ASM Automation (API / MySQL)

Question

I'm running ASM 11.6 with EM 3.1.1. (Mainly used for config backup/pushing signatures)  &nbsp;
My syslog feed for security events goes to another group for SIEM processing. &nbsp;
I'm looking to automate some things such as searching for Support ID's for blocked events. &nbsp;
Currently we have to log into multiple devices and search manually because 11.6 no longer writes to /var/log/asm.&nbsp;
Is there a way to automate this search via API/SQL access?  Some other way I'm not thinking of?&nbsp;
I've looked through the API docs and it does not appear that this is available via API.  And I've seen references to accessing the DB directly, but little documentation. &nbsp;

samstep · Answer

Do you really need the API here? or just the ability to the dump the alerts somewhere you can use them?&nbsp;
It is trivial to set up your log publishers in such a way to log locally (be aware of the performance overhead). Or log it remotely to an additional log destination under your control so you can search it for SupportID or insert the log data  into your own database there (this can be done easily with something like Kiwi Syslog - http://www.kiwisyslog.com/help/syslog/action_log_to_odbc_database.htm )&nbsp;
Don't forget that you can always get your /var/log/asm file back by setting ASM system variable "send_content_events" to 1 in Security/Options/Application Security/Advanced Configuration menu.
Beware of the performance impact - there is a reason why F5 has disabled local logging - writing logs to local disk is SLOW, so if you are protecting a high-load website/application you may experience unnecessary latency and CPU increase introduced by local logging.&nbsp;
Hope this helps,&nbsp;
Sam&nbsp;

jstauffacher_11 · Answer

You can enable the ASM REST api. Theres a kb doc on it.&nbsp;

stewartt_232774 · Answer

I did look over the REST API, but I didn't see anything in the docs dealing with ASM Logs.

Forum Discussion

ASM Automation (API / MySQL)

3 Replies

Recent Discussions

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

About AWAF "Redirect URLs" in "Responses and Blocks"

ISP Bandwidth Utilization

Related Content

APIs Everywhere

Adaptive Apps: Automating NGINX Solution Deployments and API Publication - Solution Demo

Automating ACMEv2 Certificate Management on BIG-IP

Automate Let's Encrypt Certificates on BIG-IP

Mitigation of OWASP API Security Risk: Unsafe Consumption of API using F5 XC Platform