Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

morganfw
Path Finder

Hello,
I've installed Splunk Add-on for F5 BIG-IP v2.6.0 and Splunk Common Information Model (CIM) v4.12.0 on Splunk Enterprise 6.6.3. When I search the authentication logs for APM (F5 VPN):

index="f5" sourcetype="f5:bigip:apm:syslog" tag=authentication

the authentication action field reports allowed or blocked, on Access Policy logs only (not on Username logs), instead of the success or failure values that the CIM Authentication dataset documentation reports.

Log example below:

Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.172 Listener /Common/ap_web_auth_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490506:5: /Common/ap_web_auth:Common:85157209: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490500:5: /Common/Network_Access_02:Common:8c6be305: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.174 Listener /Common/Network_Access_02_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490506:5: /Common/Network_Access_02:Common:8c6be305: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname:  Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490005:5: /Common/Network_Access_02:Common:8c6be305: Following rule 'fallback' from item 'Resource Assign' to ending 'Allow'
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490128:5: /Common/Network_Access_02:Common:8c6be305: Webtop '/Common/Network_Access_02_webtop' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490008:5: /Common/Network_Access_02:Common:8c6be305: Connectivity resource '/Common/Network_Access_02_na_res' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'

Has anyone experienced the same issue?
Thank you in advance for any help.

0 Karma

walterk82
Path Finder

Looking in the TA default/props.conf line 381

EVAL-action = if(isnull(access_policy_result), null, if(access_policy_result="Logon_Deny","blocked","allowed"))

Looks like it should default to "allowed" unless the deny action is reached.

I would raise a support case to Splunk as this is a bug -> http://docs.splunk.com/Documentation/CIM/4.12.0/User/Authentication

0 Karma

morganfw
Path Finder

Hi walterk82, and thank you for your answer.
Let me try to explain; I think there's another issue. In the TA's default/eventtypes.conf, lines 61-62, the following is configured:

[f5_bigip_apm_username_received]
search = sourcetype="f5:bigip:apm:syslog" ": Username"

The stanza above is referenced for the authentication dataset in default/tags.conf, lines 117-123:

[eventtype=f5_bigip_apm_username_received]
network = enabled
communicate  = enabled
session = enabled
authentication = enabled
default = enabled
web = enabled

So when I search for tag=authentication, the action field is populated in "Access policy result:" rows only, not in "Username" rows with the field values "success" or "failure", which are the CIM expected values for Authentication datasets used to populate the Splunk ITSI or Splunk ES Premium Apps.

Do you know of a temporary workaround to put in the TA's local/props.conf to extract the Username success or failure action as expected?
Thank you in advance for any help.

0 Karma
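
The correlation the post above asks for, as an added example that is not part of the thread or of the add-on: the "Username" line carries no result, so a per-session action has to be joined from the "Access policy result" line on the session id. It runs offline in Python rather than in props.conf; the function names are hypothetical, and mapping "Logon_Deny" to failure and every other result to success is an assumption that reuses the test in the TA's EVAL quoted earlier.

```python
import re

# Message layout seen in the log sample from the first post:
#   <msgid>:<level>: <profile>:<partition>:<session id>: <text>
LINE_RE = re.compile(
    r"\b(?P<msgid>[0-9a-f]{8}):\d: (?P<profile>/[^:\s]+):[^:\s]+:(?P<sid>[0-9a-f]{8}): (?P<text>.*)$"
)
RESULT_RE = re.compile(r"^Access policy result: (?P<result>\S+)")
USER_RE = re.compile(r"^Username '(?P<user>[^']*)'")


def cim_action(result):
    """Assumed mapping: same test as the TA's EVAL, but with CIM values."""
    if result is None:
        return None  # no policy result logged for this session
    return "failure" if result == "Logon_Deny" else "success"


def authentication_events(lines):
    """Join 'Access policy result' and 'Username' lines on the session id."""
    sessions = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"app": m["profile"], "user": None, "result": None})
        if (r := RESULT_RE.match(m["text"])):
            s["result"] = r["result"]
        elif (u := USER_RE.match(m["text"])):
            s["user"] = u["user"]
    # Only sessions that logged a username become authentication events.
    return {sid: {"user": s["user"], "app": s["app"], "action": cim_action(s["result"])}
            for sid, s in sessions.items() if s["user"] is not None}


# Constructed sample: session 8c6be305 is shortened from the post, 0a1b2c3d is invented.
SAMPLE = [
    "Nov 9 12:37:05 host notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full",
    "Nov 9 12:37:05 host notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'",
    "Nov 9 12:38:11 host notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:0a1b2c3d: Username 'vvv'",
    "Nov 9 12:38:12 host notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:0a1b2c3d: Access policy result: Logon_Deny",
    "Nov 9 12:38:12 host notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67",
]

if __name__ == "__main__":
    for sid, ev in authentication_events(SAMPLE).items():
        print(sid, ev)
```

A session that never logs a policy result comes back with action None, which is the case a per-event calculated field on the "Username" row cannot resolve on its own.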

walterk82
Path Finder

I don't know enough about ITSI, ES and CIM to answer that question. Either way, this is a supported TA. Please ask support.

0 Karma

morganfw
Path Finder

Thank you for your answer.
I'll submit a case to Splunk Support.

0 Karma

walterk82
Path Finder

Thanks, please let me know the outcome. There look to be errors in the AFM and ASM modules as well.

0 Karma