Forum Discussion

Nimbostratus

Dec 09, 2015

splunk attack signature id

hi, when splunk receives the ASM logs, the signature of the attack is missing. I also checked the asm logs (/var/log/asm), same result. These logs are called local-syslog. However, the database ...

application delivery

ASM Advanced WAF

gsharri

Altostratus

Dec 09, 2015

I do not believe asm will log (or can even be configured to log) all the violation/attack signature details to /var/log/asm. If there is an option to enable this I have never seen it. You could open case with F5 support to see if it's possible. However, logging detailed violation information with syslog is not a good idea. Too much performance overhead. Beginning with v11.6.0 asm does not log any security violation events [SECEV] to /var/log/asm by default and that is the recommended best practice. See SOL16053.

This is best handled by creating remote logging profile in the ASM config: Security>Event Logs>Logging Profiles. Send illegal requests to your Splunk server.

Forum Discussion

splunk attack signature id

Recent Discussions

Enterprise Security best practices with F5 WAF

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

The HTTP/2 CONTINUATION frame attack

Default Attack Signature Sets