Forum Discussion

Pmet_260009
Feb 09, 2017

Arcsight formatted logs from LTM (only)

Hello

 

I have already read many articles regarding remote logging, and especially to Arcsight, which I am trying to make work. I am confused whether you can finally send Arcsight formatted logs from LTM. From some articles it should work; from others it is not supported (only for other modules like ASM).

 

I want to send logs from LTM to the Arcsight server, logs either from the HTTP info, iRules, etc., not only audit logs for example.

 

I have tried the Filter->Publisher->HSL->Arcsight with pool servers, but I don't receive any logs.

 

Is there an updated document for 12.x versions for this? Or is it not possible?

 

Thanks in advance

 

Makis

 

3 Replies

  • From all the documentation I can find on AskF5 (going back to BIG-IP v11.3), "Important: ArcSight formatting is only available for logs coming from Advanced Firewall Manager™ (AFM™), Application Security Manager™ (ASM™), and the Secure Web Gateway component of Access Policy Manager® (APM®)." Here's a link to the Configuring High Speed Logging doc for v12.0: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html

     

  • AndOs

    I was looking into this as well about a year ago, and my findings were the same as crodriguez mentions. There does not seem to be any "native" support in just LTM for ArcSight and CEF output.

    It is possible to send CEF formatted logs over HSL, but you have to manually create the output format to be correct CEF.

    Some useful links I found for formatting the logs as CEF.

    ArcSight Common Event Format (CEF) Guide

    Apache Access Log in CEF

    System Logging: Log Messages Format for your SIEM - RFC 3164 or CEF?

    Also, have a look at this for the available parameters:

    Overview: Configuring a Request Logging profile

    To send CEF from a request profile, this is what we use:

    Request settings / Template:    
    $DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP|||HTTP Request|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent}
    
    Response settings / Template:    
    $DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP||$HTTP_METHOD:$HTTP_STATCODE|HTTP Response|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT deviceSeverity=$HTTP_STATCODE requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent} in=${Content-Length} out=$RESPONSE_SIZE sourceTranslatedAddress=$SNAT_IP sourceTranslatedPort=$SNAT_PORT requestUrlQuery=$HTTP_QUERY cs2=$RESPONSE_MSECS cs2Label=time-taken
    

    Config

    ltm pool arcsight_log_pool {
        members {
            connector1.company.com:514 {
                address 10.10.10.10
            }
        }
    }
    
    ltm profile request-log COMPANY_request_logging_profile {
        app-service none
        defaults-from /Common/request-log
        log-response-by-default yes
        request-log-pool /Common/arcsight_log_pool
        request-log-protocol mds-udp
        request-log-template "$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP|||HTTP Request|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent}"
        request-logging enabled
        response-log-pool /Common/arcsight_log_pool
        response-log-protocol mds-udp
        response-log-template "$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME CEF:0|F5|BIG-IP||$HTTP_METHOD:$HTTP_STATCODE|HTTP Response|Low| src=$CLIENT_IP spt=$CLIENT_PORT dst=$SERVER_IP dpt=$SERVER_PORT deviceSeverity=$HTTP_STATCODE requestMethod=$HTTP_METHOD request=$HTTP_URI requestClientApplication=${User-agent} in=${Content-Length} out=$RESPONSE_SIZE sourceTranslatedAddress=$SNAT_IP sourceTranslatedPort=$SNAT_PORT requestUrlQuery=$HTTP_QUERY cs2=$RESPONSE_MSECS cs2Label=time-taken"
        response-logging enabled
    }
    

    This post has an example of using an irule and remote logging to send CEF. Measuring Response time based on POST and GET Parameters

    /Andreas
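Following on from the templates in Andreas's post, here is an added example (not F5 code, and not from the post) in Python that assembles a CEF line with the escaping the ArcSight CEF guide specifies and splits it back apart the way a collector does. The request-log template substitutes variables such as $HTTP_URI verbatim, so a value containing `=` or `\` (or `|` in the header fields, where the response template places $HTTP_METHOD:$HTTP_STATCODE) will not be escaped; running lines captured from the device through parse_cef below is a quick way to confirm they split into the fields you expect. The `request_event` helper, its field names and all sample values are constructed for the example.

```python
"""Build and parse ArcSight CEF lines with the escaping the CEF spec requires.

Added example for the thread above: it is not F5 code and not part of the
request-log profile.  The BIG-IP template substitutes variables verbatim, so
this shows what a well-formed CEF line looks like and how a collector splits
it back apart.  Field values below are constructed sample data.
"""
import re

CEF_VERSION = 0
_UNESCAPE_RE = re.compile(r"\\(.)")
# key=value pairs; a value runs until the next unescaped "key=" or end of line
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _escape_header(value):
    # Header fields: backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values: backslash and equals sign are reserved; line breaks
    # become literal \n / \r so the event stays on one syslog line.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value):
    return _UNESCAPE_RE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def cef_event(vendor, product, version, signature_id, name, severity, extension):
    """Return the CEF:0 part of a log line (the syslog prefix is added separately).

    `extension` maps CEF dictionary keys (src, dst, requestMethod, ...) to values.
    """
    header = "|".join(_escape_header(f) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def request_event(fields):
    """Mirror the request-log template from the post above (hypothetical helper).

    `fields` uses the BIG-IP variable names without the "$" (CLIENT_IP, ...);
    the mapping to CEF keys is the one the template uses.
    """
    return cef_event("F5", "BIG-IP", "", "", "HTTP Request", "Low", {
        "src": fields["CLIENT_IP"], "spt": fields["CLIENT_PORT"],
        "dst": fields["SERVER_IP"], "dpt": fields["SERVER_PORT"],
        "requestMethod": fields["HTTP_METHOD"], "request": fields["HTTP_URI"],
        "requestClientApplication": fields["User-agent"],
    })


def _split_header(text, maxsplit):
    """Split on unescaped pipes, at most `maxsplit` times (the extension may hold pipes)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])       # keep escape pairs intact
            i += 2
            continue
        if text[i] == "|" and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cef(line):
    """Parse a CEF line the way a collector would; raises on a malformed header."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = _split_header(line, 7)
    if len(fields) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    _, vendor, product, version, sig, name, sev, ext = fields
    return {
        "vendor": _unescape(vendor), "product": _unescape(product),
        "version": _unescape(version), "signature_id": _unescape(sig),
        "name": _unescape(name), "severity": _unescape(sev),
        "extension": {k: _unescape(v) for k, v in _EXT_RE.findall(ext)},
    }


if __name__ == "__main__":
    sample = {  # constructed values, not from a real device
        "CLIENT_IP": "10.1.1.5", "CLIENT_PORT": 51234,
        "SERVER_IP": "192.0.2.10", "SERVER_PORT": 443,
        "HTTP_METHOD": "GET", "HTTP_URI": "/search?q=a=b|c",
        "User-agent": "Mozilla/5.0 (X11; Linux x86_64)",
    }
    line = request_event(sample)
    print(line)
    print(parse_cef(line)["extension"]["request"])
```

To check output from a real profile, strip the "$DATE_MON $DATE_DD $TIME_HMS $BIGIP_HOSTNAME " syslog prefix from a captured line and pass the remainder to parse_cef; a URI or User-Agent that shifts fields or raises will show where the template's unescaped substitution differs from what the collector expects.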

    • Pmet_260009

      Andreas

       

      Thanks for your really detailed answer. I need to read your links and check what logs the device could send. I will reply with my feedback.

       

      Thanks again for your time.

       

      Makis