Forum Discussion
ASM Signature Download logs to Remote SIEM server.
Hello Folks,
Could you please help me with a specific scenario for sending ASM logs to an external SIEM logging server?
Scenario: In case ASM fails to download the auto-signature database from F5's update server, it records these logs in /var/log/asm. How can I send these logs to my external SIEM logging server? Please consider that I am using firmware version 11.2.1.
Cheers! Darshan
6 Replies
- swo0sh_gt_13163
Altostratus
Hello SDnath,
What's up? Unfortunately I am failing to recall the resolution of this thread. The customer raised this requirement quite some time back. However, while tracing the same case I could see that I had suggested the customer follow the below, but thereafter the customer never got back to me.
Navigate to System > Logs > Configuration > Option > Application Security Logging, which should be set to Informational. After this recommendation, the customer didn't confirm whether that worked or not. I hope this helps.
Regards, Darshan
- SDnath_82757
Nimbostratus
Hi Darshan,
Were you able to implement the same?
- swo0sh_gt_13163
Altostratus
Hey Rob,
Thanks for the answer mate. I will give it a go and share my feedback if I find any success.
Thanks, Darshan
- rob_carr
Cirrocumulus
I can't think of an easy way to send just one (or a small number) of log messages off to a log host.
It's possible to use the alertd process to watch for specific log messages and then take an action if a log message is seen: sending an SNMP trap, an email or an LCD alarm, or executing an external script. You could write a filter for alertd that matches your signature update event log and then runs an external script that sends a syslog-formatted message to your SIEM server. The relevant solution is below:
http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14397.html?sr=32641837
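As an added illustration of the approach Rob describes (this is example code, not from the thread or from F5): a small bash script that an alertd exec action could run to forward a single syslog-formatted line to the SIEM over UDP/514. The SIEM address is a placeholder, facility local0 and severity warning are my choices, and the script assumes the matched message text is passed to it as arguments; check the linked solution for the exact action syntax.

```bash
#!/bin/bash
# Added example (not from the thread): forward one event to the SIEM as a
# syslog line when run by an alertd exec action on the BIG-IP.
# ASSUMPTIONS: SIEM_HOST below is a placeholder; facility local0 (16) and
# severity warning (4) are choices, not values from the page; the message
# text to forward arrives as the script's arguments.

SIEM_HOST="${SIEM_HOST:-siem.example.com}"   # placeholder, set for your site
SIEM_PORT="${SIEM_PORT:-514}"

# Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss hostname tag: message
# where PRI = facility * 8 + severity.
build_syslog_line() {
    facility=$1; severity=$2; host=$3; tag=$4; ts=$5; msg=$6
    pri=$(( facility * 8 + severity ))
    printf '<%d>%s %s %s: %s' "$pri" "$ts" "$host" "$tag" "$msg"
}

# Send one datagram via bash's /dev/udp pseudo-device, so no extra tools are
# needed on the BIG-IP host. Returns non-zero if the write fails.
send_udp() {
    printf '%s' "$1" > "/dev/udp/$SIEM_HOST/$SIEM_PORT"
}

# Wrap the event text with the local hostname and a timestamp, then send it.
forward_asm_event() {
    line=$(build_syslog_line 16 4 "$(hostname -s)" asm_sig_update \
                             "$(date '+%b %e %T')" "$*")
    send_udp "$line"
}

# Only forward when invoked with a message; sourcing the file just defines
# the functions without sending anything.
if [ $# -gt 0 ]; then
    forward_asm_event "$@"
fi
```

Only the matched event is forwarded, so this avoids the volume problem of shipping the whole of /var/log/asm; confirm the facility and severity your SIEM expects before deploying.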
- swo0sh_gt_13163
Altostratus
Hi Rob,
Thanks for your reply. I just need to capture ASM traffic generated by BIG-IP locally, i.e. requests for signature updates and their status. Is there any way to capture only the required logs?
Thanks, Darshan
- rob_carr
Cirrocumulus
An issue like that will end up being logged to /var/log/asm via the normal syslog processes. The instructions for forwarding syslog's output to a remote server are in solution 13080:
http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html
Be aware that quite a bit of traffic can be generated when you forward all of the syslog output, and you may need to filter syslog messages.