
    Alternative options for NEDS from F5 to SIEM

    mikef

      We have recently upgraded to the 11+ code line on our LTMs. We had NEDS logging working fine on the 10. versions, but since we moved to 11 the logs are pretty much useless and the NEDS config is horrendous.

       

      Is there any way to get useful logs to the SIEM without doing all the config listed below under 11? My network team is not very keen on implementing the massive iRule.

       

      Version 10

       

       

      syslog {

        remote server {

         qradar {

            host 10.11.100.31

          }

        }

      }

       

      Version 11

       

       

      syslog {

        remote server {

         qradar {

            host 10.11.100.31

          }

        }

      }

       

       

      and all this below

       

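      # NEDS-style connection and HTTP event records for the SIEM, written to
      # the local syslog facility (local0) so the remote-server config forwards
      # them. Settings live in static:: variables: on v11, assigning plain ::
      # globals from RULE_INIT demotes the virtual server from CMP.
      when RULE_INIT {
          # VLAN id string compared against LINK::vlan_id to label the direction.
          set static::inbound_vlan "4094"
          # Device identifier written as the first field of every record.
          set static::device_id "mybigip.test.net"
          # Upper index handed to "string range" when truncating HTTP fields.
          # string range is inclusive, so the result keeps strlimit+1 characters.
          set static::strlimit 256
          # Non-zero enables AES encryption plus base64 of the record payload.
          set static::doAES 0
          # Brace-quoted so no $-substitution can ever be applied to the key text.
          # The key is stored in the iRule itself, so anyone who can read the
          # configuration can decrypt the records; the value here looks like a
          # placeholder and should be replaced before doAES is enabled.
          # NOTE(review): AES::encrypt normally takes a key in the form produced
          # by AES::key; confirm this literal is accepted before enabling doAES.
          set static::AESKey {F(NY$*@&TYY%($&@(%SLJSDLF}
      }

      when CLIENT_ACCEPTED {
          # Timestamp with microseconds. clock seconds and clock clicks are read
          # separately, so the seconds counter may tick between the two calls;
          # values over 1000000 are clamped rather than carried into the next
          # second, which may place the time somewhere between the two readings.
          set secs [clock seconds]
          set usecs [expr {[clock clicks] - $secs * 1000000}]
          if { $usecs > 1000000 } {
              set usecs "999999"
          } else {
              set usecs [format "%06u" $usecs]
          }
          set conn_start_time $secs.$usecs

          # Client-side flow key; the later events on this connection reuse it.
          set clientflow "[IP::client_addr]:[TCP::client_port]"
          append clientflow "-[IP::local_addr]:[TCP::local_port]@$conn_start_time"

          # string compare is non-zero when the strings differ, so a VLAN other
          # than inbound_vlan is labelled Inbound.
          # NOTE(review): confirm this is the intended mapping; the name
          # inbound_vlan reads as if the matching case should be Inbound.
          set vlanid "[LINK::vlan_id]"
          if { [string compare $vlanid $static::inbound_vlan] } {
              set direction "Inbound"
          } else {
              set direction "Outbound"
          }

          # Record: device, flow, start time, vlan, protocol, tos, ttl, virtual, direction.
          set log_event "neds.f5.conn.start.v1"
          set log_content "\"$static::device_id\","
          append log_content "\"$clientflow\","
          append log_content "$conn_start_time,"
          append log_content "\"$vlanid\","
          append log_content "[IP::protocol],"
          append log_content "[IP::tos],"
          append log_content "[IP::ttl],"
          append log_content "\"[virtual]\","
          append log_content "\"$direction\""
          if { $static::doAES } {
              append log_event ".AES+base64"
              set log_content [b64encode [AES::encrypt $static::AESKey $log_content]]
          }
          log local0. \"$log_event\",$log_content
      }

      when CLIENT_CLOSED {
          # Same clamped microsecond timestamp as CLIENT_ACCEPTED.
          set secs [clock seconds]
          set usecs [expr {[clock clicks] - $secs * 1000000}]
          if { $usecs > 1000000 } {
              set usecs "999999"
          } else {
              set usecs [format "%06u" $usecs]
          }
          set conn_end_time $secs.$usecs

          # Record: device, flow, end time, then packet and byte counters for
          # each direction as returned by IP::stats (index 0 and 1).
          set log_event "neds.f5.conn.end.v1"
          set log_content "\"$static::device_id\","
          append log_content "\"$clientflow\",$conn_end_time,"
          append log_content "[lindex [IP::stats pkts] 0],"
          append log_content "[lindex [IP::stats pkts] 1],"
          append log_content "[lindex [IP::stats bytes] 0],"
          append log_content "[lindex [IP::stats bytes] 1]"
          if { $static::doAES } {
              append log_event ".AES+base64"
              set log_content [b64encode [AES::encrypt $static::AESKey $log_content]]
          }
          log local0. \"$log_event\",$log_content
      }

      when HTTP_REQUEST {
          # Same clamped microsecond timestamp as CLIENT_ACCEPTED.
          set secs [clock seconds]
          set usecs [expr {[clock clicks] - $secs * 1000000}]
          if { $usecs > 1000000 } {
              set usecs "999999"
          } else {
              set usecs [format "%06u" $usecs]
          }
          set http_request_time $secs.$usecs

          # Request fields are client-controlled. Each one is truncated, stripped
          # of control characters (a CR or LF inside a header value would
          # otherwise split the syslog line into a second record), and has any
          # double quote doubled so the quoted CSV field stays intact.
          set http_host [string range [HTTP::host] 0 $static::strlimit]
          regsub -all {[[:cntrl:]]} $http_host {} http_host
          set http_host [string map {{"} {""}} $http_host]
          set http_request_uri [string range [HTTP::uri] 0 $static::strlimit]
          regsub -all {[[:cntrl:]]} $http_request_uri {} http_request_uri
          set http_request_uri [string map {{"} {""}} $http_request_uri]
          set http_username [string range [HTTP::username] 0 $static::strlimit]
          regsub -all {[[:cntrl:]]} $http_username {} http_username
          set http_username [string map {{"} {""}} $http_username]
          set http_user_agent [string range [HTTP::header User-Agent] 0 $static::strlimit]
          regsub -all {[[:cntrl:]]} $http_user_agent {} http_user_agent
          set http_user_agent [string map {{"} {""}} $http_user_agent]

          # Record: device, flow, request time, request number, host, uri,
          # username, user agent.
          set log_event "neds.f5.http.req.v1"
          set log_content "\"$static::device_id\","
          append log_content "\"$clientflow\","
          append log_content "$http_request_time,"
          append log_content "[HTTP::request_num],"
          append log_content "\"$http_host\","
          append log_content "\"$http_request_uri\","
          append log_content "\"$http_username\","
          append log_content "\"$http_user_agent\""
          if { $static::doAES } {
              append log_event ".AES+base64"
              set log_content [b64encode [AES::encrypt $static::AESKey $log_content]]
          }
          log local0. \"$log_event\",$log_content
      }

      when HTTP_RESPONSE {
          # Same clamped microsecond timestamp as CLIENT_ACCEPTED.
          set secs [clock seconds]
          set usecs [expr {[clock clicks] - $secs * 1000000}]
          if { $usecs > 1000000 } {
              set usecs "999999"
          } else {
              set usecs [format "%06u" $usecs]
          }
          set http_reply_time $secs.$usecs

          # Content-Length is optional; an absent header logs as an empty field.
          set content_length ""
          if { [HTTP::header exists "Content-Length"] } {
              set content_length [HTTP::header "Content-Length"]
          }

          # Test the address on its own: "addr:port" always contains the colon,
          # so comparing the joined string against "" could never select the
          # <forwarded> placeholder.
          if { [LB::server addr] eq "" } {
              set lb_server "<forwarded>"
          } else {
              set lb_server "[LB::server addr]:[LB::server port]"
          }

          # Response fields come from the pool member; control characters are
          # stripped and double quotes doubled, as for the request fields.
          set status_code [HTTP::status]
          set status_code [string map {{"} {""}} $status_code]
          set content_type [HTTP::header "Content-type"]
          regsub -all {[[:cntrl:]]} $content_type {} content_type
          set content_type [string map {{"} {""}} $content_type]

          # Server-side flow key (BIG-IP self address/port to pool member).
          set serverflow "[IP::local_addr]:[TCP::local_port]"
          append serverflow "-[IP::remote_addr]:[TCP::remote_port]"

          # Record: device, client flow, reply time, request number, status,
          # content type, content length, selected server, server flow.
          set log_event "neds.f5.http.resp.v1"
          set log_content "\"$static::device_id\","
          append log_content "\"$clientflow\","
          append log_content "$http_reply_time,"
          append log_content "[HTTP::request_num],"
          append log_content "\"$status_code\","
          append log_content "\"$content_type\","
          append log_content "\"$content_length\","
          append log_content "\"$lb_server\","
          append log_content "\"$serverflow\""
          if { $static::doAES } {
              append log_event ".AES+base64"
              set log_content [b64encode [AES::encrypt $static::AESKey $log_content]]
          }
          log local0. \"$log_event\",$log_content
      }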

       

      TIA