All Apps and Add-ons

Splunk for F5 Security showing logs but no dashboard data

slog
New Member

Hi,
We have F5 ASM (version 10) forwarding logs to Splunk. We are able to view the logs on the splunk server. But the built-in dashboards are not being populated even after we gave it sufficient time.

Could this be because splunk has not parsed the various fields in the logs files correctly? Does the "storage format" in the f5 logging profile need be in a particular order?

For example i am able to filter the logs based on source/host but i am unable to find the field Web_application_name.

Thanks in advance.
Haze

0 Karma

trumpjk
Explorer

I can't get this to work even with making changes suggested by Daiji. Has anyone else gotten the app to work? Using ASM 11.3

0 Karma

daijik
Engager

It seems that current version of F5 Security application is made for ASM v10.x NOT v11.x.

Actually, in ASM v11.x, the field "web_application_name" was deleted from its log format. That's why the current version of F5 Security App (v1.1) can't show the result on dashborad.

So if you want F5 Security App to work with ASM v11, you need to modify the app to use "http_class_name" instead of "web_application_name". My quick hack version of the app appears to be working fine at least in my environment.

Thanks,
Daiji @ F5 Presales Engineer

MarioM
Motivator

The sourcetype of your ASM log needs to be set to asm_log.

And for version 10 you need to copy splunk_home/etc/apps/SplunkforF5Security/default/props.conf in splunk_home/etc/apps/SplunkforF5Security/local/ and uncomment the following:

[asm_log]
REPORT-fields = asm_extract_10

Inside the app there is pdf with instruction on how to configure the ASM for logging,but it seems you did it:

To create a logging profile for Splunk in ASM

  1. On the Main tab, expand Application Security, point to Options, and then click
    Logging Profiles.
    The Logging Profiles screen opens.

  2. Above the Logging Profiles area, click the Create button.
    The Create New Logging Profile screen opens.

  3. For the Configuration setting, select Advanced.
    The screen refreshes to display additional settings.

  4. For the Profile Name setting, type a unique name for the logging profile.

  5. Select the Remote Storage check box, and for the Type setting, select Reporting
    Server.
    The screen displays additional settings.

  6. If you do not want data logged locally as well as remotely, click to clear the Local
    Storage check box.

  7. For the Protocol setting, select the protocol that the remote storage server uses: TCP
    (the default setting), TCP-RFC3195, or UDP.

  8. For the Server IP setting, type the IP address of Splunk server.

  9. For the Server Port setting, type a port number or use the default value, 514.

  10. To ensure that the system logs requests for the web application (when logging locally
    as well as remotely), select the Guarantee Logging check box.
    Note: Enabling this setting may slow access to the associated web application.

  11. Optionally, adjust the maximum request, header, query string size, and maximum
    entry length settings. (Refer to online help for details on the settings.)

  12. If you want the system to log details (including the start and end time, number of
    dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS
    attacks, IP enforcer attacks, or web scraping attacks, select the Report Detected
    Anomalies box.

  13. Click the Create button.
    The screen refreshes, and displays the new logging profile on the Logging Profiles
    screen.

  14. Assign the logging profile you’ve created to your web application. On the Main tab,
    expand Application Security, point to Web Applications, and then select the Web
    Application you want to assign the logging profile to.
    Web Application Properties screen opens.
    Select the logging profile you’ve created in the Logging Profile drop down menu,
    click Save button and Apply Policy

0 Karma

slog
New Member

I got a feeling that the dashboards that come with the F5 security app in splunk are designed for logs generated by version 11 of ASM and not 10. I might have to make custom dashboards.

0 Karma

slog
New Member

Hi Mario,
Thanks for your reply.
Here are the steps i have already performed.
1.Created logging profile on F5 and ASM log is forwarded over to splunk over tcp 9998
2.Splunk configured to listed on 9998 and logs sent to file asm_log
3.Edited /etc/apps/SplunkforF5Security/default/props.conf and uncommented REPORT-fields = asm_extract_10
4.Edited \etc\apps\splunkforf5security\default\transforms.conf and changed the order of fields under [asm_extract_10] to reflect the order of "storage format" under the logging profile in f5.


FIELDS = "request", "response_code", "method", "protocol", "uri", "query_string", "ip_client", "web_application_name", "violations", "unit_hostname", "management_ip_address", "policy_name", "policy_apply_date", "x_forwarded_for_header_value", "support_id", "request_status", "sig_ids", "sig_names", "date_time", "severity", "attack_type", "src_port", "dest_port", "dest_ip", "geo_location", "sub_violations", "violation_details"


After this i was able to get the Web_application_name etc listed correctly in the log search screen. However, the dashboard was not getting updated.

Based on your comment, i copied the props.conf file from /default to the /local directory and restarted splunk but still none of the dashboard gets updated.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...