topic Re: F5 BIG IP'S Security iRule in Dashboards & Visualizations

F5 BIG IP'S Security iRule

wagnerbianchi — Thu, 02 May 2013 12:02:08 GMT

Hello Splunkers, how have you been?

We've been taking with F5 BIG IP Security (WAF) app and we've been observing some strange behavior on panel's dashboards, most of that connected with Attacks and Signatures. I think the way we've configured the iRule or something on BIG IP panel is not correctly right. Just adding more information, we've configured data input via UDP.

The main concern is:
1. how to generate these logs?
2. how to configure the way BIG IP way generate these logs?
3. Is this related with iRule?

Could you guys help? Thanks a lot for any suggestion.

Re: F5 BIG IP'S Security iRule

wagnerbianchi — Thu, 02 May 2013 15:02:23 GMT

We followed the steps available on the pdf which came within the app file. But, the field attack_type is reporting just commas, " and "" - anyone know about that, is it is normal or not? Any advise? Are there anyone using this app who can collaborate?

Re: F5 BIG IP'S Security iRule

bmacias84 — Thu, 02 May 2013 16:34:22 GMT

This seem like a F5 BIG IP specific issue. You may want to also post on DevCenteral. I am only familar with the icontrol interface. What does a raw event look like

Re: F5 BIG IP'S Security iRule

wagnerbianchi — Fri, 03 May 2013 13:52:25 GMT

OK! For ones who want to keep track this conversation, I just did a recap on a thread in which is being discussed the same subject. It is at: https://devcentral.f5.com/community/group/aft/1172058/asg/39#2276926

Cheers, WB

Re: F5 BIG IP'S Security iRule

wagnerbianchi — Sat, 04 May 2013 19:16:55 GMT

So, I'm here again so as to try to be helped by you Splunk guys.

On DevCentral nobody has given a feedback yet, what follows:

Just to recap this conversation which you've started some times ago (ASM & Splunk integration), I am getting problems in get Splunk fully functional after follow the steps part of the pdf file which came with the app's package. The field attack_type, used in many queries of the first app menu's group, is presenting, I imagine, wrong data. it is presenting graphs with symbols as commas, double quotes and single quotes. I will count on your help so as to understand whether it is a problem or not...could you give me a hand on that? Thanks a lot and looking forward to hearing from you.

I confess that I am little lost in midst of this implementation, but, this time I am looking forward to gather all the stuffs I've learned and check out what is wrong with the field attach_type, present on many dashboards generated by this app. It is getting just symbols as commas and single and double quotes. It's not represent anything and this is my only concern at this time.

Is it wrong on BIG IP log profile configuration?
Is it wrong on Splunk when you uncomment a line on app's props.conf?

It will very interesting that someone who is taking or has took with this app give a little help on that, perhaps F5 can help either!

I will appreciate any help...cheers!!