IBM QRadar

F5 ASM Logging - Best Practices

  • 1.  F5 ASM Logging - Best Practices

    Posted Wed February 10, 2021 10:40 PM

    Hey everyone,

    I'm attempting to onboard a pair of F5 ASM WAFs and running into some really depressing results. After configuring the logging profile with Application Security, and using CEF (because F5 can't use LEEF???), I'm getting a ton of events but they are mostly junk snmpd debug logs without any of the alerting that I truly want. I also noticed that these payloads are not parsed correctly and if I try to manually verify in the DSM editor, I get "Parsing Failed" which is a first. Any insight is much appreciated!

    Also, not sure if I'm allowed to post this, but I've started a Qradar-Casual Admin Chat slack group for anyone interested.

    https://join.slack.com/t/qradaradmins/shared_invite/zt-m5ew662t-gL0eyqwtYfZfdXOHrQEMxw



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: F5 ASM Logging - Best Practices

    Posted Tue March 08, 2022 07:43 AM

    Hi!

    I'm seeing a similar or the same issue. There's plenty of logs in the F5 ASM but on QRadar there are only a few logs like these:

    Mar 8 07:43:54 bigIP-ASM-Hostname info tmm1[24799]: Rule /Common/Rulename-Mitigation <HTTP_REQUEST_DATA>: detection-ulename drop on payload

    And that's it. I cannot find anything else...

    Please advise!



    #QRadar
    #Support
    #SupportMigration
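Both posts describe the same symptom: a feed that is mostly tmm/snmpd chatter with few or no parseable ASM events. An added example, not from the thread or from IBM or F5, is this Python triage script that runs over a raw syslog capture from the BIG-IP before onboarding and counts real ASM CEF events, malformed CEF lines (fewer than the seven required header fields) and per-process noise. It assumes the syslog layout of the tmm line posted above and that the ASM CEF body is prefixed `ASM:`; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Syslog header shape taken from the tmm line in the thread:
# "Mar 8 07:43:54 bigIP-ASM-Hostname info tmm1[24799]: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
PROC_RE = re.compile(r"^(?:[a-z]+ )?(?P<proc>[A-Za-z_.-]+)")  # optional severity word, then process name
HEADER = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")

def split_cef(msg):
    """Parse 'CEF:Version|Vendor|Product|DevVer|SigID|Name|Severity|ext'; None if the header is short."""
    parts = re.split(r"(?<!\\)\|", msg[len("CEF:"):], maxsplit=7)  # pipes escaped as \| stay in-field
    if len(parts) != 8:
        return None
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))  # key=value pairs; values may hold spaces
    return dict(zip(HEADER, parts[:7])), ext

def triage(lines):
    """Count ASM CEF events, malformed CEF lines and noise per process in a raw syslog capture."""
    counts, events = Counter(), []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        rest = m.group("rest")
        idx = rest.find("CEF:")  # assumed "ASM:CEF:..." prefix, so search rather than anchor
        if idx >= 0:
            parsed = split_cef(rest[idx:])
            if parsed is None:
                counts["cef_malformed"] += 1
            else:
                counts["asm_cef"] += 1
                events.append({"host": m.group("host"), **parsed[0], "ext": parsed[1]})
            continue
        pm = PROC_RE.match(rest)
        counts["noise:" + (pm.group("proc") if pm else "?")] += 1
    return counts, events

# Constructed sample feed: line 1 is the thread's tmm line, the rest are made up for illustration.
SAMPLE = """\
Mar 8 07:43:54 bigIP-ASM-Hostname info tmm1[24799]: Rule /Common/Rulename-Mitigation <HTTP_REQUEST_DATA>: detection-ulename drop on payload
Mar 8 07:43:55 bigIP-ASM-Hostname debug snmpd[5123]: constructed snmpd debug chatter
Mar 8 07:43:56 bigIP-ASM-Hostname ASM:CEF:0|F5|ASM|15.1.0|Illegal file type|Illegal file type|5|dvchost=bigIP-ASM-Hostname src=192.0.2.10 act=blocked msg=constructed sample
Mar 8 07:43:57 bigIP-ASM-Hostname ASM:CEF:0|F5|ASM|15.1.0|truncated header
""".splitlines()

if __name__ == "__main__":
    counts, events = triage(SAMPLE)
    print(dict(counts))  # {'noise:tmm': 1, 'noise:snmpd': 1, 'asm_cef': 1, 'cef_malformed': 1}
    for e in events:
        print(e["sig_id"], e["severity"], e["ext"].get("src"), e["ext"].get("act"))
```

A high `noise:*` count with `asm_cef` near zero points at the logging profile or the remote-logging destination rather than at the QRadar DSM; a non-zero `cef_malformed` count shows which lines to look at in the DSM editor.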