topic Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action in All Apps and Add-ons

Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

morganfw — Fri, 09 Nov 2018 22:05:21 GMT

Hello,
I've installed Splunk Add-on for F5 BIG-IP v2.6.0 and Splunk Common Information Model (CIM) v4.12.0 on Splunk Enterprise 6.6.3 when I try to search authentication logs for apm (F5 VPN)

index="f5" sourcetype="f5:bigip:apm:syslog" tag=authentication

authentication actions field reports allowed or blocked on Access Policy logs only (not in Username logs), instead of success or failure that CIM authentication dataset documentation reports.

Below log example

Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.172 Listener /Common/ap_web_auth_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490506:5: /Common/ap_web_auth:Common:85157209: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490500:5: /Common/Network_Access_02:Common:8c6be305: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.174 Listener /Common/Network_Access_02_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490506:5: /Common/Network_Access_02:Common:8c6be305: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname:  Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490005:5: /Common/Network_Access_02:Common:8c6be305: Following rule 'fallback' from item 'Resource Assign' to ending 'Allow'
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490128:5: /Common/Network_Access_02:Common:8c6be305: Webtop '/Common/Network_Access_02_webtop' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490008:5: /Common/Network_Access_02:Common:8c6be305: Connectivity resource '/Common/Network_Access_02_na_res' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'

Anyone experienced same issue?
Thank you in advanced for any help.

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

walterk82 — Mon, 12 Nov 2018 13:55:46 GMT

Looking in the TA default/props.conf line 381

EVAL-action = if(isnull(access_policy_result), null, if(access_policy_result="Logon_Deny","blocked","allowed"))

Looks like it should default to "allowed" unless the deny action is reached.

I would raise a support case to Splunk as this is a bug -> http://docs.splunk.com/Documentation/CIM/4.12.0/User/Authentication

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

morganfw — Mon, 12 Nov 2018 15:51:40 GMT

Hi walterk82 and thank you for your answer.
I try to explain, I think there's another issue, in TA default/eventtypes.conf 61-62 lines there's configured:

[f5_bigip_apm_username_received]
search = sourcetype="f5:bigip:apm:syslog" ": Username"

above stanza recall authentication dataset action in default/tags.conf 117-123 lines:

[eventtype=f5_bigip_apm_username_received]
network = enabled
communicate  = enabled
session = enabled
authentication = enabled
default = enabled
web = enabled

so when I try to searching for tag=authentication the action field was populated in "Access policy result:" rows only, not in "Username" rows with field values "success" or "failure" that are CIM expected values for Authentication datasets for populate Splunk ITSI or Splunk ES Premium Apps.

May know a temporary workaround to put in the TA local/props.conf for extract Username success or failure action as expected?
Thank you in advance for any help.

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

walterk82 — Mon, 12 Nov 2018 15:58:32 GMT

I don't know that much about ITSI or ES and CIM to answer that question. Either way this is a supported TA. Please ask support.

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

morganfw — Mon, 12 Nov 2018 16:18:26 GMT

Thank you for answer.
I'll submit a case to Splunk Support.

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

walterk82 — Mon, 12 Nov 2018 18:35:38 GMT

Thanks, please let me know the outcome. There look to be errors in the AFM and ASM modules as well.