Investigation/identification of WAF violations from archived F5 ASM security logs
Hi,
In our infrastructure, F5 ASM application events are available only for 2 hrs; logs older than 2 hrs are purged. Please let me know how to identify/investigate violations (e.g. invalid metacharacter) from archived F5 ASM logs.
For example, how do I identify from the logs below which parameter's metacharacter is getting blocked?
<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>7300e85b1979c8-4003000000000000</block><alarm>7702e85b1979c8-4003000000000000</alarm><learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>TE9BRF9QT1JU</name><value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>REVTVF9QT1JU</name><value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation></request-violations></BAD_MSG>
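As an added worked example (not F5 code and not part of the original post), the script below parses BAD_MSG records from an archived log file and reports, per violation, the parameter name, the decoded value and the metacharacter that triggered VIOL_PARAMETER_VALUE_METACHAR. It uses the BAD_MSG record quoted above as its sample input, prefixed with a constructed syslog-style header. Two things it relies on are assumptions, stated in the comments: that the archived lines carry the BAD_MSG XML inline, and that `metachar_index` is the decimal ASCII code of the blocked character (39 is the apostrophe, and an apostrophe is present in both decoded values, which is the consistency check the script performs). Parameter names and values in BAD_MSG are base64-encoded, which is why the raw record does not show them as text.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET

# Sample input: the BAD_MSG record from the post, behind a constructed
# syslog-style prefix of the kind a remote log server would prepend.
SAMPLE_LOG = (
    "Jan 01 12:00:00 bigip1 ASM: "  # constructed prefix, not from the post
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks>"
    "<block>7300e85b1979c8-4003000000000000</block>"
    "<alarm>7702e85b1979c8-4003000000000000</alarm>"
    "<learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging>"
    "</violation_masks><request-violations>"
    "<violation><viol_index>24</viol_index>"
    "<viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>TE9BRF9QT1JU</name>"
    "<value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value>"
    "</parameter_data><staging>0</staging><language_type>4</language_type>"
    "<metachar_index>39</metachar_index></violation>"
    "<violation><viol_index>24</viol_index>"
    "<viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>REVTVF9QT1JU</name>"
    "<value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value>"
    "</parameter_data><staging>0</staging><language_type>4</language_type>"
    "<metachar_index>39</metachar_index></violation>"
    "</request-violations></BAD_MSG>\n"
)

# Assumption: each archived line carries the BAD_MSG XML inline, possibly
# surrounded by other text, so the record is extracted by pattern rather
# than by parsing the whole line as XML.
BAD_MSG_RE = re.compile(r"<BAD_MSG>.*?</BAD_MSG>", re.DOTALL)


def b64_text(encoded):
    """Parameter names and values in BAD_MSG are base64-encoded; return text."""
    raw = base64.b64decode(encoded or "")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # keep non-UTF-8 bytes visible


def metachar_from_index(index):
    """Assumption: metachar_index is the decimal ASCII code of the blocked char."""
    return chr(int(index))


def parse_bad_msg(xml_text):
    """Return one dict per <violation> in a single BAD_MSG record."""
    root = ET.fromstring(xml_text)
    findings = []
    for viol in root.iter("violation"):
        f = {
            "violation": viol.findtext("viol_name"),
            "viol_index": viol.findtext("viol_index"),
            "staging": viol.findtext("staging") == "1",
        }
        pdata = viol.find("parameter_data")
        if pdata is not None:
            f["parameter"] = b64_text(pdata.findtext("name"))
            f["value"] = b64_text(pdata.findtext("value"))
            f["enforcement_level"] = pdata.findtext("enforcement_level")
            f["value_error"] = pdata.find("value_error") is not None
        idx = viol.findtext("metachar_index")
        if idx is not None:
            f["metachar"] = metachar_from_index(idx)
            # Consistency check on the ASCII-code assumption: -1 means the
            # character is not in the decoded value and the assumption failed.
            f["metachar_offset"] = f.get("value", "").find(f["metachar"])
        findings.append(f)
    return findings


def scan_log(text):
    """Extract and parse every BAD_MSG record found in an archived log text."""
    findings = []
    for match in BAD_MSG_RE.finditer(text):
        findings.extend(parse_bad_msg(match.group(0)))
    return findings


def format_finding(f):
    """One-line summary suitable for a triage report."""
    line = f"{f['violation']} (staging={f['staging']})"
    if "parameter" in f:
        line += f" parameter={f['parameter']!r} value={f['value']!r}"
    if "metachar" in f:
        where = (f"at offset {f['metachar_offset']}"
                 if f["metachar_offset"] >= 0 else "NOT FOUND in value")
        line += f" metachar={f['metachar']!r} (ASCII {ord(f['metachar'])}) {where}"
    return line


if __name__ == "__main__":
    # Usage: python asm_badmsg.py archived.log   (no argument: sample input)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in scan_log(text):
        print(format_finding(finding))
```

Run against the sample, it reports that both violations are on parameter values at URL enforcement level, with the apostrophe (ASCII 39) as the blocked metacharacter in `LOAD_PORT` and `DEST_PORT`. The `metachar_offset` field is the check that matters when you apply this to your own archive: if it comes back -1 for a record, the ASCII-code reading of `metachar_index` does not hold for that record and the value should be inspected by hand instead.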