6 Replies Latest reply on Sep 23, 2015 2:52 AM by xded

    Integrating f5 ASM & LTM with SIEM

    haroot

      Hi All,


      Has anyone done the integration of F5 ASM & LTM with McAfee SIEM? Steps for ASM are mentioned in the User Guide, but unfortunately the guide shows the steps for Syslog configuration while the Supported matrix shows the integration using NPP.

        • 1. Re: Integrating f5 ASM & LTM with SIEM
          artek

          Haroot,


          Did you try to configure the F5 data sources as syslog devices? I saw that all available F5 data sources have an "(ASP)" suffix in their names, so it should work with normal syslog.


          Regards,

          Artur Sadownik

          • 2. Re: Integrating f5 ASM & LTM with SIEM
            haroot

            Hi Artur,


            I tried to configure the F5 devices as Syslog and I am receiving only logs related to the appliance. Nothing related to the F5 ASM (traffic logs) is being detected, so under data source properties I enabled "Support Generic Syslog". After enabling this option I was able to see the ASM traffic log messages, but only as generic syslog. I think the ASP rule for traffic messages isn't able to parse the messages.


            On further comparison at the rule level between "F5_ASM Violation/Successful Request Messages" and the traffic log I am getting, it looks like the parser might have been built for the 10.x version of ASM. We are using the latest version, i.e. 11.x, and the PCRE doesn't match the sample log format that F5 is generating for this particular message.


            Regards,


            Haroot

            • 3. Re: Integrating f5 ASM & LTM with SIEM
              artek

              Haroot,


              In this case you should send the log samples to McAfee, using this page: https://mcafee.acceptondemand.com/.


              Regards,

              Artur Sadownik

              • 4. Re: Integrating f5 ASM & LTM with SIEM
                haroot

                Thanks Arthur

                • 5. Re: Integrating f5 ASM & LTM with SIEM
                  slevesque

                  Nearly 3 years later, I'm having this exact problem. It seems improbable to me that the log samples wouldn't have been updated, which implies this isn't the answer to the problem; surely I've got something misconfigured here?


                  F5 appliance with the ASM license is: BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4

                  SIEM is: McAfee ESM 9.5.0 MR7 20150908


                  When configuring the logging profile on the F5, it gives a "storage format" option with a list of fields to send and an optional delimiter to define. I selected all fields and left the default (comma) delimiter; is it possible that's not what the parsing rule on the SIEM is expecting?


                  On the SIEM, in the data source properties, I've selected "BIG-IP Application Security Manager - CEF (ASP)" as the data source model and "default" as the data format. Is it possible to see somewhere what McAfee used as the "default" format in this data source model, to make sure the output selected on the F5 matches it?

                  • 6. Re: Integrating f5 ASM & LTM with SIEM
                    xded

                    You set the delimiter to comma in the F5 settings, but the SIEM expects the delimiter in CEF format [ (|) / (pipe) ]. If you are not sure about the format, then set the configuration "Support generic syslog" to log unknown syslog events. Now the SIEM logs all logs from the F5: logs that can be parsed and logs that can't be parsed.


                    slevesque wrote:


                    On the SIEM, in the data source properties, I've selected "BIG-IP Application Security Manager - CEF (ASP)" as the data source model and "default" as the data format. Is it possible to see somewhere what McAfee used as the "default" format in this data source model, to make sure the output selected on the F5 matches it?

                    The default is the format you chose here, CEF, because you set this to the default.
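The point made in the last two replies (a CEF-based parsing rule cannot match a comma-delimited "storage format" line, and "Support Generic Syslog" only decides whether the unparsed line is kept or dropped) can be shown with a small parser. The following is an added example, not code from the thread, from F5 or from McAfee; the two log lines are constructed to look like an ASM event in each format and were not captured from a real BIG-IP, and the extension keys (dvchost, src, spt, request, act, ...) are taken from the standard CEF extension dictionary rather than from F5 documentation. The SIEM's own ASP rule is not reproduced; `classify` only models the parsed / generic syslog / dropped outcome described above.

```python
import re
from typing import Optional

# Constructed sample: the same ASM event, once as CEF (what a "CEF (ASP)"
# data source expects) and once in a comma-delimited user-defined storage
# format (what the F5 sends when the default comma delimiter is left in place).
CEF_LINE = (
    "<134>Sep 23 2015 02:52:00 bigip.example.com ASM:CEF:0|F5|ASM|11.6.0|"
    "Illegal file type|Illegal file type|5|dvchost=bigip.example.com "
    "dvc=10.1.1.10 cs1=web_policy cs1Label=policy_name src=192.0.2.10 spt=51234 "
    "dst=10.1.1.20 dpt=443 requestMethod=GET request=/cgi-bin/test.pl act=blocked"
)
CSV_LINE = (
    "<134>Sep 23 2015 02:52:01 bigip.example.com ASM:web_policy,Illegal file type,"
    "192.0.2.10,51234,10.1.1.20,443,GET,/cgi-bin/test.pl,blocked"
)

_CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                      "signature_id", "name", "severity")


def parse_cef(line: str) -> Optional[dict]:
    """Return CEF header fields plus extension key/values, or None when the
    line is not a CEF record (e.g. the comma-delimited storage format)."""
    marker = line.find("CEF:")
    if marker == -1:
        return None
    body = line[marker + len("CEF:"):]
    # Split on pipes that are not escaped as '\|'. The header is exactly seven
    # pipe-separated fields; everything after the seventh pipe is the extension,
    # which may legitimately contain pipes, hence maxsplit=7.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        return None
    record = {key: value.replace(r"\|", "|")
              for key, value in zip(_CEF_HEADER_FIELDS, parts[:7])}
    # Extension: space-separated key=value pairs whose values may contain
    # spaces, so split only in front of a token that looks like the next key.
    record["extension"] = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            record["extension"][key] = value.replace(r"\=", "=")
    return record


def classify(line: str, support_generic_syslog: bool) -> str:
    """Model of the data-source behaviour discussed in the thread: a line the
    CEF rule cannot parse is dropped unless 'Support Generic Syslog' is enabled,
    in which case it is kept as an unparsed generic syslog event."""
    if parse_cef(line) is not None:
        return "parsed"
    return "generic_syslog" if support_generic_syslog else "dropped"


if __name__ == "__main__":
    for line in (CEF_LINE, CSV_LINE):
        print(classify(line, support_generic_syslog=False), "->", parse_cef(line))
```

Running it shows the CEF line parsed into header fields and an extension dictionary, while the comma-delimited line is reported as dropped without generic syslog support and as `generic_syslog` with it, which matches what haroot saw: the messages arrive, but only as unparsed generic syslog until the format sent by the F5 is switched to CEF.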