Forum Discussion

MvdG's avatar
Icon for Cirrus rankCirrus
Jun 03, 2024

Remote log WAF based on number of violations

Hi All,

At a customer I have configured a WAF to protect their web applications. Also configured a Logging Profile to send the logging to a remote server. This works fine.

But customer would like to have some control on what is being send to the remote server and when. 

So the log of a violation that only occurs once (within a certain time frame) does not need to go to the remote log server.
But a (identical) violation that occurs serveral times and has a high security violation needs to be send to the remote server

I know I can configure a filter to include or exclude what is being send to the remote server. But can the F5 WAF send logs to a remote server based on number of events within a time frame?

Hope you can help or point me to some useful links or documents.


2 Replies

  • You may be able to use iRules with tables for this: For custom items not supported by the F5 BIG-IP, you can update a table within the iRule event for a WAF: If the table reaches a custom threshold amount, have the iRule send an HSL (high speed logging) syslog type of event with custom messaging. This may take some development time and testing, but certainly would be doable... suggest using a test virtual server!

  • Hi,

    I have a follow up question. Is there an option to send only High and Medium violations within WAF to the remote syslog servers and don't send the Low violations? Or do I need to create an iRule and this is not an standard option within the F5 web GUI.