F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)

Spike_Li
F5 Employee

Recently I had a request from the security team asking for an email to be sent from the F5 BIG-IP when it installs a live update, such as ASM signature updates, via the automatic schedule. Upon looking at the KBs, this doesn't seem to be a natively embedded function for now.

So my idea is to trace the system log for signature updates and generate an SNMP message to trigger an email notification.

Most syslogs and update logs can be found in the /var/log/ directory, whereas some event-based logs, such as signature updates, are located in a different place.

https://support.f5.com/csp/article/K82512024

The system live update info is located in /var/log/tomcat/liveupdate.log

So the thinking is: once the system generates a log entry after the signature update, you can grab the log info, use a unique keyword to identify completion of the update, and tie that keyword to a customised OID to trigger an SNMP trap for system notification.

Once you have scheduled or completed an installation, you should see a log entry with the following info:

cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount

XXXX…

{"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599}


The word modifiedEntitiesCount seems to appear only upon completion of a signature update installation, so we can use the log keyword modifiedEntitiesCount to customise a system OID associated with email alerts.

https://support.f5.com/csp/article/K3727


Add something like the following to /config/user_alert.conf:

alert ASM_update_STATUS " modifiedEntitiesCount(.*)" {
 snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.xxx"
}


and create an email alert together with the SNMP trap:

https://support.f5.com/csp/article/K3667

alert BIGIP_SIG_UPDATE_COMPLETE " modifiedEntitiesCount(.*)" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.XXX";
    email toaddress="demo@askf5.com"
    fromaddress="root"
    body="The Signature has been updated!"
}


This trick can also be applied to any event-based notification you'd like to send, using a keyword from the log files.

https://support.f5.com/csp/article/K16197

If you would like to get a feed from BIG-IP notifications instead of using your log server to filter out tailored events, I hope this is helpful.

Any comments for improvement or correction would be highly appreciated.


Spike_Li
F5 Employee

Update:

A better tracking mechanism is to use the /var/log/asm log file. It generates a log entry containing the keywords "Signatures update successfully" upon completion of the system update, so it's easier to trace and consumes fewer resources than reading the tomcat log file.
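As an added example (not code from this thread and not F5's own alertd), the following Python script parses an alert stanza written in the format the thread uses and replays constructed log lines through its regular expression. It lets you confirm that the keyword fires on the completion line and not on a "started" or "failed" line before the stanza goes into /config/user_alert.conf. The alert name, the OID suffix .300, the addresses and the syslog-shaped sample lines are assumptions made for this example; only the keyword "Signatures update successfully" is taken from the reply above. The script models only the regex match and the resulting action list, not trap or mail delivery.

```python
"""Dry-run a user_alert.conf-style alert stanza against sample log lines.

Added example, not part of the original post. alertd on BIG-IP compares each
log line against the quoted regular expression of every
`alert NAME "regex" { actions }` stanza and runs the listed actions on a
match; this script reproduces just that matching step so a keyword can be
checked offline before alertd is reconfigured.
"""
import re

# Constructed stanza in the format the thread shows. The name, the OID suffix
# .300 and both e-mail addresses are placeholders chosen for this example.
USER_ALERT_CONF = r'''
alert BIGIP_SIG_UPDATE_COMPLETE "Signatures update successfully" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
    email toaddress="secops@example.com"
    fromaddress="root"
    body="The ASM attack signatures have been updated"
}
'''

# Constructed syslog-shaped lines. Timestamps, host name and process tag are
# made up; the completion keyword is the one quoted in the reply.
SAMPLE_LOG = [
    "Jun 20 10:14:55 bigip1 notice asm[4711]: Signatures update started",
    "Jun 20 10:15:02 bigip1 notice asm[4711]: Signatures update successfully",
    "Jun 20 10:15:03 bigip1 notice asm[4711]: Signatures update failed",
    "Jun 20 10:15:04 bigip1 notice mcpd[1234]: Pool member 10.0.0.5:80 monitor status up",
]

# alert NAME "regex" { body }
STANZA_RE = re.compile(r'alert\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*\{(.*?)\}', re.S)
# one action keyword followed by zero or more key="value" pairs, optional ';'
ACTION_RE = re.compile(r'(\w+)((?:\s+\w+="(?:[^"\\]|\\.)*")*)\s*;?')
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_alerts(conf):
    """Return one dict per stanza: name, compiled regex and its action list."""
    alerts = []
    for name, pattern, body in STANZA_RE.findall(conf):
        actions = []
        for kind, args in ACTION_RE.findall(body):
            # e.g. {"action": "snmptrap", "OID": ".1.3.6.1.4.1.3375.2.4.0.300"}
            actions.append({"action": kind, **dict(KV_RE.findall(args))})
        alerts.append({"name": name, "regex": re.compile(pattern), "actions": actions})
    return alerts


def replay(conf, lines):
    """Return (alert name, line, actions) for every line that would fire an alert."""
    fired = []
    for alert in parse_alerts(conf):
        for line in lines:
            if alert["regex"].search(line):
                fired.append((alert["name"], line, alert["actions"]))
    return fired


if __name__ == "__main__":
    for name, line, actions in replay(USER_ALERT_CONF, SAMPLE_LOG):
        print(f"{name} fired on: {line}")
        for act in actions:
            print("   ", act)
```

Only the second sample line fires: the "started" and "failed" lines share the prefix but not the full keyword, which is the property the reply relies on. Paste any other stanza from the thread into USER_ALERT_CONF (the parser handles several stanzas in one string) and add lines from your own /var/log/asm to check it the same way.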