F5 ASM and SIEM
Hi,
I am trying to integrate McAfee SIEM with F5 ASM, and it seems the SIEM won't parse the logs correctly. I have raised a ticket with McAfee and they confirmed that the SIEM is working fine but the F5 logs are not sent properly from F5. The SIEM expects the delimiter to be '|' instead of ';'.
Could you please confirm if the below logs have the correct format for F5 running on 11.2.1?
Below is a snippet of the logs:
<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.X.X.X;DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nConnection: keep-alive\r\nCookie: systemonline=rd1894o00000000000000000000ffff0ae82510o8081; TS23170d=b7a4548f02236bf5190c7a96708fe5af43b1ac33e4d3adb955595077a59b3514f8bf1008; TS553073=b9c1bdd560eba8c7c65346b59981217b361524825b09819e55595073a59b3514f8bf1008fd3b4071173028d4; __utma=18589601.539768155.1431916378.1431916378.1431916378.1; __utmb=18589601.6.10.1431916378; __utmc=18589601; __utmt=1; __utmz=18589601.1431916378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18\r\nAccept-Language: ja-jp\r\nReferer: https://xyz.com/system\r\nAccept-Encoding: gzip, deflate\r\nX-Forwarded-For: 1.2.3.4\r\nX-Forwarded-For: 1
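As an added example (not code from the post, from F5 or from McAfee), here is a small parser for the ASM key=value format shown above. It splits fields only at a ';' that is directly followed by an upper-case KEY= token, so the ';' characters inside the HEADERS value (Accept q-values, Cookie separators) survive, and it re-emits the record with '|' as the delimiter, escaping any '|' already present in a value (the utmz cookie in the post contains several). The sample line is constructed and shortened from the post; the IP and cookie values are placeholders, and the upper-case-key heuristic is an assumption that would misfire on a cookie named entirely in upper case written without a space after ';'.

```python
import re

# Constructed sample, shortened from the format shown in the post;
# IPs and cookie values are placeholders, \r\n is literal as in the log.
SAMPLE = (
    "<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;"
    "TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.0.0.1;"
    "DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\\r\\nAccept: text/html,"
    "application/xml;q=0.9,*/*;q=0.8\\r\\nCookie: a=1; TS23170d=b7a4; "
    "__utmz=1.utmcsr=(direct)|utmccn=(direct)\\r\\nX-Forwarded-For: 1.2.3.4"
)

# Field boundary: ';' immediately followed by an upper-case KEY= token.
# Plain ';' inside values (Accept q-values, "; cookie=") is left alone.
# Assumption: ASM field names are upper case; an all-caps cookie written
# as ";NAME=" with no space would be mistaken for a field boundary.
FIELD_SEP = re.compile(r";(?=[A-Z][A-Z0-9_]*=)")
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ASM:(.*)$")


def parse_asm_line(line: str) -> dict:
    """Split one ASM syslog line into a dict of field name -> value."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an ASM syslog line")
    pri, ts, host, body = m.groups()
    fields = {"PRI": pri, "TIMESTAMP": ts, "HOST": host}
    for part in FIELD_SEP.split(body):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def to_pipe_delimited(fields: dict) -> str:
    """Re-emit the record with '|' between fields, escaping '|' in values."""
    parts = []
    for key, value in fields.items():
        escaped = value.replace("|", "\\|")  # keep a literal '|' from splitting a field
        parts.append(f"{key}={escaped}")
    return "|".join(parts)


if __name__ == "__main__":
    record = parse_asm_line(SAMPLE)
    print(record["TYPE"], record["DEST_IP"], record["DEST_PORT"])
    print(to_pipe_delimited(record))
```

Without the escape in `to_pipe_delimited`, a naive `split("|")` on the re-emitted line would cut the HEADERS value at the utmz cookie, which is the same class of problem the SIEM has with ';' today.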