All Apps and Add-ons

F5 WAF logs: Why can't I search on "blocked request"?

skyred5
Engager

I have data piped to Splunk from F5 and is configured to generate WAF reports and it is being sent to Splunk. 

When I do a search on "blocked request" I am not able to find any data related to it. However, if I find any data within 5mins, I click on the show source and I am able to find the information I need. In addition, it seems like the search result is showing per line from the WAF report. 

I need some advice on how to enhance the search query and find the information that I need, specifically the blocked requests. 

Labels (1)
0 Karma

sajidalisajid
New Member

index=f5_index sourcetype=* req_status="blocked" attack_type=* | chart count(req_status) by attack_type

or
index=f5_index sourcetype=* attack_type=* req_status="blocked" | table f5_bigip_server_host, support_id, req_status, attack_type, violations, ip_client

0 Karma

skyred5
Engager

My search query looks similar to this. There's no search results for req_status=blocked. Even for req_status=* also nothing. 

 

I have just done a simple search. Index and sourcetype. There are alot of one liner results;

 

Http_class="/common/www.<Url>"

Policy_name="/common/www.<Url>"

I can also see entries where the connections coming into F5 is accepted and details like the browser and phone models that the connection is coming in. 

There is just no data found for anything related to "req_status"

0 Karma

sajidalisajid
New Member

Hi

In that case, review your WAF setting as per the F5 Add-on +Splunk documentation

Configure F5 Logging Profiles for ASM

docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup 

 

Regards,

Sajid

0 Karma

glc_slash_it
Path Finder

Without having a sample of the events is hard to tell what is the problem.

Here are some ideas:

1- Have you tried to expand the time interval?

2- Does this query return any data? If so, check if the values of req_status and attack_type are what you expect. 

index=f5_index sourcetype=* req_status="blocked" attack_type=*

The chart and table commands seems fine but they will only work if the first part of the query returns results.

0 Karma

glc_slash_it
Path Finder

Hi!

Can you post some events(anonymized) and the spl you are running?

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...