Currently F5 system logs are forwarded to McAfee SIEM. Now ASM profiles are enabled; how can I identify if the ASM logs are also forwarded to the SIEM? Is there any tcpdump to identify ASM logs being forwarded?
You can use tcpdump to see if syslog messages are forwarding, but you won't be able to read the contents unless you open it in tools like Wireshark and do a packet inspection.
I would suggest looking at the syslog server to see if you are receiving the ASM logs with a tag 'ASM' at the start.
Make sure that the SIEM is available on the TMM side, i.e. not via the management interface. Do a tcpdump to check whether the traffic is being sent to the SIEM, and make sure your SIEM has plenty of power - it's very easy to crash the SIEM server with a BIG-IP.
Yes, F5 forwards logs to the SIEM, but I could see the below config is not in place.
Hope this should help in forwarding to the remote logging server (SIEM server).
Log in to the F5 Networks BIG-IP ASM appliance user interface.
On the navigation pane, select Application Security > Options.
Click Logging Profiles.
From the Configuration list, select Advanced.
Configure the following parameters:
Type a Profile Name. For example, type ASM_SIEM_logging.
Note: If you do not want data logged locally as well as remotely, you must clear the Local Storage check box.
Select the Remote Storage check box.
From the Type list, select Reporting Server.
From the Protocol list, select TCP.
Configure the Server Addresses fields:
- IP address - Type the IP address of the SIEM log server.
- Port - Type a port value of 514.
Hi, can you explain this better please - what issue are you having?
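The check suggested in the thread (looking on the syslog server for messages that start with the 'ASM' tag), as an added example that is not part of any post: this Python sketch counts ASM and non-ASM messages per sending host so a BIG-IP that forwards only system logs stands out. The sample lines, host names and field values are constructed, and the RFC 3164-style header layout is an assumption about how the receiver stores the messages.

```python
import re
from collections import defaultdict

# Constructed sample of lines as a syslog receiver might store them (not real logs).
SAMPLE_LINES = [
    '<134>Mar  3 10:15:02 bigip1.example.com ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/demo_policy",request_status="blocked"',
    '<30>Mar  3 10:15:05 bigip1.example.com notice mcpd[5021]: constructed system message',
    '<134>Mar  3 10:15:09 bigip1.example.com ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/demo_policy",request_status="passed"',
    '<30>Mar  3 10:16:00 bigip2.example.com info logger: constructed system message',
    'garbage line without a syslog header',
]

# Assumed layout: optional <PRI>, "Mmm dd hh:mm:ss", host, then the message body.
HEADER = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s'
    r'(?P<host>\S+)\s(?P<body>.*)$'
)

def summarize(lines, tag="ASM"):
    """Return ({host: {"asm": n, "other": n}}, unparsed_count)."""
    counts = defaultdict(lambda: {"asm": 0, "other": 0})
    unparsed = 0
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            unparsed += 1  # keep track of lines we could not classify
            continue
        # The thread's criterion: the message starts with the 'ASM' tag.
        kind = "asm" if m.group("body").startswith(tag + ":") else "other"
        counts[m.group("host")][kind] += 1
    return dict(counts), unparsed

def hosts_missing_asm(lines, tag="ASM"):
    """Hosts that send syslog but have no ASM-tagged message in the sample."""
    counts, _ = summarize(lines, tag)
    return sorted(h for h, c in counts.items() if c["asm"] == 0)

if __name__ == "__main__":
    per_host, skipped = summarize(SAMPLE_LINES)
    for host, c in sorted(per_host.items()):
        print(f"{host}: asm={c['asm']} other={c['other']}")
    print("unparsed lines:", skipped)
    print("no ASM logs seen from:", hosts_missing_asm(SAMPLE_LINES))
```

Feed it lines from the receiver's log file, or text extracted from a capture, in place of `SAMPLE_LINES`.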