ASM L7DOS snmp traps

Dear,

Do you know of any known issue about l7ddos snmp traps? For some reason they are not sent at all.

The log entry in /var/log/dosl7/dosl7d.log is well present, but no snmp trap is sent.

I checked the definition in the alertd config files and it looks like it is looking for a specific log entry in order to send the trap:

alert.conf

alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91";
}

bigip_ts_error_maps.h

3 LOG_ERR 01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s"

But the problem is that when testing an l7ddos, no log entry can be found in /var/log/asm; there are only logs in /var/log/dosl7/dosl7d.log.

And it looks like alertd does not process the latter file (K14397).

My client is running version 11.5.4

Thanks in advance for your assistance.

Abdessamad


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Small update as we got some feedback from F5 support:

"Since messages generated by the dosl7d process are not processed by the alertd SNMP process there is no possible workaround, this functionality needs to be hard coded. Currently the only option to be notified of a DOS attack is by an external logging device."

"SNMP traps rely on the syslog facility; however, the dosl7d daemon writes directly to its log file rather than using syslog facilities, which means that the messages it issues do not pass through the syslog pipe that is the source for almost everything in the syslog-ng configuration. As a result, the alertd daemon can't see the dosl7d messages either and therefore is unable to act on them and trigger SNMP traps.

Our solution article below about custom scripts based on a syslog message also makes reference to this: https://support.f5.com/csp/article/K14397


Messages generated by the dosl7d process in BIG-IP ASM 11.3.0 and later are not processed by the alertd SNMP process. Layer 7 (L7) denial of service (DoS) messages, therefore, cannot be used for triggering commands or custom scripts.


A Request For Enhancement (ID486827) was raised to make it possible to configure a syslog destination for dosl7 messages (which should also help resolve the issue with trap messages). This functionality is expected to become available in future public releases only. Product Development does not have any definite details for these releases yet."

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can create a custom SNMP trap and some shell scripts to poll the dosl7d.log file and fire standard log messages that will be used by the custom SNMP trap.

I'll post an example here later.

Meanwhile some docs:

https://support.f5.com/csp/article/K3727

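The approach sketched in this answer, written out as an added example (not code from the thread, from F5, or from K3727): a small POSIX shell script follows dosl7d.log, picks out attack notifications, and re-emits each one through `logger` so that it enters the syslog path alertd actually reads. A matching stanza for /config/user_alert.conf is printed by the script for reference. The "DoS attack" match phrase, the CUSTOM_DOSL7_EVENT prefix, the local0.notice priority and the custom trap OID are all assumptions to be adjusted to the box's real log format and to the custom-trap OID range documented in K3727.

```shell
#!/bin/sh
# Added example, not from the DevCentral thread or F5: forward dosl7d attack
# lines into syslog so that alertd can match a custom SNMP trap on them.
#
# Assumptions (adjust for your box):
#   - attack lines in dosl7d.log contain the phrase "DoS attack"
#   - /config/user_alert.conf carries an alert whose match string is $PREFIX
#   - `logger` is available and local0.notice lands in the log alertd scans

DOSL7_LOG="${DOSL7_LOG:-/var/log/dosl7/dosl7d.log}"
PREFIX="CUSTOM_DOSL7_EVENT"   # must equal the match string in user_alert.conf

# Turn one dosl7d log line into the syslog message alertd will see.
# Prints the message and returns 0 for attack lines; prints nothing and
# returns 1 for anything else so callers can skip heartbeats and chatter.
format_dos_event() {
    line="$1"
    case "$line" in
        *"DoS attack"*)
            # squeeze whitespace so the event is one clean syslog line
            msg=$(printf '%s' "$line" | tr -s '[:space:]' ' ')
            printf '%s: %s\n' "$PREFIX" "$msg"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# Hand a formatted event to syslog; non-attack lines are silently dropped.
forward_dos_event() {
    msg=$(format_dos_event "$1") || return 0
    logger -p local0.notice "$msg"
}

# Follow the dosl7d log from its current end (-n0) and survive rotation (-F).
follow_log() {
    tail -n0 -F "$DOSL7_LOG" | while IFS= read -r l; do
        forward_dos_event "$l"
    done
}

# The user_alert.conf stanza this script is paired with. The OID is a
# placeholder in the custom-trap range; pick one per K3727 for your system.
print_user_alert_stanza() {
    cat <<EOF
alert CUSTOM_DOSL7_EVENT "$PREFIX" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300"
}
EOF
}

if [ "${1:-}" = "--follow" ]; then
    follow_log
else
    # Dry run on constructed sample lines (not real dosl7d output): show what
    # would be sent to syslog and what the matching stanza looks like.
    for sample in \
        "2016-03-01 10:15:02 [INFO] DoS attack: detected, vs /Common/vs_http" \
        "2016-03-01 10:15:03 [INFO] stats collection heartbeat"
    do
        if out=$(format_dos_event "$sample"); then
            printf 'would log: %s\n' "$out"
        else
            printf 'skipped:   %s\n' "$sample"
        fi
    done
    echo "--- user_alert.conf stanza ---"
    print_user_alert_stanza
fi
```

Run it without arguments to see the dry run, or as `sh forward_dosl7.sh --follow` (for example from a startup script) to keep forwarding in the background. After adding the stanza, restart alertd (`bigstart restart alertd`) so it picks up the new alert, then confirm the trap with a deliberate `logger -p local0.notice "CUSTOM_DOSL7_EVENT: test"` before trusting it in production. Note that this only moves the event into syslog; it does not change the fact that dosl7d itself writes outside syslog, which is the root cause F5 support describes in the other answer.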