The BIG-IP Application Security Manager Part 10: Event Logging
This is the last article in a 10-part series on the BIG-IP Application Security Manager (ASM). The first nine articles in this series are:

What is the BIG-IP ASM?
Policy Building
The Importance of File Types, Parameters, and URLs
Attack Signatures
XML Security
IP Address Intelligence and Whitelisting
Geolocation
Data Guard
Username and Session Awareness Tracking

In this, the final article in the BIG-IP ASM series, we will dive into the excitement and necessity of event logging. Throughout this ASM series, we've looked at log files from a distance, but we never really talked about how to configure logging. I know...event logging might not be the most fascinating part of the ASM, but it's really important stuff! Before joining F5, I worked as a cyber threat analyst for a government organization. I saw lots of cyber attacks against various systems. After an attack took place, my team and I would come in and study the attack vector, target points, etc., and it seemingly never failed that the system logs showed at least some (and many times all) of the malicious activity. If someone had just been reviewing the logs...

Logging Profiles

Logging profiles specify how and where the ASM stores requests for application data. In versions prior to 11.3.0, a logging profile is associated with a security policy, but beginning in 11.3.0 the logging profile is associated with a virtual server. I'm using version 11.3.0 in these examples, so this article will associate a logging profile with a virtual server. When choosing a logging profile, you have the option of creating your own or using one of the system-supplied profiles. In addition, you can log data locally, remotely, or both using the same logging profile. Keep in mind that the system-supplied profiles are configured to log data locally only. The logging profile specifies two things: where the log data is stored (locally, remotely, or both) and what data gets stored (all requests, illegal requests only, etc.).
Creating a Profile

To create a new logging profile, navigate to Security >> Event Logs >> Logging Profiles and click the "Create" button. You will see the following screen: I named this one "Test_Log_Profile" and enabled logging for Application Security. Notice that you can enable logging for Application Security, Protocol Security, and/or Denial of Service Protection. I enabled local storage and filtered for "Illegal Requests Only". Now that I have my logging profile created, I can associate it with the virtual server.

Configuring the Virtual Server

Navigate to Local Traffic >> Virtual Servers >> Virtual Server List and click on the virtual server with which you want to associate the logging profile. Notice the tabs across the top part of the page...click on Security >> Policies and you will see the following screen: Now you can move the logging profile from "Available" to "Selected" in order to enable the profile for the virtual server. Also, notice that "Application Security Policy" is enabled and the name of the security policy is listed in the drop-down menu. If you enable more than one profile, the ASM will apply the settings of the top profile first and then work down the list.

Viewing Log Files

Log data is stored in the /var/log/asm folder on the BIG-IP. You can view the details of the log data using the command line or the GUI.

Command Line

To view the log data via the command line, use a command like "cat" or "tail". You can also use other standard commands like "grep" to filter results or "more" to view one page at a time.

GUI

To view the Application Security logs in the GUI, navigate to Security >> Event Logs >> Application >> Requests and you will see the following screen: You can click on any of the application requests, and the details will load in the bottom portion of the screen. You can view the Request Details, the actual HTTP Request, or the actual HTTP Response (if response logging is enabled in your logging profile).
Many times response logging is not enabled due to the large amount of data it would consume.

Remote Storage

The ASM provides the option of storing log data on a remote server. When configuring a logging profile, you can view the Advanced Configuration to enable remote storage and select one of three types. The first is "Remote": this option specifies that the ASM will store all traffic on a remote logging server like syslog. The second is "Reporting Server": this option specifies that the ASM will store all log data on a server using a preconfigured storage format. The third option is "ArcSight": this option specifies that the ASM will store all log data on a remote server using predefined ArcSight settings for the logs (the log messages are in the Common Event Format).

Speaking of remote storage...a popular remote log management tool is Splunk. In fact, Splunk offers a specific F5 app that does a fantastic job of organizing and displaying log data in a way that is easy to understand and consume. If you need more information on the Splunk app for F5 log data, check out this article written by the one and only Jason Rahm...you'll be glad you did!

Well, that wraps things up for this article. It's been a fun ride through the internal workings of the BIG-IP ASM. I hope you have enjoyed this series as much as I have. Stay tuned for my next set of articles on the awesomeness that is DNS...see you soon!!

Update: Now that the article series is complete, I wanted to share the links to each article. If I add any more in the future, I'll update this list.

What is the BIG-IP ASM?
Policy Building
The Importance of File Types, Parameters, and URLs
Attack Signatures
XML Security
IP Address Intelligence and Whitelisting
Geolocation
Data Guard
Username and Session Awareness Tracking
Event Logging
APM - How to configure logging of snat addresses for network access and app tunnels

Hello everyone, we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources. For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM. Currently, the following request information is logged.

Network Access:
May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22

App Tunnels:
May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2

For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP. In our setup, both requests will be NATed by APM before hitting the target system (through a SNAT pool in the case of a Network Access request, through the active appliance's backend IP in the case of App Tunnels). Therefore, the APM self IPs (SNAT pool/appliance backend) will be logged on the target host, leading to us not being able to correlate logs in APM with logs on the target systems. Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM? I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information; unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources.

Thank you,
Fabian
How to ensure BIG-IQ can keep log from F5 AWAF for 90 day?

Hi, I configured the F5 AWAF logging profile to send all requests to BIG-IQ. How do I ensure BIG-IQ can keep the logs from F5 AWAF for 90 days? Do I need to modify some default configuration on BIG-IQ CM, or just leave it at the default?

Kridsana
F5 Sending syslogs with two hostname to remote syslog server

Hi All, we have an F5 device (LTM + AFM), and we configured the Splunk syslog server via a Linux syslog server acting as a forwarder. On the Linux server, each F5 creates two syslog files: one with just the host name and another with the FQDN. Both contain different logs, not duplicates. I am not sure where to merge them or make them a single file; can anyone guide me, please!
Query on GTM irule based on Pool Availability

Hello, I am a complete beginner at iRule creation. In GTM I tried to create the iRule below, but I am getting an error. Our intention is to reroute the DNS query to a different pool based on client IP and pool availability.

Condition:
If the client IP matches and the pool is available, then go to the normal pool.
If the client IP matches and the pool is not available, then go to the failback pool.

Pool EUR_LDS0_ITHUBPR_POOL with TTL 300
Pool GLOBAL_LDS0_POOL with TTL 300
Pool GLOBAL_FAILBACK_LDS0_POOL with TTL 60

when DNS_REQUEST {
    if [{ [IP::addr [IP::client_addr] equals 10.235.24.64/27] and ([active_members EUR_LDS0_ITHUBPR_POOL] > 0) } {
        pool EUR_LDS0_ITHUBPR_POOL
    } else {
        pool GLOBAL_FAILBACK_LDS0_POOL
    }
    } else {
        pool GLOBAL_LDS0_POOL
    }
}

Appreciate any help on this.
iRule causing http connection resets

I have an iRule that is set up to do redirects based on host and URI. Whenever I try to access sites on the virtual server that the iRule is attached to, I immediately get a "connection reset" error in the browser. Fiddler shows "[Fiddler] ReadResponse() failed: The server did not return a complete response for this request. Server returned 0 bytes." I've turned on RST logging, and attached a screenshot of the relevant section of the log. aaa.aaa.aaa.aaa is the main external IP address (no virtual servers assigned to it). bbb.bbb.bbb.bbb is the external IP address of the virtual server having the issue. This is a virtual edition running in Azure. Any ideas?

Jun2 18:03:50 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from aaa.aaa.aaa.aaa:30968 to 169.254.169.254:80, [0x29da995:271] {peer} handshake timeout
Jun2 18:03:50 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from 169.254.169.254:80 to aaa.aaa.aaa.aaa:54230, [0x29da995:271] handshake timeout
Jun2 18:03:51 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[3451]: 0118000a:4: The Service Check Date check was skipped.
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
Jun2 18:03:53 nameofF5VE warning tmm2[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:61481 -> bbb.bbb.bbb.bbb:443
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:61481, [0x2a155c4:1878] iRule execution error
Jun2 18:03:53 nameofF5VE err tmm1[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
Jun2 18:03:53 nameofF5VE warning tmm1[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:37962 -> bbb.bbb.bbb.bbb:443
Jun2 18:03:53 nameofF5VE err tmm1[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:37962, [0x2a155c4:1878] iRule execution error
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
Jun2 18:03:53 nameofF5VE warning tmm2[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:44158 -> bbb.bbb.bbb.bbb:443
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:44158, [0x2a155c4:1878] iRule execution error
Jun2 18:03:56 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30653]: 0118000a:4: The Service Check Date check was skipped.
Jun2 18:03:59 nameofF5VE err tmm1[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"("csr.mydomain.com" arm line 12)invoked from within "switch [ string tolower [HTTP::host]] {"timesheet.mydomain.com" {#log local0. "BGI Timesheet PRD: [HTTP::host] uri : [HTTP::uri]"if {[a..."
Jun2 18:03:59 nameofF5VE warning tmm1[17730]: 01260020:4: SSL Connection terminated for TCP 99.55.158.9:14261 -> bbb.bbb.bbb.bbb:443
Jun2 18:03:59 nameofF5VE err tmm1[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:14261, [0x2a155c4:1878] iRule execution error
Jun2 18:04:01 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30652]: 0118000a:4: The Service Check Date check was skipped.
Jun2 18:04:05 nameofF5VE err tmm[17730]: 01230140:3: RST sent from aaa.aaa.aaa.aaa:29511 to 169.254.169.254:80, [0x29da995:271] {peer} handshake timeout
Jun2 18:04:05 nameofF5VE err tmm[17730]: 01230140:3: RST sent from 169.254.169.254:80 to aaa.aaa.aaa.aaa:54348, [0x29da995:271] handshake timeout
Jun2 18:04:06 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30653]: 0118000a:4: The Service Check Date check was skipped.
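As an added example (not code from any of the posts above, and not an F5 tool), here is a Python parser for the tmm syslog lines quoted in the APM post and in this one: it splits the common prefix (timestamp, host, process, message id, level), classifies the ACL-allow, RST-sent and TCL-error bodies, and counts RST reasons so the "iRule execution error" resets can be tied back to the iRule and event that raised them. The field layout is inferred from the quoted lines only; the sample input is constructed from those lines.

```python
import re
from collections import Counter

# Constructed sample: tmm syslog lines copied (one of them shortened) from the two posts.
SAMPLE = """\
May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22
Jun2 18:03:50 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from aaa.aaa.aaa.aaa:30968 to 169.254.169.254:80, [0x29da995:271] {peer} handshake timeout
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01220001:3: TCL error: /Common/iRule_SelectURL_PRD_mydomain_com_443 <HTTP_REQUEST> - Can't call after responding - ERR_NOT_SUPPORTED (line 2)invoked from within "HTTP::uri"
Jun2 18:03:53 nameofF5VE err tmm2[17730]: 01230140:3: RST sent from bbb.bbb.bbb.bbb:443 to 99.55.158.9:61481, [0x2a155c4:1878] iRule execution error
Jun2 18:03:56 nameofF5VE.westeurope.cloudapp.azure.com warning httpd[30653]: 0118000a:4: The Service Check Date check was skipped.
"""

# Prefix seen on every quoted line: timestamp, host, optional severity word,
# process[pid], 8-hex-digit message id, numeric level, then the message body.
PREFIX = re.compile(r"^(\w+\s*\d+ \d\d:\d\d:\d\d) (\S+) (?:(\w+) )?(\w+)\[(\d+)\]: "
                    r"([0-9a-fA-F]{8}):(\d): (.*)$")
# Body patterns, inferred from the quoted lines only (assumption, not F5 documentation).
ACL = re.compile(r"^(\S+):(\w+): allow ACL: (\S+) packet: (\w+) (\S+) -> (\S+)$")
RST = re.compile(r"^RST sent from (\S+) to (\S+), \[[^\]]+\] (?:\{peer\} )?(.*)$")
TCL = re.compile(r"^TCL error: (\S+) <(\w+)> - (.*?) - (ERR_\w+)")

def parse_line(line):
    """Split one tmm line into fields and classify it by message id; None if no match."""
    m = PREFIX.match(line)
    if not m:
        return None
    ts, host, _sev, proc, _pid, msgid, level, body = m.groups()
    rec = {"ts": ts, "host": host, "proc": proc, "msgid": msgid, "level": int(level), "kind": "other"}
    if msgid == "01580002" and (a := ACL.match(body)):        # APM ACL allow: session + flow
        rec.update(kind="acl_allow", session=a.group(2), acl=a.group(3),
                   proto=a.group(4), src=a.group(5), dst=a.group(6))
    elif msgid == "01230140" and (r := RST.match(body)):      # RST sent: reason is at the end
        rec.update(kind="rst", src=r.group(1), dst=r.group(2), reason=r.group(3))
    elif msgid == "01220001" and (t := TCL.match(body)):      # iRule TCL error: which rule/event
        rec.update(kind="tcl_error", irule=t.group(1), event=t.group(2),
                   message=t.group(3), code=t.group(4))
    return rec

def summarize(text):
    """Count RST reasons, TCL errors per (iRule, event, code), and APM flows per session."""
    out = {"rst_reasons": Counter(), "tcl_errors": Counter(), "acl_sessions": {}}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "rst":
            out["rst_reasons"][rec["reason"]] += 1
        elif rec["kind"] == "tcl_error":
            out["tcl_errors"][(rec["irule"], rec["event"], rec["code"])] += 1
        elif rec["kind"] == "acl_allow":
            out["acl_sessions"].setdefault(rec["session"], []).append((rec["src"], rec["dst"]))
    return out
```

Run it over `tail -n 1000 /var/log/ltm` output (or the APM log) and an "iRule execution error" count that rises together with a TCL error for the same iRule points at the rule, not at the client.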
Blocking Traffic based on Geo Location

I have a requirement to block traffic to a particular HTTPS path (page) via an iRule on the WAF device, in order to restrict access to the URL below from every geo location other than Thailand. Can someone help with this? I have written the iRule below.

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] equals "http://abc.com/job-request/" && [whereis [IP::client_addr] country] ne "TH" } {
        drop
    } {
    else {
        #log local0. "The page is restricted"
    }
}
How to bypass log 1024 byte limit / truncation

I'm trying to log the content of excessively long Cookie HTTP headers, per the instructions in some questions such as:
https://devcentral.f5.com/questions/logging-http-header-that-is-longer-than-the-maximum-allowed
https://devcentral.f5.com/questions/problem-with-irule-that-logs-excessive-http-header-lengths
https://devcentral.f5.com/questions/log-connections-that-exceed-maximum-header-size

All of these are supposed to log the full content of the header; that's the point of them. But the log command goes through the local syslog-ng, and (per https://devcentral.f5.com/wiki/iRules.log.ashx) truncates messages at 1024 bytes. I found a few mentions that HSL may not have this limitation, but unfortunately my dev/test load balancer is running 9.4.7, so that's not possible. The production boxes are running 10.1.0, but I'm sort of hesitant to make my first use of HSL without testing it in a safe place. Is there any way to just dump this to disk somewhere, or any other way to bypass syslog?
irule to redirect traffic to multiple pools

All, we have one VIP which is redirecting traffic to multiple pools via an iRule.

rule:
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals xxxx] } {
        pool xxxx
    } elseif { [class match [IP::client_addr] equals zzzz] } {
        pool zzzz
    } elseif { [class match [IP::client_addr] equals yyyy] } {
        pool yyyy
    } else {
        #log local0. "Default pool (drop): [IP::client_addr]-->[LB::server]"
        drop
    }
}

All pools have the same pool member (IP) but the ports are different. Now we need to add one more pool member, not for load balancing, but so that it receives the traffic at the same time. I have prepared one iRule for that:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals test_1234] } {
        pool test
        pool test2
    } else {
        #log local0. "Default pool (drop): [IP::client_addr]-->[LB::server]"
        drop
    }
}

But I am not seeing traffic in both the pools. Could someone check the code and let me know the correct way to do this.