F5 Networks BIG-IP ASM

 

The JSA F5 Networks BIG-IP Application Security Manager (ASM) DSM collects web application security events from BIG-IP ASM appliances by using syslog.

To forward syslog events from an F5 Networks BIG-IP ASM appliance to JSA, you must configure a logging profile.

A logging profile can be used to configure remote storage for syslog events, which can be forwarded directly to JSA.

  1. Log in to the F5 Networks BIG-IP ASM appliance user interface.
  2. On the navigation pane, select Application Security > Options.
  3. Click Logging Profiles.
  4. Click Create.
  5. From the Configuration list, select Advanced.
  6. Type a descriptive name for the Profile Name property.
  7. Type a Profile Description.

    If you do not want data logged both locally and remotely, clear the Local Storage check box.

  8. Select the Remote Storage check box.
  9. From the Type list, select one of the following options:
    • In BIG-IP ASM V12.1.2 or earlier, select Reporting Server.

    • In BIG-IP ASM V13.0.0 or later, select key-value pairs.

  10. From the Protocol list, select TCP.
  11. For the IP Address field, type the IP address of the JSA console and for the Port field, type a port value of 514.
  12. Select the Guarantee Logging check box.

    Note

    Enabling the Guarantee Logging option ensures that the system continues to log requests for the web application when the logging utility is competing for system resources. Enabling the Guarantee Logging option can slow access to the associated web application.

  13. Select the Report Detected Anomalies check box to allow the system to log details.
  14. Click Create.

    The display refreshes with the new logging profile. The log source is added to JSA as F5 Networks BIG-IP ASM events are automatically discovered. Events that are forwarded by F5 Networks BIG-IP ASM are displayed on the Log Activity tab of JSA.

Syslog Log Source Parameters for F5 Networks BIG-IP ASM

If JSA does not automatically detect the log source, add an F5 Networks BIG-IP ASM log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from F5 Networks BIG-IP ASM:

Table 1: Syslog Log Source Parameters for the F5 Networks BIG-IP ASM DSM

| Parameter | Value |
|---|---|
| Log Source type | F5 Networks BIG-IP ASM |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP ASM devices. |

F5 Networks BIG-IP ASM Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

F5 Networks BIG-IP ASM sample message when you use the syslog protocol

The following sample event message shows a distributed attack event.

<134>Jul 25 11:47:52 f5networks.asm.test ASM:software_version="14.1.0",current_mitigation="alarm",unit_hostname="f5networks.asm.test",management_ip_address="10.192.138.11",management_ip_address_2="",operation_mode="Transparent",date_time="2019-07-25 11:41:38",policy_apply_date="2019-07-23 15:24:21",policy_name="/Common/extranet_sonstige",vs_name="/Common/extranett.qradar.example.test_443",anomaly_attack_type="Distributed Attack",uri="/qradar.example.test",attack_status="ongoing",detection_mode="Number of Failed Logins Increased",severity="Emergency",mitigated_entity_name="username",mitigated_entity_value="exnyjtgk",mitigated_ipaddr_geo="N/A",attack_id="2508639270",mitigated_entity_failed_logins="0",mitigated_entity_failed_logins_threshold="3",mitigated_entity_total_mitigations="0",mitigated_entity_passed_challenges="0",mitigated_entity_passed_captchas="0",mitigated_entity_rejected_logins="0",leaked_username_login_attempts="0",leaked_username_failed_logins="0",leaked_username_time_of_last_login_attempt="2497667872",normal_failed_logins="78",detected_failed_logins="70",failed_logins_threshold="100",normal_login_attempts="91",detected_login_attempts="78",login_attempts_matching_leaked_credentials="0",total_mitigated_login_attempts="60",total_client_side_integrity_challenges="0",total_captcha_challenges="0",total_blocking_page_challenges="0",total_passed_client_side_integrity_challenges="0",total_passed_captcha_challenges="0",total_drops="0",total_successful_mitigations="0",protocol="HTTPS",login_attempts_matching_leaked_credentials_threshold="100",login_stress="73"
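
To check that a captured event has the key-value pairs shape of the sample message before troubleshooting the log source, the following added example (not part of the original page, and not JSA or F5 code) strips the line breaks the note above warns about, decodes the syslog priority, and splits the payload into fields. The function name `parse_asm_event` and the trimmed input are assumptions made for illustration, as is the premise that values hold no embedded double quotes.

```python
import re

# Constructed input: a trimmed excerpt of the sample event above, with CR/LF
# inserted on purpose to mimic a copy that formatting has wrapped.
RAW = (
    '<134>Jul 25 11:47:52 f5networks.asm.test ASM:software_version="14.1.0",'
    'current_mitigation="alarm",unit_hostname="f5networks.asm.test",\r\n'
    'anomaly_attack_type="Distributed Attack",attack_status="ongoing",'
    'detection_mode="Number of Failed Logins Increased",severity="Emer\ngency",'
    'management_ip_address_2="",failed_logins_threshold="100",login_stress="73"'
)

# <PRI>, BSD-style timestamp, hostname, then the "ASM:" tag and the payload.
HEADER = re.compile(
    r'^<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ASM:(.*)$')
# Assumption: values contain no embedded double quotes (true for the sample).
PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_asm_event(raw):
    """Parse one BIG-IP ASM key-value syslog event into a dict."""
    line = raw.replace("\r", "").replace("\n", "")  # undo line wrapping
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an ASM key-value syslog event")
    pri, timestamp, host, body = m.groups()
    if int(pri) > 191:
        raise ValueError("syslog PRI out of range")
    # Anything left after removing well-formed pairs and the commas between
    # them means the payload was truncated or mangled on the way.
    leftover = PAIR.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError("unparsed payload: %r" % leftover[:40])
    return {
        "facility": int(pri) // 8,         # 134 -> 16 (local0)
        "syslog_severity": int(pri) % 8,   # 134 -> 6 (informational)
        "timestamp": timestamp,
        "host": host,
        "fields": dict(PAIR.findall(body)),
    }


if __name__ == "__main__":
    event = parse_asm_event(RAW)
    print(event["host"], event["fields"]["anomaly_attack_type"])
```

The `host` value is the name that appears in the syslog header, which is useful to compare against the Log Source Identifier configured in Table 1.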