arcsight
5 Topics

High Speed Logging - Not working quite as expected (Specific to ArcSight)

Introduction

I'm wondering if anyone can offer any advice on how this should be working and whether I'm getting the wrong understanding of this. To be clear, it is not the iRule HSL implementation but simply the built-in /sys log-config filters/publishers/destinations.

My Requirements

I require logs to continue to be available on the BIG-IP, as though we've not configured any differences to logging. I also want to log everything (debug from all sources) out to our chosen SIEM product, ArcSight.

Things to Know

- I'm using BIG-IP 11.6.0 HF3 (ENG)
- Resources provisioned: APM
- Not requiring additional logging such as request logging.
- https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-6-0/22.html?sr=43624187

Configuration, so far

- Configured a pool named SIEM-ArcSight-Logging which contains the ArcSight server, port 514.
- Configured a destination SIEM-Dest-HSL, type Remote High Speed Logging (unformatted), forwards to SIEM-ArcSight-Logging pool, type UDP.
- Configured a destination SIEM-Dest-ArcSight, type ArcSight (formatted), forwards to SIEM-Dest-HSL.
- Configured a publisher SIEM-Pub-Default, destinations: SIEM-Dest-ArcSight, SIEM-Dest-HSL, alertd.
- Configured a filter SIEM-Filter, severity Debug, source all, publisher SIEM-Pub-Default.

Please note...

My gut feeling says I may have set the publisher up wrong, so I have tried each of its entries just on their own. alertd and SIEM-Dest-HSL seem to work fine (I see syslog traffic leaving for the HSL) but ArcSight does not. Documentation seems somewhat unclear as to what destinations are required, i.e. do I just need to add ArcSight and let it forward itself to HSL, or do I need both? Also, should I be configuring multiple filters to cover debug/all, or am I correct to have just the one 'catch all'?

I have additionally seen a warning in one presentation I bumped into whilst Googling away which said "Warning, dangerous defaults 'debug/all'", but I couldn't find an explanation of why these are dangerous, so I proceeded with caution and tried upping the severity, but it made no difference.

Any and all feedback/advice/other would be incredibly welcomed. Many thanks, JD.

(399 views, 0 likes, 4 comments)

Syslog ArcSight and remote destination Syslog combined

Hi All,

I have a BIG-IP LTM + ASM installed. Within the ASM I have a logging profile configured that sends the ASM logs in CEF format to ArcSight, which works perfectly. I also have a standard syslog destination configured in the System menu with the same remote log destination, because I also want standard syslog information to be sent to the same syslog server. The problem is that it just does not work. If I generate some logs by shutting down a pool, there is no traffic sent to the syslog server. The very strange thing is that when I change the IP to another IP that is different from the ArcSight IP, it is sent. So it seems you are not able to combine an ASM syslog CEF destination and a normal syslog destination using the same IP destination. I also tried to restart the syslog-ng daemon, but that also did not fix the problem. Does someone have an explanation for this?

(336 views, 0 likes, 2 comments)

WHICH VIRTUAL SERVER IS APPLIED TO AN INTERMEDIATE IRULE FOR HIGH SPEED LOGGING.

I would like to ask which virtual server will be applied to an intermediate iRule. The iRule listed on DevCentral for high speed logging from F5 to ArcSight or Splunk, in the following DevCentral article https://devcentral.f5.com/articles/irules-high-speed-logging-spray-those-log-statements, is:

    ltm rule testrule {
        when CLIENT_ACCEPTED {
            set lpAll [HSL::open -publisher /Common/lpAll]
        }
        when HTTP_REQUEST {
            HSL::send $lpAll "<190> [IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]; [HTTP::host][HTTP::uri]"
        }
    }

However, I'd like to know which virtual server the iRule will be attached to. Thanks

(260 views, 0 likes, 5 comments)

No Event logs for particular policy

Hi,

We are facing a strange issue where, for one particular ASM policy, we are not getting any event logs, nor are there any alerts in Manual Traffic Learning. However, all the logs from ASM are pushed to ArcSight. We have a dedicated ArcSight team, who are raising alerts saying that from the "x.x.x.x" source IP we are seeing SQLi, path traversal, XSS attacks and so on. When we navigate to the event logs to filter the illegal requests from "x.x.x.x", we are not seeing any events/alerts. We checked Manual Traffic Learning also; nothing is populated there either. Kindly, could someone give any pointers on how to solve this issue? Let us know if anything else is needed.

PS: The ASM policy is currently in Transparent mode, and the response code for the above-mentioned attacks is 404.

Best, Raghav

(191 views, 0 likes, 1 comment)