Log separation by event
Los logs waf se están enviando a un SIEM, pero al momento de registrarlos, está registrando más de un evento por sección, este acto provoca que se pierda información ya que al juntarse tantos eventos se convierte en una cadena muy grande y provoca que comiencen a saltar líneas, como se muestra en la imagen. Por eso el cliente me pide que los separe para evento, ¿alguien sabe si hay solución?
AFM reporting no data
Hi! I have an AFM installation here that seems to be working very well as firewall and ddos protection, but the problem is that none of the reports are working. I have a logging profile created for all the VSs and the publisher is set as local-db-publisher everywhere. Logs working: Reports not working: It is also possible to observe some javascript errors being report in console: My logging profile: security log profile Log_Local { dos-network-publisher local-db-publisher ip-intelligence { log-publisher local-db-publisher } network { Log_Local { filter { log-ip-errors enabled log-tcp-errors enabled } publisher local-db-publisher } } port-misuse { log-publisher local-db-publisher } protocol-dns-dos-publisher local-db-publisher protocol-inspection { log-publisher local-db-publisher } protocol-sip-dos-publisher local-db-publisher traffic-statistics { active-flows enabled log-publisher local-db-publisher missed-flows enabled reaped-flows enabled syncookies enabled syncookies-whitelist enabled } } Am I doing something wrong? Thanks!IRULE TO REMOVE LOGS FROM FORWARD PROXY IRULE
What irule can be used to remove logs from an irule. The situation is that, the irule applied to a virtual server is filling up the /var/log folder and tmm is rebooting. example, if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } { set logging_handle [HSL::open -proto UDP -pool ${static::log_destination_L4_VIP_GPRS_TRANSPARENT} ] i WANT ALL logs removed or tmm not to activate themIRULE TO REMOVE LOGS FROM FORWARD PROXY IRULE
What irule can be used to remove logs from an irule. The situation is that, the irule applied to a virtual server is filling up the /var/log folder and tmm is rebooting. example, if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } { set logging_handle [HSL::open -proto UDP -pool ${static::log_destination_L4_VIP_GPRS_TRANSPARENT} ] i WANT ALL logs removed or tmm not to activate them
Event log soap[22458]
Hello, I try to understand a log message on our F5 Big IP 13.1.1.4. Under System -> Logs -> Local Traffic, I have several entries like LogLevel:info Service:soap[22458] Event:src=127.0.0.1, user= I precise there is nothing after user :) Anyone can explain me what it means and if it is possible to filter these entries? Best regards.
Health Monitor logs not showing up
We have health monitor attached to pool member on F5-LTM version 15.1.2. A health monitor reports the status of a pool. So whenever any pool member goes down, ideally it should get logged. But I am unable to view the health monitor logs on the F5. Only when the 'Pool' goes down or comes back up, as shown below, such log messages appear. Oct 1 07:43:53 TD-F5 err tmm[11722]: 01010028:3: No members available for pool /Common/internal_nexus-lab_pool Oct 1 07:47:27 TD-F5 notice tmm1[11722]: 01010221:5: Pool /Common/internal_nexus-lab_pool now has available members But, the health monitor logs are missing. I am looking for logs that indicate when a health monitor marks pool members as down or up, something like this: Sep 19 03:30:43 TD-F5 notice mcpd[7077]: 01070638:5: Pool /Common/internal_dev_pool member /Common/10.8.16.111:9002 monitor status down. [ /Common/tcp: down ] [ was up for 46hrs:43mins:1sec ] Sep 27 05:18:24 TD-F5 notice mcpd[7077]: 01070727:5: Pool /Common/internal_dev_pool member /Common/10.8.17.2:80 monitor status up. [ /Common/tcp: up ][ was down for 244hrs:27mins:15sec ] Such log messages do not seem to be appear in the logs. I tried to view the logs using CLI as well as GUI. Can anyone help to understand how to obtain these logs or if I am missing something?
ASM Reporting in BIG IQ
Case Scenario: Single BIG IP device managed by Single BIG IQ device at a client. BIG IP was used to send daily scheduled reports including top attacks in the day, most affected virtual servers, top triggered security policies, bot traffic for the day, dos traffic for the day, top attacks by geo-location and such. Client wanted a BIG IQ, we provided and all the data is being sent to the BIG IQ. Problem Scenario: All the configurations have been properly set up and we can view all the data from BIG IQ. We also set up a scheduling report and now, unlike BIG IP, there is no way we can create such reports and schedule them. Either that or we havent found the proper ways to do so. The only report that can be sent is a very generic overview with how much traffic the whole system has been getting and nothing much. If we go back to BIG IP and send the report from there, the BIG IQ doesnot display its graphs in the monitoring tab, and removing the whole centralized monitoring part. (We get that the need of BIG IQ is not apparent in the scenario, but such is the case) Required Scenario: The BIG IQ will be used to centrally monitor the lonesome BIG IP and BIG IQ has to be able to send the scheduled report as BIG IP used to. Is there a way to do so? or is it a lost cause? If it helps, we have configured all the security policies, logging profiles and such from BIG IP and simply imported them to BIG IQ.Request logging - log backend issues
Hello everyone, been a happy user of a remote request logging profile for some time now, but recently we had an influx of issues where the backend would be failing in some way or another and the only data of this would be on the clients' side with F5 responding with 'TCP RST' packet, therefore a requirement was raised to log any errors. Looking at documentation it seemed "Error Template" was exactly for this, so I configured a simple debug profile: Then tried multiple usecases: backend responds with 200: standard "REQUEST" and "RESPONSE" gets logged backend responds with non-2xx response code: standard "REQUEST" and "RESPONSE" gets logged. backend is down: F5 responds with TCP RST and NOTHING is logged backend is shutdown just as F5 processes the request: REQUEST gets logged, but RESPONSE doesn't and F5 responds with TCP reset Can someone please share what am I doing wrong or help me understand when is the "Error Template" used? I am clearly misunderstanding it. Thanks a lot, Michal.
Using Remote Logging How Often are Log Entries Sent To Remote Logging Server
We have a F5 that sends it's syslog entries to Splunk. We only use remote logging not the analytics. How often does the F5 send the entries to the remote Spluink logging server. I think it writes the entries both locally and to the remote logging server at the same time. Is that correct? Thanks,
