syvtit
Level 7

Integrating F5 with SIEM McAfee

Dear All,

Who has experience with F5? Please show me how to integrate F5 with SIEM McAfee. I configured F5 to send logs to SIEM McAfee through syslog, but SIEM McAfee can't parse these logs. Some people on the forum recommended, "you should configure F5 to send logs in NEDS format", but I don't have much experience with this. Please help me; show me the detailed steps to send logs in NEDS format.

thanks and best regards,

Sy Vu

3 Replies

Re: Integrating F5 with SIEM McAfee

Hi,

Can you let me know which product of F5 are you using?

I integrated F5 a few weeks back. Not all events parsed, but 60-70% of them did.

Regards,

Vinaya

syvtit
Level 7

Re: Integrating F5 with SIEM McAfee

Dear vinaya,

Thanks for your reply. Can you show me your way? Right now I have only configured getting logs from F5 by creating an iRule that sends NEDS logs to SIEM McAfee (but this way only works with the HTTP protocol, and I want more logs). I'm using ADM and LTM.

Best regards,

Sy Vu 

Re: Integrating F5 with SIEM McAfee

I believe F5 NEDS logs are tab-delimited, and you can create a basic parser for anything delimited in some way via ([^\t]*)\t

In this case, it's looking for the following:

begin capture group (

Open char match [

negate char match ^

find tab \t

close char match ]

match the previous char class any number of times [^\t]* (* is a greedy match)

close capture group )

look for tab \t

Then copy and paste for each field in the logs (I believe it has around 15-16 fields): ([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)

This is a very ugly, quick dirty parser to get data into the SIEM parsed quickly, but then each ([^\t]*)\t can be tuned and expanded based on data in the particular field.

You will need to do the custom parser mappings based on where you want the data to be placed in regards to the SIEM database fields.
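The reply above describes building the parser from repeated ([^\t]*)\t groups and then tightening individual groups later. The following Python is an added illustration of that approach, not code from the thread, from F5, or from the McAfee SIEM custom-parser feature: it generates the generic N-field pattern, shows why [^\t]* keeps empty fields in position (something a whitespace split would lose), shows that a line with the wrong field count fails to match, and shows how one position can be tuned to a stricter sub-pattern. The 16-field layout, the sample log lines and the column names passed to to_record are all constructed placeholders; the real NEDS field order depends on the F5 module and version and must be taken from the F5 documentation.

```python
import re
from typing import List, Optional, Sequence

# The generic building block from the reply: "anything that is not a tab".
ANY_FIELD = r"[^\t]*"

# A stricter sub-pattern you might swap in for a field once you know what
# it contains (here: a dotted-quad IPv4 address). Hypothetical tuning choice.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def build_pattern(field_regexes: Sequence[str]) -> re.Pattern:
    """Wrap each field regex in a capture group and join the groups with a
    literal tab. Like the reply's final pattern, the last group carries no
    trailing tab; the anchors force the whole line to match the layout."""
    groups = ["(" + rx + ")" for rx in field_regexes]
    return re.compile("^" + r"\t".join(groups) + "$")


def generic_pattern(num_fields: int) -> re.Pattern:
    """The 'ugly, quick and dirty' parser: num_fields copies of ([^\\t]*)."""
    if num_fields < 1:
        raise ValueError("need at least one field")
    return build_pattern([ANY_FIELD] * num_fields)


def parse_line(line: str, pattern: re.Pattern) -> Optional[List[str]]:
    """Return the captured fields in order, or None when the line does not
    fit the expected layout (wrong field count or a tuned field mismatch)."""
    m = pattern.match(line.rstrip("\r\n"))
    return list(m.groups()) if m else None


def to_record(fields: Sequence[str], names: Sequence[str]) -> dict:
    """Map positional captures onto named SIEM columns. The names are whatever
    you decide in the custom parser mapping; the length must match."""
    if len(fields) != len(names):
        raise ValueError("field count does not match column names")
    return dict(zip(names, fields))


# ---- constructed sample input (placeholder values, not real F5 output) ----
NUM_FIELDS = 16
SAMPLE_OK = "\t".join(
    ["2024-01-01T00:00:00Z", "192.0.2.10", "198.51.100.5"]
    + ["f%d" % i for i in range(4, NUM_FIELDS + 1)]
)
# Same layout, but field 5 is empty: "\t\t" must still yield a field.
_parts = SAMPLE_OK.split("\t")
_parts[4] = ""
SAMPLE_EMPTY_FIELD = "\t".join(_parts)
# Only 15 fields: should be rejected rather than silently mis-aligned.
SAMPLE_SHORT = "\t".join(SAMPLE_OK.split("\t")[:-1])
# Field 3 is not an IP: rejected only by the tuned pattern.
_parts = SAMPLE_OK.split("\t")
_parts[2] = "not-an-ip"
SAMPLE_BAD_IP = "\t".join(_parts)

# Hypothetical column names for the first three positions; the rest are
# left as generic placeholders until each field has been identified.
COLUMN_NAMES = ["event_time", "src_ip", "dst_ip"] + [
    "field_%d" % i for i in range(4, NUM_FIELDS + 1)
]

# Tuned variant: positions 2 and 3 must now look like IPv4 addresses.
TUNED_FIELDS = [ANY_FIELD, IPV4, IPV4] + [ANY_FIELD] * (NUM_FIELDS - 3)


if __name__ == "__main__":
    generic = generic_pattern(NUM_FIELDS)
    tuned = build_pattern(TUNED_FIELDS)
    print(to_record(parse_line(SAMPLE_OK, generic), COLUMN_NAMES))
    print("empty field kept:", parse_line(SAMPLE_EMPTY_FIELD, generic)[4] == "")
    print("short line rejected:", parse_line(SAMPLE_SHORT, generic) is None)
    print("bad ip passes generic:", parse_line(SAMPLE_BAD_IP, generic) is not None)
    print("bad ip rejected by tuned:", parse_line(SAMPLE_BAD_IP, tuned) is None)
```

The practical takeaway is the last two prints: the generic pattern accepts any tab-separated content of the right width, so a mis-ordered or malformed event still lands in the wrong SIEM columns without error; tightening a group to a field-specific sub-pattern turns that silent mis-mapping into a visible parse failure you can alert on.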