Forum Discussion

Greg_130338
Aug 18, 2015

Syslog to McAfee SIEM

Anyone integrate LTM and APM logging with a McAfee SIEM receiver (or any syslog receiver for that matter)? I have the remote logging server configured in my log settings on the device. I want to make sure I am receiving logs from all my VSs in LTM and all my access policies in APM. The only log setting I see within APM for each access policy is to slide over the default-log-setting in each. Where is this log setting configured? Can I create others? Or should I just be good by using this profile in each access profile and have all logs generated from APM and LTM sent over syslog to my receiver?


Thanks all


10 Replies

  • I am also trying to integrate this. Currently we see the logs in McAfee ESM as unknown. McAfee says there is no issue at their end. If you have successfully integrated, please share some pointers.


    • Greg_130338
      The ERC has device types for LTM, APM and ASM, but all the rules apply to each one. So I just added my BIG-IP internal IP address as a data source, enabled logging on LTM in system config and moved the default logging profile over from available on each APM policy. That seemed to capture and parse everything. What are your versions on BIG-IP and ESM?
    • Greg_130338
      Sorry, I meant I just added the BIG-IP internal IP as F5 LTM and it encompassed all LTM, APM and ASM parsers.
    • SDnath_82757
      Is it that the SIEM's default F5 parsing rules were able to get the logs parsed? Were all types of logs visible to the McAfee SIEM?
  • We have multiple LTM devices with different versions. But currently the first one I am trying to integrate is on 11.4.1.


    • Greg_130338
      Sorry for getting back to you so late. We are running ESM 9.5.0 MR4 and BIG-IP 11.5.2. Do you have any BIG-IPs on that version? I would try that first to rule out version issues if you can. I read something previously about needing iRules to convert F5 syslog into some sort of format that the ERC could understand and parse, but I need to dig around again to see. To answer your previous question, I am able to parse LTM, APM, and ASM logs currently without any custom iRule or ESM/RC config.
    • Greg_130338
      And actually, now that we're collecting more logs, it appears I do have a lot of unknown events as well. Not sure if that's expected, or if you are getting ALL unknown events and nothing parsed still?
  • I could finally implement it successfully. I put a filter in syslog which allows me more selective output.


    The McAfee SIEM parser had to be tweaked a bit to make it all work, but the best part is


  • Andy

    Can you let me know what you have filtered? Any dashboard views at all?
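The thread mentions many events arriving in ESM as "unknown" and a syslog filter used to narrow what is forwarded. As an added example (not code from the thread or from F5/McAfee), the script below triages a sample of BIG-IP syslog lines before they reach the SIEM, sorting them into LTM/APM/ASM or "unknown" so you can see which lines a BIG-IP parser would have no structure to match. The sample lines are constructed; the message-ID-to-module mapping (0149xxxx treated as APM, any other BIG-IP message ID as LTM/system, "ASM:" key=value records as ASM) is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in BIG-IP syslog style (not copied from the thread).
SAMPLE_LINES = [
    "Aug 18 10:00:01 bigip1 notice mcpd[6353]: 01070638:5: Pool /Common/web_pool "
    "member /Common/10.1.1.10:80 monitor status down.",
    "Aug 18 10:00:02 bigip1 notice apmd[9182]: 01490500:5: /Common/vpn_policy:Common:"
    "0a1b2c3d: New session from client IP 203.0.113.7 at VIP 192.0.2.10",
    'Aug 18 10:00:03 bigip1 ASM:unit_hostname="bigip1",request_status="blocked",'
    'ip_client="203.0.113.7",violations="Illegal URL"',
    "Aug 18 10:00:04 bigip1 info sshd[2210]: Accepted publickey for admin from "
    "10.0.0.5 port 51234 ssh2",
]

# BIG-IP daemon messages carry an 8-hex-digit message ID followed by a level digit.
MSGID_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: (?P<msgid>[0-9A-Fa-f]{8}):\d: (?P<text>.*)$"
)
# ASM security events are emitted as a comma-separated key="value" record after "ASM:".
ASM_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ASM:(?P<kv>.*)$")


def classify(line: str) -> dict:
    """Return {'module': ..., 'msgid': ..., 'text': ...} for one syslog line.
    Assumption: message IDs starting 0149 are APM; any other BIG-IP message ID is
    treated as LTM/system; ASM records are detected by the 'ASM:' marker. Lines that
    match neither are 'unknown', which is what a SIEM parser is likely to drop."""
    m = MSGID_RE.match(line)
    if m:
        module = "APM" if m["msgid"].upper().startswith("0149") else "LTM"
        return {"module": module, "msgid": m["msgid"], "text": m["text"]}
    m = ASM_RE.match(line)
    if m:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', m["kv"]))
        return {"module": "ASM", "msgid": None, "text": fields}
    return {"module": "unknown", "msgid": None, "text": line}


def summarize(lines) -> Counter:
    """Count lines per module so the share of 'unknown' events is visible."""
    return Counter(classify(l)["module"] for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line)["module"], line[:60])
    print(summarize(SAMPLE_LINES))
```

Run it against a few hundred lines from /var/log/ltm (or a capture of what is being forwarded) to see how much of the "unknown" share comes from non-BIG-IP daemons such as sshd versus BIG-IP messages the SIEM's parser does not cover.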