
F5 WAF logs: Why can't I search on "blocked request"?

skyred5
Engager

I have data piped to Splunk from F5; it is configured to generate WAF reports, and they are being sent to Splunk.

When I do a search on "blocked request" I am not able to find any data related to it. However, if I find any data within 5 minutes, I click on Show Source and I am able to find the information I need. In addition, it seems like the search results are showing per line from the WAF report.

I need some advice on how to enhance the search query and find the information that I need, specifically the blocked requests. 


sajidalisajid
New Member

index=f5_index sourcetype=* req_status="blocked" attack_type=* | chart count(req_status) by attack_type

or
index=f5_index sourcetype=* attack_type=* req_status="blocked" | table f5_bigip_server_host, support_id, req_status, attack_type, violations, ip_client


skyred5
Engager

My search query looks similar to this. There are no search results for req_status=blocked. Even req_status=* returns nothing.


I have just done a simple search, index and sourcetype only. There are a lot of one-liner results:


Http_class="/common/www.<Url>"

Policy_name="/common/www.<Url>"

I can also see entries where connections coming into F5 are accepted, with details like the browser and phone model the connection is coming from.

There is just no data found for anything related to "req_status".

sajidalisajid
New Member

Hi

In that case, review your WAF settings as per the F5 Add-on + Splunk documentation:

Configure F5 Logging Profiles for ASM

docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup 


Regards,

Sajid


glc_slash_it
Path Finder

Without a sample of the events it is hard to tell what the problem is.

Here are some ideas:

1- Have you tried to expand the time interval?

2- Does this query return any data? If so, check if the values of req_status and attack_type are what you expect. 

index=f5_index sourcetype=* req_status="blocked" attack_type=*

The chart and table commands seem fine, but they will only work if the first part of the query returns results.

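The symptom in the question (results showing one line of the WAF report at a time, with the full report only visible under Show Source) is what you would expect if each report were being broken into a separate event per line: a search that needs req_status="blocked" and attack_type=* in the same event then matches nothing, even though both strings are in the data. The following is an added example, not code from the thread or from the F5 add-on, that models that failure mode outside Splunk. The event layout (one key="value" pair per line) and all sample values are constructed for illustration and are not the exact F5 ASM log format; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample events (an assumption for illustration, not the exact F5 ASM
# log format): one WAF report per event, one key="value" pair per line.
SAMPLE_EVENTS = [
    "\n".join([
        'policy_name="/Common/www.example.com"',
        'req_status="blocked"',
        'attack_type="SQL-Injection"',
        'ip_client="203.0.113.5"',
        'support_id="1001"',
    ]),
    "\n".join([
        'policy_name="/Common/www.example.com"',
        'req_status="passed"',
        'attack_type="N/A"',
        'ip_client="198.51.100.7"',
        'support_id="1002"',
    ]),
    "\n".join([
        'policy_name="/Common/www.example.com"',
        'req_status="blocked"',
        'attack_type="Cross Site Scripting (XSS)"',
        'ip_client="203.0.113.9"',
        'support_id="1003"',
    ]),
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def extract_fields(event: str) -> dict:
    """Key/value extraction over one event, in the spirit of Splunk's automatic KV extraction."""
    return dict(KV_RE.findall(event))


def split_per_line(events):
    """Simulate mis-configured event breaking: every line of a report becomes its own event."""
    return [line for ev in events for line in ev.splitlines()]


def blocked_by_attack_type(events) -> dict:
    """Stand-in for: req_status="blocked" attack_type=* | chart count by attack_type."""
    counts = Counter()
    for ev in events:
        fields = extract_fields(ev)
        # Both conditions must hold within the same event, exactly as in the SPL search.
        if fields.get("req_status") == "blocked" and "attack_type" in fields:
            counts[fields["attack_type"]] += 1
    return dict(counts)


def events_with_fields(events, *names) -> int:
    """Diagnostic: how many events carry all of the named fields at once."""
    return sum(1 for ev in events if all(n in extract_fields(ev) for n in names))


def distinct_values(events, name) -> list:
    """Diagnostic: the values a field actually takes (like | stats values(field))."""
    return sorted({extract_fields(ev)[name] for ev in events if name in extract_fields(ev)})


if __name__ == "__main__":
    broken = split_per_line(SAMPLE_EVENTS)
    print("whole events :", blocked_by_attack_type(SAMPLE_EVENTS))
    print("line-broken  :", blocked_by_attack_type(broken))
    print("events holding both req_status and attack_type:",
          events_with_fields(SAMPLE_EVENTS, "req_status", "attack_type"), "vs",
          events_with_fields(broken, "req_status", "attack_type"))
    print("req_status values seen:", distinct_values(SAMPLE_EVENTS, "req_status"))
```

With whole reports the count per attack type comes out as expected; with the same data broken per line the blocked-request search returns nothing, because no single event contains both fields. The two diagnostic functions mirror the advice above: confirm the base search returns events at all, then confirm the values req_status actually takes before adding chart or table on top.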

glc_slash_it
Path Finder

Hi!

Can you post some events (anonymized) and the SPL you are running?
