Forum Discussion

Pascal_J
Dec 26, 2019

Logging Dos Events

Hi

I have a question about setting up alerts on DoS events.

All the ASM logs are forwarded to a Splunk server and I want to redirect (if possible) all DoS events to the Splunk server.

I tried to configure a log destination and a remote publisher (on the same destination as ASM) to do that, but it doesn't work, maybe because I've since seen this limitation: The BIG-IP Advanced Firewall Manager™ (AFM™) must be licensed and provisioned before you can configure DoS Protection event logging.

Then I tried an iRule (https://devcentral.f5.com/s/question/0D51T00006i7d7y/how-can-i-alert-on-an-asm-denial-of-service-event), but this one writes an event for each request in ltm.log.

What could be a solution to just be notified in case of a DoS attack event?

Thanks for your help

Regards

2 Replies

  • Hi Pascal J,

    Can you try this iRule to send logs to the Splunk server?

    # Fires when ASM Layer 7 DoS detection reports an attack; attach the iRule
    # to the virtual server that carries the DoS profile.
    when IN_DOSL7_ATTACK {
        # Send to the remote syslog receiver (host:port) rather than ltm.log
        log <splunkIP:port> local0.info "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
    }
  • Hi eaa

    Thanks for your help, but it doesn't seem to work.

    I've tried to use:

    • the standard remote log config (that copies ltm.log)
    • the ASM logging profile

    No trace of events on either side.

    regards
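The question asks for one notification per attack rather than one log line per request. The script below is an added example, not code from the thread, F5 or Splunk: it takes syslog lines whose message body has the "Attacker IP: ..., Mitigation: ..." layout emitted by the iRule in eaa's reply, and collapses repeated lines for the same attacker within a time window into a single alert. The syslog prefix in the constructed sample lines (host, process, rule name) is an assumed layout, not taken from a real BIG-IP capture, and the mitigation names are placeholders.

```python
"""Collapse per-request DoS log lines into one alert per attacker.

Hypothetical example (not F5 or Splunk code). It assumes the message
body produced by the iRule's `log` command, "Attacker IP: <ip>,
Mitigation: <action>", preceded by a syslog-style timestamp; the rest
of the line prefix is an assumed layout.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Matches the message body the iRule's `log` command emits.
MSG_RE = re.compile(r"Attacker IP: (?P<ip>[^,]+), Mitigation: (?P<mit>.+?)\s*$")
# Syslog-style timestamp at the start of the line (assumed layout).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2019):
    """Return (timestamp, attacker_ip, mitigation), or None for non-DoS lines."""
    m = MSG_RE.search(line)
    t = TS_RE.match(line)
    if not m or not t:
        return None
    try:
        ip = ip_address(m.group("ip").strip())  # reject garbage in the IP field
    except ValueError:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, str(ip), m.group("mit").strip()


def aggregate(lines, window=timedelta(minutes=5)):
    """One alert per attacker IP per window; repeat lines only bump the count."""
    alerts = []        # alert dicts in first-seen order
    open_by_ip = {}    # attacker ip -> index of its currently open alert
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, mit = parsed
        idx = open_by_ip.get(ip)
        if idx is not None and ts - alerts[idx]["first_seen"] <= window:
            a = alerts[idx]
            a["count"] += 1
            a["last_seen"] = ts
            a["mitigations"].add(mit)  # track escalation across the attack
        else:
            open_by_ip[ip] = len(alerts)
            alerts.append({"ip": ip, "first_seen": ts, "last_seen": ts,
                           "count": 1, "mitigations": {mit}})
    return alerts


# Constructed sample lines (not from a real system): one attacker logged
# three times within a minute, a second attacker once, and a non-DoS line.
SAMPLE_LOG = """\
Dec 26 10:00:01 bigip1 tmm[1234]: Rule /Common/dos_alert <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.5, Mitigation: Client Side Integrity Defense
Dec 26 10:00:02 bigip1 tmm[1234]: Rule /Common/dos_alert <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.5, Mitigation: Client Side Integrity Defense
Dec 26 10:00:31 bigip1 tmm[1234]: Rule /Common/dos_alert <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.5, Mitigation: Request Blocking
Dec 26 10:00:40 bigip1 tmm[1234]: Rule /Common/dos_alert <IN_DOSL7_ATTACK>: Attacker IP: 198.51.100.7, Mitigation: Request Blocking
Dec 26 10:00:41 bigip1 tmm[1234]: Rule /Common/other <HTTP_REQUEST>: GET /index.html
"""


def sample_alerts():
    """Run the aggregator over the constructed sample; used by the demo below."""
    return aggregate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['ip']}: {a['count']} lines, mitigations {sorted(a['mitigations'])}")
```

Run it against a file of forwarded lines (`aggregate(open("ltm.log"))`) and send one notification per returned dict; the window is the only tuning knob, and a 5-minute window is simply the assumed default here.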