Remote log WAF based on number of violations
Hi All, At a customer I have configured a WAF to protect their web applications. Also configured a Logging Profile to send the logging to a remote server. This works fine. But customer would like to have some control on what is being send to the remote server and when. So the log of a violation that only occurs once (within a certain time frame) does not need to go to the remote log server. But a (identical) violation that occurs serveral times and has a high security violation needs to be send to the remote server I know I can configure a filter to include or exclude what is being send to the remote server. But can the F5 WAF send logs to a remote server based on number of events within a time frame? Hope you can help or point me to some useful links or documents. Regards, Martijn
Remote logging profile changes not being applied
I've added another Splunk instance to my existing remote logging profile and the changes aren't being applied since no logs are reaching the new server. I checked over and over that the IP/port was correct and that the profile was associated with a virtual server/security policy whose traffic was being logged locally and on my existing Splunk instance. After scratching my head several times, I tried removing the working/currently functioning Splunk IP from the same remote logging profile. I saved the change and even verified it was sync'd to the standby device. Still, logs were being sent to the instance that I removed. Has anyone else experienced this type of issue - where saved changes weren't being applied? Tired of scratching my head. Thanks! Tone
Request logging - log backend issues
Hello everyone, been a happy user of a remote request logging profile for some time now, but recently we had an influx of issues where the backend would be failing in some way or another and the only data of this would be on the clients' side with F5 responding with 'TCP RST' packet, therefore a requirement was raised to log any errors. Looking at documentation it seemed "Error Template" was exactly for this, so I configured a simple debug profile: Then tried multiple usecases: backend responds with 200: standard "REQUEST" and "RESPONSE" gets logged backend responds with non-2xx response code: standard "REQUEST" and "RESPONSE" gets logged. backend is down: F5 responds with TCP RST and NOTHING is logged backend is shutdown just as F5 processes the request: REQUEST gets logged, but RESPONSE doesn't and F5 responds with TCP reset Can someone please share what am I doing wrong or help me understand when is the "Error Template" used? I am clearly misunderstanding it. Thanks a lot, Michal.Remote Logging Configuration is DSC
Hi, I'm encountering an issue while configuring the remote logging of a DSC. While I can optionally set the local IP, I cannot define which interface to use for remote logging. When no local IP is configured, the logs are send through the routing table of TMOS. I need to send the logs through the management interface, instead of the traffic interfaces. I can reach my goal when configuring the local IP as the one from the management interface. The poor thing is, that the configuration needs to be synchronized after configuration. When I then synchronize the configuration, the other nodes configuration doesn't have the management IP set, instead there is no local IP configured anymore and the traffic interfaces will be used to send out syslog traffic. Is there any way to configure remote logging in a DSC without synchronizing this part of the configuration or is there a way to change the routing of the syslog-ng to use the management interface as default? I saw very much users modifying the syslog-ng configuration itself, instead of using the builtin configuration. Unfortunately the documentation does only claim to set the local IP to a non-floating selfIP in HA configuration (https://support.f5.com/csp/article/K13080): Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM) based IP address. From my understanding and experience this would end in the same issue, because the non-floating selfIP is not synchronized, but the remote logging configuration needs to be synchronized. I'm very thankful for every hint. Greets, svs
Session logs appended to html after logging out.
I configured remote logging to our remote syslog server yesterday, and am having a strange issue occur today that is causing a lot of grief for our users and myself as the company's support person for the F5 SSL VPN. Here's the scenario: User logs into SSL VPN using the Web Client. After some time they log out of the client by clicking on the logout button on their webtop. The user then opens a new browser window to log into the VPN again. After putting in login credentials and clicking login or refreshing the browser they are presented with all of the session logs from their previous session. After refreshing the browser they are then able to log in normally. We are on LTM/APM 12.1.2. I turned on event logging through access policy and set it to go through our remote logging publisher, and it appears that this is when it started happening. We have remote URL monitoring, and everytime this happens to the monitoring service I get a page/email. Here's what the page looks like before you click the link: As soon as the link is clicked, you get a page full of this: These are the same logs I see in our syslog server. At the bottom of the page I see this text: HTTP/1.0 302 Found Location: /renderer/apd_inspection_host_enter_page.eui APD_Result: 1,0 APD_AgentName: /Common/client_checks_1_act_hd_software_check_ag APD_SID: f03a4141 Content-Type: text/html Content-Length: 35 /apd_inspection_host_enter_page.eui I already have a case open with F5 support, but was wondering if anyone here may have experienced this before.
Syslog to McAfee SIEM
Anyone integrate LTM and APM logging with a McAfee SIEM receiever (or any syslog receiver for that matter)? I am configuring I have the remote logging server configured in my log settings on the device. I want to make sure I am receiving logs from all my VS in LTM and all my access policies in APM. The only log setting I see within APM for each access policy is to slide over the default-log-setting in each. Where is this log setting configured? Can I create others? Or should I just be good by using this profile in each access profile and have all logs generated from APM and LTM sent over syslog to my receiver? Thanks all
High Speed Logging - Not working quite as expected (Specific to ArcSight)
Introduction I'm wondering if anyone can offer any advice on how this should be working and whether I'm getting the wrong understanding of this. To be clear, it is not the iRule HSL implementations but simply the built in /sys log-config filters/publishers/destinations. My Requirements I require logs to continue to be available on the Big-IP, as though we've not configured any differences to logging. I also want to log everything (debug from all sources) out to our chosen SIEM product ArcSight. Things to Know I'm using Big-IP 11.6.0 HF3 (ENG) Resources provisioned: APM Not requiring additional logging such as request logging. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-6-0/22.html?sr=43624187 Configuration, so far Configured a pool named SIEM-ArcSight-Logging which contains the ArcSight Server, port 514. Configured a destination SIEM-Dest-HSL, type Remote High Speed Logging (unformatted), forwards to SIEM-ArcSight-Logging pool, type UDP Configured a destination SIEM-Dest-ArcSight, type ArcSight (formatted), forwards to SIEM-Dest-HSL Configured a publisher SIEM-Pub-Default, destinations: SIEM-Dest-ArcSight SIEM-Dest-HSL alertd Configured a filter SIEM-Filter, severity Debug, source all, Publisher SIEM-Pub-Default Please note... My gut feeling says I may have set the publisher up wrong, so I have tried each of their entries just on their own. alertd, SIEM-Dest-HSL seem to work fine (I see syslog traffic leaving for the HSL) but ArcSight does not. Documentation seems somewhat unclear as to what destinations are required, i.e. do I just need to add ArcSight and let it forward itself to HSL or do I need both. Also, should I be configuring multiple filters to cover debug/all or am I correct to have just the one 'catch all'. **I have additionally seen a warning on one presentation I bumped into whilst Googling away which said "Warning, dangerous defaults 'debug/all'" but I couldn't find an explanation of why these are dangerous, so I proceeded with caution and tried upping the severity but it made no difference. Any and all feedback/advice/other would be incredibly welcomed. Many thanks, JD.
Remote Logging of Log Files
I've configured F5 Big IP to send logs to a remote location. However it sends several messages. I know it is possible to configure log levels from 'Options' (critical, emergency, etc.) What I want to learn that, is it possible to configure remote logging such that sends only LTM logs (I mean logs written to /var/log/ltm file, only)?
