Forum Discussion

OM's avatar
OM
Icon for Nimbostratus rankNimbostratus
Dec 09, 2015

splunk attack signature id

hi,

 

when splunk receives the ASM logs, the signature of the attack is missing. I also checked the asm logs (/var/log/asm), same result. These logs are called local-syslog. However, the database logs of the asm has all attack signature details. These logs are called local-db.

 

I am trying to figure out how the asm database logs (local-db) are converted to syslogs (local-syslog), and why some some details are missing in the syslogs.

 

thanks.

 

O.

 

2 Replies

  • I do not believe asm will log (or can even be configured to log) all the violation/attack signature details to /var/log/asm. If there is an option to enable this I have never seen it. You could open case with F5 support to see if it's possible. However, logging detailed violation information with syslog is not a good idea. Too much performance overhead. Beginning with v11.6.0 asm does not log any security violation events [SECEV] to /var/log/asm by default and that is the recommended best practice. See SOL16053.

     

    This is best handled by creating remote logging profile in the ASM config: Security>Event Logs>Logging Profiles. Send illegal requests to your Splunk server.

     

  • Create a logging profile to direct them to your syslog server (eg. Splunk)