F5 BIG IP'S Security iRule

wagnerbianchi
Splunk Employee

Hello Splunkers, how have you been?

We've been working with the F5 BIG IP Security (WAF) app and have been observing some strange behavior on the dashboard panels, most of it connected with Attacks and Signatures. I think the way we've configured the iRule, or something in the BIG IP panel, is not quite right. Just to add more information: we've configured the data input via UDP.

The main concerns are:
1. How do we generate these logs?
2. How do we configure the way BIG IP generates these logs?
3. Is this related to the iRule?

Could you guys help? Thanks a lot for any suggestion.


wagnerbianchi
Splunk Employee

So, I'm here again to try to get some help from you Splunk guys.

On DevCentral nobody has given feedback yet. Here is what I posted there:

Just to recap this conversation, which you started some time ago (ASM & Splunk integration): I am having problems getting Splunk fully functional after following the steps in the PDF file that came with the app's package. The field attack_type, used in many queries of the first app menu group, is presenting, I imagine, wrong data. It is presenting graphs with symbols such as commas, double quotes and single quotes. I will count on your help to understand whether it is a problem or not. Could you give me a hand on that? Thanks a lot, and looking forward to hearing from you.

I confess that I am a little lost in the midst of this implementation, but this time I am looking to gather all the stuff I've learned and check what is wrong with the field attack_type, present on many dashboards generated by this app. It is getting just symbols such as commas and single and double quotes. It doesn't represent anything, and this is my only concern at this time.

  • Is it wrong in the BIG IP log profile configuration?
  • Is it wrong on the Splunk side when you uncomment a line in the app's props.conf?

It would be very interesting if someone who is working or has worked with this app could give a little help on that; perhaps F5 can help too!

I would appreciate any help. Cheers!


wagnerbianchi
Splunk Employee

OK! For those who want to keep track of this conversation, I just posted a recap on a thread in which the same subject is being discussed. It is at: https://devcentral.f5.com/community/group/aft/1172058/asg/39#2276926

Cheers, WB


bmacias84
Champion

This seems like an F5 BIG IP specific issue. You may want to also post on DevCentral. I am only familiar with the iControl interface. What does a raw event look like?


wagnerbianchi
Splunk Employee

We followed the steps available in the PDF that came with the app file. But the field attack_type is reporting just commas, " and "" - does anyone know about that? Is it normal or not? Any advice? Is there anyone using this app who can collaborate?

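The thread never shows a raw event, so the cause of the stray commas and quotes is not established here. The following is an added example, not code from the thread, from F5, or from the Splunk app, illustrating one mechanism that produces exactly this symptom: a key="value" event in which attack_type holds a quoted, comma-separated list of categories, extracted by logic that splits on commas before it honours the quotes. The sample event and its field names are constructed for illustration and only imitate the general layout of a BIG-IP ASM remote-logging line; they are assumptions, not captured data. The quote-aware parser beside it shows what a correct extraction should return for the same line.

```python
"""
Quote-aware parsing of key="value" WAF events versus a comma-first split.

Added example (not from the thread, F5, or the Splunk app). The event below
is constructed for illustration; field names and values are assumptions.
"""
import re

# Constructed sample event (not a real BIG-IP capture). attack_type carries a
# comma-separated list inside one quoted value, which is the case that trips
# up a comma-first extraction.
SAMPLE_EVENT = (
    'unit_hostname="bigip1.example.test",management_ip_address="10.0.0.1",'
    'policy_name="web_policy",violations="Attack signature detected",'
    'attack_type="Cross Site Scripting (XSS),Non-browser Client",'
    'ip_client="203.0.113.7",request_status="blocked",severity="Critical"'
)

# One key="value" pair. The value runs to the next unescaped double quote, so
# commas inside the value do not terminate it; \" inside a value is allowed.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def naive_split(event: str):
    """
    Comma-first extraction: split the event on commas, then each chunk on the
    first '='. Returns (fields, orphans). Chunks without '=' are the tail
    pieces of quoted values that contained commas; they surface as fragments
    with dangling quote characters, which is the kind of junk a dashboard
    would then render as bare quotes and commas.
    """
    fields, orphans = {}, []
    for chunk in event.split(","):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key] = value
        else:
            orphans.append(chunk)
    return fields, orphans


def parse_event(event: str) -> dict:
    """Quote-aware parse of every key="value" pair; unescapes \\" in values."""
    return {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(event)}


def attack_types(event: str) -> list:
    """Split the parsed attack_type value into its individual categories."""
    value = parse_event(event).get("attack_type", "")
    return [t.strip() for t in value.split(",") if t.strip()]


if __name__ == "__main__":
    fields, orphans = naive_split(SAMPLE_EVENT)
    print("comma-first attack_type:", repr(fields.get("attack_type")))
    print("comma-first orphans    :", orphans)
    print("quote-aware attack_type:", attack_types(SAMPLE_EVENT))
```

Running the block prints the comma-first result (a value that starts with a dangling double quote, plus an orphan fragment ending in one) next to the quote-aware result (two clean categories). When checking a pipeline with this symptom, compare a raw event from the UDP input against what the extraction returns for attack_type; if the extracted value starts or ends with a quote character, the extraction is cutting on commas or quotes rather than on the pair boundary.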