We have F5 ASM (version 10) forwarding logs to Splunk. We are able to view the logs on the Splunk server, but the built-in dashboards are not being populated even after we gave it sufficient time.
Could this be because Splunk has not parsed the various fields in the log files correctly? Does the "storage format" in the F5 logging profile need to be in a particular order?
For example, I am able to filter the logs based on source/host, but I am unable to find the field Web_application_name.
Thanks in advance.
It seems that the current version of the F5 Security application is made for ASM v10.x, NOT v11.x.
Actually, in ASM v11.x, the field "web_application_name" was deleted from its log format. That's why the current version of the F5 Security App (v1.1) can't show the result on the dashboard.
So if you want the F5 Security App to work with ASM v11, you need to modify the app to use "http_class_name" instead of "web_application_name". My quick-hack version of the app appears to be working fine, at least in my environment.
Daiji @ F5 Presales Engineer
The sourcetype of your ASM log needs to be set to asm_log.
And for version 10 you need to copy splunk_home/etc/apps/SplunkforF5Security/local/ and uncomment the following:
    [asm_log]
    REPORT-fields = asm_extract_10
Inside the app there is a PDF with instructions on how to configure the ASM for logging, but it seems you already did it:
To create a logging profile for Splunk in ASM:
1. On the Main tab, expand Application Security, point to Options, and then click
   The Logging Profiles screen opens.
2. Above the Logging Profiles area, click the Create button.
   The Create New Logging Profile screen opens.
3. For the Configuration setting, select Advanced.
   The screen refreshes to display additional settings.
4. For the Profile Name setting, type a unique name for the logging profile.
5. Select the Remote Storage check box, and for the Type setting, select Reporting
   The screen displays additional settings.
6. If you do not want data logged locally as well as remotely, click to clear the Local Storage check box.
7. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
8. For the Server IP setting, type the IP address of the Splunk server.
9. For the Server Port setting, type a port number or use the default value, 514.
10. To ensure that the system logs requests for the web application (when logging locally as well as remotely), select the Guarantee Logging check box.
    Note: Enabling this setting may slow access to the associated web application.
11. Optionally, adjust the maximum request, header, query string size, and maximum entry length settings. (Refer to online help for details on the settings.)
12. If you want the system to log details (including the start and end time, number of dropped requests, attacking IP addresses, and so on) about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select the Report Detected
13. Click the Create button.
    The screen refreshes, and displays the new logging profile on the Logging Profiles
14. Assign the logging profile you've created to your web application. On the Main tab, expand Application Security, point to Web Applications, and then select the Web Application you want to assign the logging profile to.
    The Web Application Properties screen opens.
15. Select the logging profile you've created in the Logging Profile drop-down menu, click the Save button and Apply Policy.
Thanks for your reply.
Here are the steps I have already performed.
1. Created a logging profile on F5; the ASM log is forwarded to Splunk over TCP 9998.
2. Splunk configured to listen on 9998 and logs sent to file asm_log.
3. Edited /etc/apps/SplunkforF5Security/default/props.conf and uncommented REPORT-fields = asm_extract_10.
4. Edited \etc\apps\splunkforf5security\default\transforms.conf and changed the order of fields under [asm_extract_10] to reflect the order of "storage format" under the logging profile in F5:
   FIELDS = "request", "response_code", "method", "protocol", "uri", "query_string", "ip_client", "web_application_name", "violations", "unit_hostname", "management_ip_address", "policy_name", "policy_apply_date", "x_forwarded_for_header_value", "support_id", "request_status", "sig_ids", "sig_names", "date_time", "severity", "attack_type", "src_port", "dest_port", "dest_ip", "geo_location", "sub_violations", "violation_details"
After this I was able to get Web_application_name etc. listed correctly in the log search screen. However, the dashboard was not getting updated.
Based on your comment, I copied the props.conf file from /default to the /local directory and restarted Splunk, but still none of the dashboards get updated.
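The two failure modes raised in this thread (a storage-format order that does not match the app's FIELDS list, and the v10 web_application_name versus v11 http_class_name rename) can be checked offline before touching the dashboards. The script below is an added example, not code from the thread, the Splunk for F5 Security app, or F5: it reads the FIELDS order out of a transforms.conf stanza (mirroring the list posted above), splits a sample ASM event the way Splunk's delimiter-based REPORT extraction would, and reports misalignments. The transforms.conf text, the ASM event lines and the v11 profile field list are all constructed for illustration; the `load_extraction`, `extract`, `plausibility_errors` and `diff_fields` helpers are this example's own names, and the choice of typed fields to sanity-check is an assumption.

```python
"""Check that the app's transforms.conf FIELDS list lines up with what the
ASM logging profile actually sends (added example; not the app's own code)."""
import configparser
import csv
import ipaddress


# Constructed transforms.conf fragment. DELIMS/FIELDS is Splunk's standard
# delimiter-based extraction; the field order mirrors the list in the thread.
TRANSFORMS_CONF = """
[asm_extract_10]
DELIMS = ","
FIELDS = "request", "response_code", "method", "protocol", "uri", "query_string", "ip_client", "web_application_name", "violations", "unit_hostname", "management_ip_address", "policy_name", "policy_apply_date", "x_forwarded_for_header_value", "support_id", "request_status", "sig_ids", "sig_names", "date_time", "severity", "attack_type", "src_port", "dest_port", "dest_ip", "geo_location", "sub_violations", "violation_details"
"""

# Constructed ASM v10-style remote-logging event: one quoted value per field,
# in the same order as the storage format / FIELDS list above.
SAMPLE_V10_LINE = (
    '"GET /login.php HTTP/1.1","200","GET","HTTP","/login.php","user=admin",'
    '"203.0.113.7","/Common/www_app","Attack signature detected",'
    '"bigip1.example.net","192.0.2.10","/Common/www_policy",'
    '"2013-03-01 10:00:00","N/A","12345678901234567890","blocked",'
    '"200000098","SQL-INJ OR 1=1","2013-03-04 12:34:56","Critical",'
    '"SQL-Injection","51234","443","198.51.100.20","N/A","N/A","N/A"'
)

# Same event with ip_client and web_application_name swapped, which is what a
# profile whose storage-format order differs from FIELDS produces (constructed).
SWAPPED_LINE = SAMPLE_V10_LINE.replace(
    '"203.0.113.7","/Common/www_app"', '"/Common/www_app","203.0.113.7"')


def load_extraction(conf_text, stanza):
    """Return (delimiter, field list) from a transforms.conf stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DELIMS / FIELDS keys exactly as written
    cp.read_string(conf_text)
    delim = cp[stanza]["DELIMS"].strip().strip('"')
    fields = [f.strip().strip('"') for f in cp[stanza]["FIELDS"].split(",")]
    return delim, fields


def extract(line, delim, fields):
    """Split one ASM event as REPORT-fields would and name the values.
    A length mismatch means the storage format and FIELDS do not agree."""
    values = next(csv.reader([line], delimiter=delim, quotechar='"'))
    if len(values) != len(fields):
        raise ValueError(f"event has {len(values)} values, FIELDS names {len(fields)}")
    return dict(zip(fields, values))


def plausibility_errors(record):
    """Same count but wrong order is silent in Splunk; sanity-check the
    fields whose type is known (assumed set of IP and numeric fields)."""
    errors = []
    for name in ("ip_client", "dest_ip", "management_ip_address"):
        try:
            ipaddress.ip_address(record[name])
        except ValueError:
            errors.append(f"{name}={record[name]!r} is not an IP address")
    for name in ("response_code", "src_port", "dest_port"):
        if not record[name].isdigit():
            errors.append(f"{name}={record[name]!r} is not numeric")
    return errors


def v11_profile_fields(v10_fields):
    """Field names an ASM v11 profile emits (constructed from Daiji's note:
    web_application_name is gone and http_class_name takes its place)."""
    return ["http_class_name" if f == "web_application_name" else f
            for f in v10_fields]


def diff_fields(app_fields, profile_fields):
    """Names the app extracts but the profile never sends, and vice versa.
    Anything in the first list is a field the dashboards will search in vain."""
    only_app = [f for f in app_fields if f not in profile_fields]
    only_profile = [f for f in profile_fields if f not in app_fields]
    return only_app, only_profile


if __name__ == "__main__":
    delim, fields = load_extraction(TRANSFORMS_CONF, "asm_extract_10")
    rec = extract(SAMPLE_V10_LINE, delim, fields)
    print("web_application_name =", rec["web_application_name"])
    print("swapped order:", plausibility_errors(extract(SWAPPED_LINE, delim, fields)))
    print("v10 app vs v11 profile:", diff_fields(fields, v11_profile_fields(fields)))
```

Run it against a real event copied from the asm_log file and the FIELDS line from your own transforms.conf: a ValueError points at a count mismatch, a plausibility error points at a reordered storage format, and a non-empty first list from `diff_fields` is the v11 rename Daiji describes.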