://support.f5.com/csp/article/K3667

https://support.f5.com/csp/article/K15281
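The custom SNMP trap mechanism the two articles describe lives in /config/user_alert.conf: alertd matches each new log line against the quoted regular expression and, on a hit, sends a trap with the custom OID. The stanza below is an added illustration, not taken from the thread or from F5's articles; the alert name and the regex are placeholders, since the exact wording of a correlation incident entry in /var/log/asm is not established in this thread and must be read from the log on your own system before the regex is written.

```conf
# /config/user_alert.conf  (added example; name and regex are placeholders)
# alertd evaluates the regex against new log lines; on a match it emits
# the custom trap OID .1.3.6.1.4.1.3375.2.4.0.300 to the configured
# SNMP trap receivers, which can then raise the email notification.
alert BIGIP_ASM_CORRELATION_INCIDENT "PLACEHOLDER-correlation-incident-regex" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300"
}
```

After editing the file, restart alertd (the articles above give the command for your version) and verify with a test line in the log that the trap actually fires before relying on it; a regex that is too broad will page on every request violation rather than only on correlated incidents.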

Marvin
Cirrostratus

Are these correlation incidents logged in /var/log/asm as a correlated incident log entry? Not as separate violation log entries?

Some info is: Limit of unique sessions for this incident reached (f5.com), but also the main log is /var/log/ts/correlation.log, as mentioned in BIG-IP ASM daemons (11.x - 16.x) (f5.com).

Look at it and try using the SNMP custom trap alarms to trigger email.

The info in correlation.log does not contain security-incident-specific information, unfortunately.