Forum Discussion

Spike_Li (Employee)
Jun 19, 2022

F5 BIG-IP Automatic email notification for system live update (ASM/AWAF signature)

Recently I had a request from the Security team asking for an email to be sent from the F5 BIG-IP when it installs a live update, such as ASM signature updates, via the automatic schedule. Upon looking at the KBs, it doesn't seem to be a natively embedded function for now.

So my idea is to trace the system log for signature updates and generate an SNMP message to trigger an email notification.

Most syslogs and updates can be found in the /log/var/ directory, whereas some event-based logs, such as signature updates, are located in a different place.

The system live update info is located in /var/log/tomcat/liveupdate.log

So the thinking is that once the system generates a log after the signature update, you can grab the log info and use a unique keyword to identify completion of the update, and use the keyword with a customised OID to trigger an SNMP trap for system notification.

Once you have scheduled or completed an installation, you should be able to see the log generated with the following info:

cat /var/log/tomcat/liveupdate.log | grep modifiedEntitiesCount


{"link":"https://localhost/mgmt/tm/asm/signatures/y5tmU8gG6VdfPFaVbRSPLg","name":"Java code injection - java.util.concurrent.ScheduledThreadPoolExecutor"},{"link":"https://localhost/mgmt/tm/asm/signatures/7KeqKA8hHqv2cfJBXRMz9Q","name":"Java code injection - oracle.jms.AQjmsQueueConnectionFactory"},{"link":"https://localhost/mgmt/tm/asm/signatures/-NXlVMOujg3EvdVKd7PVQA","name":"btoa() (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/sqa3ct3N1gOjMZLc3KiNsw","name":"SQL-INJ \"UNION SELECT\" (3) (URI)"},{"link":"https://localhost/mgmt/tm/asm/signatures/J4R4I5KgY8akJtm3TOc55w","name":"\"/etc/php4/apache2/php.ini\" access (Parameter)"},{"link":"https://localhost/mgmt/tm/asm/signatures/S2IcFP11pOpAHjFOSBIi3Q","name":"\"mail\" execution attempt (2) (Header)"},{"link":"https://localhost/mgmt/tm/asm/signatures/HUqMOwJ9SHU6mJF0y3HjBg","name":"SQL-INJ convert(db_name) (Header)"}],"modifiedEntitiesCount":1599}


The word modifiedEntitiesCount seemed to only populate upon completion of a signature update installation, so we could use the log keyword modifiedEntitiesCount to customise a system OID associated with email alerts.

Add something like the following to /config/user_alert.conf:

alert ASM_update_STATUS " modifiedEntitiesCount(.*)" {
 snmptrap OID=""
}

And create an email alert with the SNMP trap:

snmptrap OID=".";
email toaddress=""
body="The Signature has been updated!"


This trick could also apply to any event-based notification you'd like to send using a keyword from log files.

If you would like to put some feed from BIG-IP notifications instead of using your log server to filter some tailored events, I hope this could be helpful.

Any comments for improvement or correction would be highly appreciated.

1 Reply

  • Updates:

    A better tracking mechanism is to use the /var/log/asm log file. As it generates a log entry including the keywords "Signatures update successfully" upon system update completion, it's easier to trace and consumes fewer resources compared to reading the tomcat log file.
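
As an added example (not part of the original post or reply, and not F5 code): a small Python check that runs candidate alert patterns against sample log lines before they go into /config/user_alert.conf, and pulls the modifiedEntitiesCount value out of the JSON line. The sample lines are constructed, and it assumes the alert string is matched as an unanchored regular expression.

```python
import re

# Constructed sample lines (not captured from a device). The first is shortened
# from the liveupdate.log entry quoted in the post; the syslog-style prefix on
# the other lines is an assumed layout around the phrase quoted in the reply.
SAMPLE_LINES = [
    '{"link":"https://localhost/mgmt/tm/asm/signatures/EXAMPLE",'
    '"name":"btoa() (URI)"}],"modifiedEntitiesCount":1599}',
    'Jun 19 02:00:11 bigip1 info example-daemon[1234]: Signatures update successfully',
    '{"status":"downloading","progress":40}',
    'Jun 19 02:00:05 bigip1 info example-daemon[1234]: Signatures update started',
]

# Candidate alert patterns: the one posted above (with its leading space),
# the same keyword without the space, and the phrase from the reply.
PATTERNS = {
    "posted": r" modifiedEntitiesCount(.*)",
    "no_space": r"modifiedEntitiesCount(.*)",
    "asm_phrase": r"Signatures update successfully",
}

COUNT_RE = re.compile(r'"modifiedEntitiesCount"\s*:\s*(\d+)')


def matching_lines(pattern, lines):
    """Return indexes of lines the pattern matches anywhere (unanchored search)."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def modified_count(line):
    """Return the modifiedEntitiesCount value as an int, or None if absent."""
    m = COUNT_RE.search(line)
    return int(m.group(1)) if m else None


def report(patterns, lines):
    """Map each pattern name to the line indexes it would fire on."""
    return {name: matching_lines(p, lines) for name, p in patterns.items()}


if __name__ == "__main__":
    for name, hits in report(PATTERNS, SAMPLE_LINES).items():
        print(f"{name:10s} fires on lines {hits}")
    print("entities modified:", modified_count(SAMPLE_LINES[0]))
```

On these samples the posted pattern with its leading space does not fire, because in the JSON line the keyword follows a quote character rather than a space; the other two patterns each fire on exactly one completion line.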