Forum Discussion

The_Engima_Code
Nimbostratus
May 18, 2015

F5 ASM and SIEM

Hi,

 

I am trying to integrate McAfee SIEM with F5 ASM and it seems the SIEM won't parse the logs correctly. I have raised a ticket with McAfee and they confirmed that the SIEM is working fine but the F5 logs are not sent properly from F5. The SIEM expects the delimiter to be '|' instead of ';'.

 

Could you please confirm if the below logs have the correct format for F5 running on 11.2.1?

 

Below is a snippet of the logs:

 

<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.X.X.X;DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nConnection: keep-alive\r\nCookie: systemonline=rd1894o00000000000000000000ffff0ae82510o8081; TS23170d=b7a4548f02236bf5190c7a96708fe5af43b1ac33e4d3adb955595077a59b3514f8bf1008; TS553073=b9c1bdd560eba8c7c65346b59981217b361524825b09819e55595073a59b3514f8bf1008fd3b4071173028d4; __utma=18589601.539768155.1431916378.1431916378.1431916378.1; __utmb=18589601.6.10.1431916378; __utmc=18589601; __utmt=1; __utmz=18589601.1431916378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18\r\nAccept-Language: ja-jp\r\nReferer: https://xyz.com/system\r\nAccept-Encoding: gzip, deflate\r\nX-Forwarded-For: 1.2.3.4\r\nX-Forwarded-For: 1

 

2 Replies

  • Mahesh, whoever is managing the ASM needs to configure the Logging Profile for your ASM policy to be in the format acceptable to McAfee SIEM - if it is a delimiter issue then it can be easily configured in the Logging Profile screen (just change the semicolon to a pipe in the Delimiter field).

     

    Only McAfee can tell you what the correct format is that their device is expecting - you can then ask the ASM guys to configure the logging profile to match this format.

     

    Hope this helps,

     

    Sam

     

  • Hi,

     

    You can select 'Remote Storage Type' in the logging profile and change the delimiter value to |.

     

    • Navigate to Security ›› Event Logs : Logging Profiles ›› Edit Logging Profile
    • You can see Remote Storage Type. Select 'Remote' from drop down.
    • In the Facility field, type the delimiter | instead of ,
    • Select the appropriate Storage Format from the available list.
    • Update the config.

    Hope this helps.

     

    -Jinshu
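Changing the delimiter in the logging profile, as both replies describe, fixes the field separator, but the event quoted in the post also shows why a SIEM parser that splits on every separator character stays fragile: the HEADERS value carries the cookie separators "; " and the __utmz cookie value itself contains "|", so a plain split breaks on ";" today and would break on "|" after the change. The Python below is an added example, not code from this thread or from F5 or McAfee. It parses an ASM event by starting a new field only where the delimiter is followed by a known field name, compares that with a naive split, and reports which candidate delimiters occur inside the parsed values. The field list is taken from the event in the post and is assumed to be incomplete; the sample event is constructed, with invented addresses and cookie values.

```python
import re

# Field names visible in the event quoted in the post. The real ASM schema
# has more; extend this tuple from the Storage Format of your logging profile
# (assumption: the list below is incomplete).
ASM_FIELDS = ("ID", "TYPE", "DATE", "DEST_IP", "DEST_PORT", "GEO", "HEADERS")

# Constructed sample modelled on the post's event. Addresses, cookie names and
# cookie values are invented; the CRLF inside HEADERS is written as the
# literal text "\r\n", as it appears in the post.
SAMPLE = (
    r"<130>May 18 14:37:43 ASM.test.net ASM:ID=17934223281240667815;"
    r"TYPE=Session Hijacking;DATE=2015-05-18 14:37:43;DEST_IP=10.0.0.1;"
    r"DEST_PORT=443;GEO=NZ;HEADERS=Host: abcd.com\r\n"
    r"Accept: text/html,application/xml;q=0.9\r\n"
    r"Cookie: a=1; b=2; __utmz=1.1.utmcsr=(direct)|utmccn=(direct)\r\n"
    r"X-Forwarded-For: 1.2.3.4"
)


def split_syslog(line):
    """Split '<PRI>timestamp host ASM:payload' into (pri, header, payload).

    Returns None for lines that are not ASM events.
    """
    m = re.match(r"^<(\d{1,3})>(.*?) ASM:(.*)$", line, re.S)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def parse_asm_payload(payload, delim=";", fields=ASM_FIELDS):
    """Key-anchored parse of the ASM payload.

    A new field starts only where the delimiter is followed by a known
    field name and '='; delimiters inside values (cookie separators,
    q-values in Accept, pipes in __utmz) stay part of the value.
    """
    keys = "|".join(re.escape(k) for k in fields)
    starts = re.compile(r"(?:^|%s)(%s)=" % (re.escape(delim), keys))
    matches = list(starts.finditer(payload))
    parsed = {}
    for i, m in enumerate(matches):
        value_end = matches[i + 1].start() if i + 1 < len(matches) else len(payload)
        parsed[m.group(1)] = payload[m.end():value_end]
    return parsed


def naive_parse(payload, delim=";"):
    """What a generic key=value parser does: split on every delimiter."""
    parsed = {}
    for token in payload.split(delim):
        key, _, value = token.partition("=")
        parsed[key] = value
    return parsed


def delimiter_collisions(parsed, candidates=(";", "|", ",")):
    """Which candidate delimiters occur inside the parsed field values."""
    return {d: sorted(k for k, v in parsed.items() if d in v) for d in candidates}


def analyze(line, delim=";"):
    """Parse one event both ways and flag delimiter collisions."""
    pri, _header, payload = split_syslog(line)
    strict = parse_asm_payload(payload, delim)
    return {
        "pri": pri,
        "strict": strict,
        "naive": naive_parse(payload, delim),
        "collisions": delimiter_collisions(strict),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("key-anchored fields:", sorted(result["strict"]))
    print("naive split fields: ", sorted(result["naive"]))
    print("delimiters found inside values:", result["collisions"])
```

Run against the constructed event, the key-anchored parse returns exactly the seven fields with HEADERS intact, while the naive split returns ten "fields" and truncates HEADERS at the first q-value. The collision report shows ";", "|" and "," all occurring inside HEADERS, which is the check worth running over a day of real events before settling on a delimiter: pick one that never appears in the values your policy logs, or make the SIEM parser anchor on field names as above. The same parse_asm_payload works unchanged once the profile is switched to "|".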