APM iRule to send information to NITRO SIEM

Question

looking for an iRule that will capture the username/IP address when someone logs into APM and sends that to the SIEM. Also should include auth failures so I can set an alert for number of failed logins

ap_129594 · Answer

Kevin,
Instead of having a pool of SIEM pool, how do I set my log to hit an individual SIEM IP address?&nbsp;
set hsl [HSL::open -proto UDP -pool syslog-ubuntu-pool]&nbsp;
Thanks&nbsp;

boneyard · Answer

HSL doesn't support that, you could work with HSL::open -publisher  from 11.3 if you can configure a publisher.&nbsp;
but why cant you create that pool and put one member in it?&nbsp;

Forum Discussion

APM iRule to send information to NITRO SIEM

2 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Find CVE information on AskF5

Traffic Policies: More detailed information on Actions

Best way to pass http header by iRule containing Client TLS information

iRules Style Guide

ASM custom response page add additional information