
docdriza_161671
Jul 14, 2014

Logs need to be sent to McAfee SIEM

Hello all,

 

I am new to F5 and BIG-IP. I am currently on version 11.3. I am trying to send logs from the BIG-IP to my McAfee SIEM. After talking with McAfee, they say that the logs need to be in NEDS format. Would someone be able to help me create an iRule that sends all logs to my SIEM?

 

Any help would be appreciated.

 

Thanks.

 

6 Replies

      docdriza_161671
      I have looked at the iRule page, but it confuses me because it specifically talks about Splunk. Also, in part 4, where they talk about defining the syslog server, they cover versions 9 and 10, and I am on version 11.3. I know a little about scripting, but I cannot figure this out. What I am really asking is: how do I define the syslog server I would like to send my logs to? Based on what was suggested, I am not sure how to do that.
  • Here is the code I have attempted. Would someone be able to help me with this?

     

    # Connection-independent settings, evaluated once when the iRule is loaded.
    # NOTE(review): on CMP-enabled v11 systems, ::-namespace globals written in
    # RULE_INIT are known to demote the virtual server from CMP; the usual
    # replacement is the static:: namespace (set static::inbound_vlan ...) —
    # confirm for this release. Not renamed here because every other handler
    # in this listing reads these exact names.
    when RULE_INIT {
        # VLAN used by CLIENT_ACCEPTED to decide the "Inbound"/"Outbound" label.
        set ::inbound_vlan "4094"
        # Device identifier emitted as the first field of every NEDS record.
        set ::device_id "clcappfw01.ssd.com"
        # Upper bound on the length kept from client-supplied HTTP fields
        # (host, URI, username, User-Agent) before they are logged.
        set ::strlimit 256
        # NOTE(review): neither ::doAES nor ::AESKey is read anywhere in this
        # listing. A key value that has been posted publicly should be treated
        # as disclosed and replaced wherever that encryption feature is in use.
        set ::doAES 0
        set ::AESKey "H&^)(D(*CEH(c0jhcds9h)(&&%%$%$@"
    }
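    # Emits one "conn.start" record per accepted client connection and stores
    # $clientflow, the flow key the later handlers reuse to correlate their
    # records with this one. The dead conn.end assignments that were
    # immediately overwritten have been dropped.
    when CLIENT_ACCEPTED {
        # Sub-second part of the timestamp. NOTE(review): this assumes
        # [clock clicks] counts microseconds since the epoch; Tcl itself only
        # promises a high-resolution, system-dependent counter, so unless the
        # TMM runtime behaves that way the value can be negative or meaningless
        # (and %u would then print a huge number) — confirm on the target build.
        set secs [clock seconds]
        set usecs [expr {[clock clicks] - ($secs * 1000000)}]
        if { $usecs > 1000000 } {
            set usecs "999999"
        } else {
            set usecs [format "%06u" $usecs]
        }
        set conn_start_time $secs.$usecs

        # Client-side 4-tuple plus start time: the per-connection flow key.
        set clientflow "[IP::client_addr]:[TCP::client_port]"
        append clientflow "-[IP::local_addr]:[TCP::local_port]@$conn_start_time"

        # NOTE(review): [string compare] returns 0 on a match, so this branch
        # labels traffic arriving on any VLAN *other than* $::inbound_vlan as
        # "Inbound". That reads as inverted relative to the variable name —
        # confirm the intended semantics before the SIEM relies on this field.
        set vlanid [LINK::vlan_id]
        if { [string compare $vlanid $::inbound_vlan] } {
            set direction "Inbound"
        } else {
            set direction "Outbound"
        }

        # Field order: device, flow, start time, VLAN, protocol, TOS, TTL,
        # virtual server, direction. Quoted fields double embedded quotes
        # elsewhere; these values are all BIG-IP generated.
        set log_event "neds.f5.conn.start.v1"
        set log_content "\"$::device_id\","
        append log_content "\"$clientflow\","
        append log_content "$conn_start_time,"
        append log_content "\"$vlanid\","
        append log_content "[IP::protocol],"
        append log_content "[IP::tos],"
        append log_content "[IP::ttl],"
        append log_content "\"[virtual]\","
        append log_content "\"$direction\""

        # The whole record is passed to log as one quoted argument.
        # NOTE(review): the destination is written as host:port; the iRule log
        # command is normally given an IP address, and "syslogserver" is unlikely
        # to resolve inside TMM — replace with the SIEM collector's IP.
        log syslogserver:514 local7.info "\"$log_event\",$log_content"
    }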
    
    # Emits one "conn.end" record when the client connection closes, carrying
    # the flow key from CLIENT_ACCEPTED plus the IP packet/byte counters.
    when CLIENT_CLOSED {
        # Timestamp with a six-digit fractional part, capped at 999999.
        # NOTE(review): relies on [clock clicks] being microseconds since the
        # epoch on this platform — Tcl does not guarantee that; confirm.
        set now_s [clock seconds]
        set now_us [expr {[clock clicks] - ($now_s * 1000000)}]
        if { $now_us <= 1000000 } {
            set now_us [format "%06u" $now_us]
        } else {
            set now_us "999999"
        }
        set conn_end_time "$now_s.$now_us"

        # Counters are read once; each [IP::stats ...] call returns a two-element list.
        set pkt_counts  [IP::stats pkts]
        set byte_counts [IP::stats bytes]

        # Record layout: device, flow, end time, pkts[0], pkts[1], bytes[0], bytes[1].
        set fields [list \
            "\"$::device_id\"" \
            "\"$clientflow\"" \
            $conn_end_time \
            [lindex $pkt_counts 0] \
            [lindex $pkt_counts 1] \
            [lindex $byte_counts 0] \
            [lindex $byte_counts 1]]

        set log_event "neds.f5.conn.end.v1"
        log syslogserver:514 local7.info "\"$log_event\",[join $fields ,]"
    }
    
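    # Emits one record per client HTTP request. The four client-supplied
    # values are truncated, stripped of control characters and CSV-escaped
    # before they are written to the syslog line.
    when HTTP_REQUEST {
        # Sub-second timestamp part. NOTE(review): assumes [clock clicks] is
        # microseconds since the epoch; Tcl only promises a high-resolution
        # system-dependent counter — confirm on the target build.
        set secs [clock seconds]
        set usecs [expr {[clock clicks] - ($secs * 1000000)}]
        if { $usecs > 1000000 } {
            set usecs "999999"
        } else {
            set usecs [format "%06u" $usecs]
        }
        set http_request_time $secs.$usecs

        # Normalise each client-controlled header value the same way:
        #  - keep at most $::strlimit characters ([string range] is inclusive
        #    at both ends, so the original 0..$::strlimit kept one extra char);
        #  - drop control characters, so an embedded CR/LF cannot split the
        #    syslog line and be read by the SIEM as a separate record;
        #  - double embedded quotes so the quoted CSV field stays well-formed.
        foreach {varname raw} [list \
            http_host        [HTTP::host] \
            http_request_uri [HTTP::uri] \
            http_username    [HTTP::username] \
            http_user_agent  [HTTP::header User-Agent]] {
            set value [string range $raw 0 [expr {$::strlimit - 1}]]
            regsub -all {[[:cntrl:]]} $value {} value
            set $varname [string map {{"} {""}} $value]
        }

        # TODO(review): this is the same event name CLIENT_CLOSED uses for the
        # conn.end record, but the field layout below is the HTTP request
        # layout, so the SIEM will apply the wrong parsing template. Replace
        # with the NEDS request event name (placeholder: <NEDS-HTTP-REQUEST-EVENT>).
        set log_event "neds.f5.conn.end.v1"

        # Record layout: device, flow, request time, request number, host,
        # URI, username, User-Agent.
        set log_content "\"$::device_id\","
        append log_content "\"$clientflow\","
        append log_content "$http_request_time,"
        append log_content "[HTTP::request_num],"
        append log_content "\"$http_host\","
        append log_content "\"$http_request_uri\","
        append log_content "\"$http_username\","
        append log_content "\"$http_user_agent\""

        # Whole record passed as one argument; destination should be the
        # collector's IP:port rather than a hostname.
        log syslogserver:514 local7.info "\"$log_event\",$log_content"
    }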
    
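    # Emits one "http.resp" record per server response, keyed by the
    # client-side flow set in CLIENT_ACCEPTED. Per the author's naming,
    # IP::local_addr / IP::remote_addr here are the BIG-IP -> pool member leg.
    when HTTP_RESPONSE {
        # Sub-second timestamp part. NOTE(review): assumes [clock clicks] is
        # microseconds since the epoch; Tcl only promises a high-resolution
        # system-dependent counter — confirm on the target build.
        set secs [clock seconds]
        set usecs [expr {[clock clicks] - ($secs * 1000000)}]
        if { $usecs > 1000000 } {
            set usecs "999999"
        } else {
            set usecs [format "%06u" $usecs]
        }
        set http_reply_time $secs.$usecs

        # Empty field when the server sent no Content-Length header.
        set content_length ""
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        }

        # Blank the field when no pool member address is known. The original
        # compared the already-joined "addr:port" string with "", which can
        # never be equal because of the colon, so the check was a no-op.
        set lb_addr [LB::server addr]
        if { $lb_addr eq "" } {
            set lb_server ""
        } else {
            set lb_server "$lb_addr:[LB::server port]"
        }

        # Server-supplied values: double embedded quotes to keep the quoted
        # CSV field well-formed.
        set status_code [string map {{"} {""}} [HTTP::status]]
        set content_type [string map {{"} {""}} [HTTP::header "Content-type"]]

        # Server-side 4-tuple as seen from this event's context.
        set serverflow "[IP::local_addr]:[TCP::local_port]"
        append serverflow "-[IP::remote_addr]:[TCP::remote_port]"

        # Record layout: device, flow, reply time, request number, status,
        # content type, content length, pool member, server flow.
        set log_event "neds.f5.http.resp.v1"
        set log_content "\"$::device_id\","
        append log_content "\"$clientflow\","
        append log_content "$http_reply_time,"
        append log_content "[HTTP::request_num],"
        append log_content "\"$status_code\","
        append log_content "\"$content_type\","
        append log_content "\"$content_length\","
        append log_content "\"$lb_server\","
        append log_content "\"$serverflow\""

        # Whole record passed as one argument; destination should be the
        # collector's IP:port rather than a hostname.
        log syslogserver:514 local7.info "\"$log_event\",$log_content"
    }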
  • I am now trying to use the Request Logging profile and am working on sorting out the McAfee parsing.