15-Sep-2023 13:45
Dears,
I configured a custom log profile on the F5 WAF to send the logs for the WAF policy to the SIEM solution, but I have an issue: still no logs appear on the SIEM solution. How can I solve this issue?
18-Sep-2023 00:07 - edited 18-Sep-2023 00:08
Hi @Amr_Ali,
try this (replace the IP with the IP of your SIEM solution):
tcpdump -nni 0.0:nnnp host 192.168.100.100 and udp port 514
If something goes from your BIG-IP to your SIEM, you will see it with the tcpdump, and you can confirm the issue is not on your side.
KR
Daniel
BTW, telnet is TCP, syslog is UDP. Telnet is not a good test.
15-Sep-2023 18:27
Hi @Amr_Ali ,
I am sure you have created the remote logging profile correctly and assigned it to the virtual server.
- You just need to check your routes back and forth.
- Perform a traceroute from your BIG-IP self IP that sends traffic to the SIEM solution (use the ip route get utility in bash to get the VLAN and self IP address which should send logs to the SIEM).
Ask the network admins to open ICMP to be able to trace your packets to the SIEM.
- Make sure that the SIEM admins created a logging profile for the BIG-IP to allow it to send these logs to the SIEM collectors.
- Make sure that port 514 UDP & TCP is open across firewalls for your self IP/management interface, whichever interface should send logs to the SIEM.
I hope this helps you.
These are the main points you need to check.
16-Sep-2023 00:22
Sure Mohamed, I checked the route and did a telnet on port 514 to check the connectivity, but still there was no log appearance on the SIEM solution.
I just need to confirm that the issue is not from the F5 WAF side.
17-Sep-2023 02:31
Hi @Amr_Ali ,
So you should check from the SIEM side. I think they need to define your BIG-IP by creating a profile to allow it to send logs.
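A loopback version of the checks from the posts above, added here as an example and not part of the thread: it reports the source address the kernel would pick for the SIEM (the ip route get step), shows that a telnet-style TCP connect to the collector port fails while a UDP syslog datagram still arrives there, and parses what the collector received. It runs entirely on 127.0.0.1 in Python rather than on the BIG-IP shell; the hostname, timestamp and policy fields in the sample message are constructed and do not reproduce the real BIG-IP ASM remote-logging format.

```python
import re
import socket

# RFC 3164 facility/severity used by the constructed sample: local0.info -> PRI 134
LOCAL0, INFO = 16, 6


def build_syslog(msg: str, hostname: str = "bigip1", tag: str = "ASM",
                 timestamp: str = "Sep 15 13:45:00",
                 facility: int = LOCAL0, severity: int = INFO) -> bytes:
    """Assemble one RFC 3164 datagram: "<PRI>TIMESTAMP HOST TAG: MSG".
    The hostname, tag and timestamp defaults are constructed, not from a real BIG-IP."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$",
    re.S,
)


def parse_syslog(raw: bytes) -> dict:
    """Split a datagram back into its fields (what a collector's first parsing stage does)."""
    m = _SYSLOG_RE.match(raw.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def source_ip_for(dest_ip: str, dest_port: int = 514) -> str:
    """Local address the kernel would source the logs from for dest_ip: the same answer
    'ip route get <SIEM-IP>' gives on the BIG-IP shell. connect() on a UDP socket only
    selects the route; no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


def tcp_connect_ok(host: str, port: int, timeout: float = 2.0) -> bool:
    """What 'telnet host 514' really tests: a TCP three-way handshake, nothing about UDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_roundtrip(payload: bytes, host: str = "127.0.0.1", timeout: float = 2.0) -> dict:
    """Stand in for the SIEM collector on an ephemeral UDP port, probe it the telnet way,
    then send the datagram the way a remote-logging destination does (fire and forget).
    Returns the port, whether the TCP probe succeeded, and what the collector received
    (None if nothing arrived before the timeout). UDP gives the sender no acknowledgement,
    so only the receiving side, or a capture such as tcpdump, can confirm delivery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        collector.bind((host, 0))
        collector.settimeout(timeout)
        port = collector.getsockname()[1]
        tcp_ok = tcp_connect_ok(host, port)  # only UDP is bound here, so this is False
        sender.sendto(payload, (host, port))
        try:
            received, _ = collector.recvfrom(65535)
        except socket.timeout:
            received = None
        return {"port": port, "tcp_connect": tcp_ok, "received": received}


if __name__ == "__main__":
    # Constructed stand-in for a WAF policy event; the real BIG-IP ASM log format differs.
    sample = build_syslog('policy_name="waf_policy",request_status="blocked",ip_client="10.0.0.5"')
    print("would source from:", source_ip_for("127.0.0.1"))
    result = udp_roundtrip(sample)
    print("telnet-style TCP probe succeeded:", result["tcp_connect"])
    print("collector received:", parse_syslog(result["received"]) if result["received"] else None)
```

Point source_ip_for at the real SIEM address to see which self IP or management address the BIG-IP would use, and match that against the firewall rules the posts above ask about; the TCP probe result is the reason a successful telnet on 514 proved nothing for the UDP syslog path.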
20-Sep-2023 02:38
What SIEM is it, Splunk or ArcSight?
20-Sep-2023 23:51
@F5_Design_Engineer Yes, it is Splunk, but the issue was solved from the SIEM solution team's side.