Forum Discussion
MVPconfigure custom log profile for F5 WAF
dears,
I configured a custom log profile on F5 WAF, to send the logs for waf policy to Siem solution, but I have an issue as still no logs appear on Seim solution, how can I solve this issue
Hi Amr_Ali,
try this (replace the IP with the IP of your SIEM solution):
tcpdump -nni 0.0:nnnp host 192.168.100.100 and udp port 514If something goes from your BIG-IP to your SIEM, you will see it with the tcpdump. And you can confirm the issue is not on your side.
KR
Danielbtw. telnet is TCP, syslog is UDP. telnet is not a good test.
6 Replies
Hi Amr_Ali ,
I am sure you have created the remote logging profile correct and assigned it to the virutual server.
-ust you need to check your routes back and forth.-Perform traceroute from your bigip selfip that sends traffic to the SIEM solution ( use ip route get ) utility on bash to get the vlan & selfip address which should send Logs to SIEM.
Ask network admins to open icmp to be able to trace your packet to SIEM.
- Make sure that SIEM admins created a logging profile for Bigip to allow bigip to send these logs to SIEM Collectors.
- make sure thay Port 514 udp & TCP is opened accross firewalls for your selfip/mamt interface whatever which interface should send Logs to SIEM
I hope this helps u.
This is the main points you need to check
Amr_Alisure Mohamed, i checked the route and made telnet on port 514 to check the connectivity, but still there was no log appearance on Siem solution,
I just need to confirm that the issue is not From the F5 waf side,
Hi Amr_Ali ,
so you should check from SIEM side , I think they need to define your bigip by creating profile to allow it to send logs
what SIEM is it SPLUNK or ARCSIGHT
- Amr_Ali
F5_Design_Engineer Yes it is Splunk, but the issue was solved from SIEM solution team side,
