configure custom log profile for F5 WAF

Amr_Ali
Cirrostratus

Dears,

I configured a custom log profile on the F5 WAF to send the logs for the WAF policy to a SIEM solution, but I have an issue: still no logs appear on the SIEM solution. How can I solve this issue?

1 ACCEPTED SOLUTION

Hi @Amr_Ali,

Try this (replace the IP with the IP of your SIEM solution):

tcpdump -nni 0.0:nnnp host 192.168.100.100 and udp port 514

If something goes from your BIG-IP to your SIEM, you will see it with the tcpdump. And you can confirm the issue is not on your side.

KR
Daniel

BTW, telnet is TCP, syslog is UDP; telnet is not a good test.


6 REPLIES

Hi @Amr_Ali , 

I am sure you have created the remote logging profile correctly and assigned it to the virtual server.

- Just you need to check your routes back and forth.

- Perform a traceroute from your BIG-IP self IP that sends traffic to the SIEM solution (use the ip route get utility on bash to get the VLAN & self IP address which should send logs to the SIEM).
Ask the network admins to open ICMP to be able to trace your packet to the SIEM.

- Make sure that the SIEM admins created a logging profile for the BIG-IP to allow the BIG-IP to send these logs to the SIEM collectors.

- Make sure that port 514 UDP & TCP is open across the firewalls for your self IP/mgmt interface, whichever interface should send logs to the SIEM.

I hope this helps you.
These are the main points you need to check.

_______________________
Regards
Mohamed Kansoh

Sure Mohamed, I checked the route and made a telnet on port 514 to check the connectivity, but still there was no log appearance on the SIEM solution.

I just need to confirm that the issue is not from the F5 WAF side.

Hi @Amr_Ali,
so you should check from the SIEM side; I think they need to define your BIG-IP by creating a profile to allow it to send logs.

_______________________
Regards
Mohamed Kansoh

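The point made in the accepted solution (syslog here is UDP, so a telnet test on TCP 514 proves nothing) and Mohamed Kansoh's check that port 514 UDP is actually open can be reproduced on a loopback interface. The script below is an added example of mine, not code from the thread, from F5 or from the SIEM vendor: it builds a syslog line, shows that a TCP probe can succeed while a UDP datagram to the same port is accepted by the sender's kernel and silently goes nowhere, and then confirms delivery only when a UDP collector is really listening. The hostname, tag and message text are constructed for the demo; on a real BIG-IP you would still confirm egress with the tcpdump above and have the SIEM team check their receiver.

```python
"""Added example (not from the thread or from F5): loopback harness showing why a
TCP 'telnet host 514' test does not prove UDP syslog delivery, and how to confirm it."""
import socket
import time

# Syslog facility/severity numbers from RFC 3164 (PRI = facility * 8 + severity).
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def syslog_pri(facility, severity):
    """Encode facility and severity into the <PRI> value."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def build_syslog_message(hostname, tag, msg, facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Build an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    now = time.localtime()
    ts = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 2 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return divmod(pri, 8)


def tcp_port_open(host, port, timeout=1.0):
    """What 'telnet host 514' checks: a TCP handshake. It says nothing about UDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_udp_syslog(host, port, line):
    """Fire-and-forget datagram, as a syslog sender does.
    No exception means only that the local kernel accepted it, not that anyone received it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def udp_delivery_check(collector_sock, host, port, line, timeout=2.0):
    """Send `line` over UDP and confirm the collector socket received it verbatim."""
    collector_sock.settimeout(timeout)
    send_udp_syslog(host, port, line)
    try:
        data, _ = collector_sock.recvfrom(65535)
    except socket.timeout:
        return False
    return data.decode("utf-8") == line


def run_demo():
    """Loopback reproduction of the thread's situation. Returns a dict of findings."""
    # Constructed sample; field names are illustrative, not a real ASM log format.
    line = build_syslog_message("bigip1.example.test", "ASM",
                                "policy_name=/Common/waf_demo request_status=blocked")
    findings = {"parsed_pri": parse_pri(line)}

    # Scenario 1: something answers on TCP, but no UDP collector is bound to that port.
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    port = tcp_srv.getsockname()[1]
    findings["tcp_probe_ok"] = tcp_port_open("127.0.0.1", port)  # the telnet-style test "passes"
    try:
        send_udp_syslog("127.0.0.1", port, line)  # accepted locally, delivered to nobody
        findings["udp_send_error"] = None
    except OSError as exc:
        findings["udp_send_error"] = exc.errno
    tcp_srv.close()

    # Scenario 2: a real UDP collector (stand-in for the SIEM receiver) on loopback.
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    cport = collector.getsockname()[1]
    findings["udp_received"] = udp_delivery_check(collector, "127.0.0.1", cport, line)
    collector.close()
    return findings


if __name__ == "__main__":
    print(run_demo())
```

Run it with python3 and the findings show tcp_probe_ok True and udp_send_error None for the TCP-only port, yet udp_received True only once a UDP socket is bound: the sender cannot tell the difference, which is why confirming on the wire (tcpdump on the BIG-IP, a listener or capture on the collector) is the only reliable check.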

What SIEM is it, Splunk or ArcSight?

@F5_Design_Engineer Yes, it is Splunk, but the issue was solved from the SIEM solution team's side.