haroot
Level 9
Message 1 of 7

Integrating f5 ASM & LTM with SIEM

Hi All,

Has anyone done the integration of f5 ASM & LTM with McAfee SIEM? Steps for ASM are mentioned in the User Guide, but unfortunately the guide shows the steps for Syslog configuration, while the supported matrix shows the integration using NPP.

6 Replies
artek
Level 11
Message 2 of 7

Re: Integrating f5 ASM & LTM with SIEM

Haroot,

Did you try to configure F5 data sources as syslog devices? I saw that all available F5 data sources have an "(ASP)" suffix in their names, so it should work with normal syslog.

Regards,

Artur Sadownik

haroot
Level 9
Message 3 of 7

Re: Integrating f5 ASM & LTM with SIEM

Hi Artur,

I tried to configure the f5 devices as Syslog and I am receiving logs only related to the appliance. Nothing related to the f5 ASM (traffic) logs is being detected. Then, under data source properties, I enabled "Support Generic Syslog". After enabling this option I was able to see the ASM traffic log messages, but as generic syslog. I think the ASP rule for traffic messages isn't able to parse the messages.

On further comparison at the Rule Level ("F5_ASM Violation/Successful Request Messages") and the Traffic Log that I am getting, it looks like the Parser might have been built for the 10.x version of ASM, as we are using the latest version, i.e. 11.x, and the PCRE doesn't match the sample log format that f5 is generating for this particular message.

Regards,

Haroot

artek
Level 11
Message 4 of 7

Re: Integrating f5 ASM & LTM with SIEM

Haroot,

In this case you should send the log samples to McAfee using this page: https://mcafee.acceptondemand.com/.

Regards,

Artur Sadownik

haroot
Level 9
Message 5 of 7

Re: Integrating f5 ASM & LTM with SIEM

Thanks Arthur

Re: Integrating f5 ASM & LTM with SIEM

Nearly 3 years later, I'm having this exact problem. It seems improbable to me that the log samples wouldn't have been updated, which implies this isn't the answer to the problem; surely I've got something misconfigured here?

F5 appliance with the ASM license is:  BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4

SIEM is:  McAfee ESM 9.5.0 MR7 20150908

When configuring the logging profile on the F5, it gives a "storage format" option with a list of fields to send and an optional delimiter to define. I selected all fields and left the default (comma) delimiter. Is it possible that's not what the parsing rule on the SIEM is expecting?

On the SIEM, in the datasource properties, I've selected "BIG-IP Application Security Manager - CEF (ASP)" as the datasource model and "default" as the data format. Is it possible somewhere to see a list of what McAfee used as the "default" format in this datasource model, to make sure the output selected on the F5 matches it?

xded
Level 12
Message 7 of 7

Re: Integrating f5 ASM & LTM with SIEM

You set the delimiter to comma in the F5 setting, but the SIEM expects the delimiter to be in CEF format [ (|) / (Pipe) ]. If you are not sure about the format, then set the "Support generic syslog" configuration to log unknown syslog events. Now the SIEM logs all F5 logs, both those that can be parsed and those that can't be parsed.

slevesque wrote:

On the SIEM, in the datasource properties, I've selected "BIG-IP Application Security Manager - CEF (ASP)" as the datasource model and "default" as the data format. Is it possible somewhere to see a list of what McAfee used as the "default" format in this datasource model, to make sure the output selected on the F5 matches it?

The default is the format you chose here, CEF, because you set this to the default.
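To show why the delimiter choice matters for the "CEF (ASP)" data source, here is an added example (not code from this thread, McAfee ESM or F5) of a minimal CEF line parser that splits the pipe-delimited header, honours CEF's escaped pipes, and extracts key=value extensions. The two sample log lines are constructed for the example; the field values and hostnames are not from a real device. Comma-delimited output fails the CEF check and would only appear once "Support generic syslog" is enabled.

```python
import re

# Constructed sample lines (not captured from an F5 device).
# A CEF-style event, as a CEF data source model expects: a pipe-delimited
# header followed by space-separated key=value extensions.
CEF_LINE = (
    "CEF:0|F5|ASM|11.6.0|Illegal URL|Illegal URL|5|"
    "dvchost=bigip1 src=198.51.100.23 request=/admin act=blocked"
)
# The same event emitted with a custom comma-delimited storage format.
COMMA_LINE = "bigip1,198.51.100.23,/admin,Illegal URL,blocked"

# Split only on unescaped pipes: CEF encodes a literal '|' in a header field as '\|'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values run until the next " key=" token or the end of the line.
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]


def parse_cef(line: str):
    """Return a dict of CEF header fields plus an 'ext' dict, or None if not CEF."""
    if not line.startswith("CEF:"):
        return None
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:  # seven header fields plus the extension block
        return None
    event = {k: v.replace("\\|", "|") for k, v in zip(_HEADER_KEYS, parts[:7])}
    event["version"] = event["version"][len("CEF:"):]
    event["ext"] = dict(_EXT_KV.findall(parts[7]))
    return event


def route(line: str) -> str:
    """Mimic the SIEM decision described above: parsed event or generic syslog."""
    return "parsed" if parse_cef(line) else "generic-syslog"


if __name__ == "__main__":
    for sample in (CEF_LINE, COMMA_LINE):
        print(route(sample), parse_cef(sample))
```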
