Manual Chapter : Logging Application Security Events

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

Logging Application Security Events

About logging profiles

Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service. Each logging profile can specify local or remote logging, but not both.
You can use one logging profile for Application Security, Protocol Security, Network Firewall, DoS Protection and Bot Defense. The system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. Other logging profiles are included for global-network and local-dos. You can use the system-supplied logging profiles, or you can create a custom logging profile. The system-supplied logging profiles cannot be edited.
The logging profile records requests to the virtual server. By default, when you create a security policy, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.
If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally or remotely. The storage filter determines what information is stored. For remote logging, you can send logging files for storage on a remote system (in CSV format), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not handled by F5 Networks.

How to use multiple logging profiles

You can assign multiple logging profiles to one virtual server. Here are some examples of how to use multiple logging profiles:

Log Illegal Requests locally, All requests remotely

You can log all requests locally using just one logging profile. But you can save resources by logging illegal requests locally and logging all requests remotely. You would create two logging profiles:
  • Local storage with illegal requests
  • Remote storage of all requests

Multiple SIEM Systems

If your company uses multiple security information and event management (SIEM) systems to collect logs and other security related information (for example, Splunk and ArcSight), you could set up three logging profiles.
  • Local storage with illegal requests
  • Remote filter in Splunk format (user-defined format with Splunk field names).
  • Remote filter in Arcsight format (user-defined format with ArcSight field names)

Creating a logging profile for local storage

You can create a custom logging profile to log application security events locally on the BIG-IP system.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the profile.
  4. Select the
    Application Security
    check box.
    The screen displays additional fields.
  5. On the Application Security tab, for
    Configuration
    , select
    Advanced
    .
  6. In the
    Storage Destination
    list, be sure that
    Local Storage
    is selected.
  7. Optional: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the
    Guarantee Local Logging
    check box.
  8. From the
    Response Logging
    list, select one of the following options.
    Option
    Description
    Off
    Do not log responses.
    For Illegal Requests Only
    Log responses for illegal requests.
    For All Requests
    Log responses for all requests. Used when the Storage Filter
    Request Type
    is set to
    All Requests
    . (Otherwise, logs only illegal requests.)
    By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
  9. To further specify the types of requests that the system or server logs, set up the Storage Filter. From the
    Request Type
    list, select one of the following options.
    Option
    Description
    Illegal requests only
    Log illegal requests only.
    Illegal requests, and requests that include staged attack signatures
    Log illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).
    All requests
    Log all requests.
    To further filter what gets logged, use the Advanced storage filter options.
  10. Click
    Finished
    .
When you store the logs locally, the logging utility may compete for system resources. Using the
Guarantee Local Logging
setting ensures that the system logs the requests in this situation, but may result in a performance reduction in high-volume traffic applications.
After creating the logging profile, you need to associate it with the virtual server used by the security policy. You can associate only one local logging profile with the virtual server.

Setting up remote logging

To set up remote logging for Application Security Manager, you need to have created a logging profile with Application Security enabled.
You can configure a custom logging profile to log application security events remotely on syslog or other reporting servers.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the profile.
  4. Select the
    Application Security
    check box.
    The screen displays additional fields.
  5. On the Application Security tab, for
    Configuration
    , select
    Advanced
    .
  6. From the
    Storage Destination
    list, select
    Remote Storage
    .
    Additional fields related to remote logging are displayed.
  7. From the
    Logging Format
    list, select the appropriate type:
    • To store traffic on a remote logging server in CSV format, select
      Comma Separated Values
      .
    • To store traffic on a reporting server (such as Splunk) using a preconfigured storage format with key-value pairs in the log messages, select
      Key-Value Pairs
      .
    • If your network uses ArcSight logs, select
      Common Event Format (ArcSight)
      . Log messages are in Common Event Format (CEF).
    • To store logs on the BIG-IQ system, select
      BIG-IQ
      .
  8. For the
    Protocol
    setting, select the protocol that the remote storage server uses:
    TCP
    (the default setting),
    TCP-RFC3195
    , or
    UDP
    .
  9. For
    Server Addresses
    , specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type the
    IP Address
    ,
    Port
    (default is
    514
    ), and click
    Add
    .
  10. If using the
    Comma-Separated Values
    logging format, for
    Facility
    , you can optionally select the facility category of the logged traffic. The possible values are
    LOG_LOCAL0
    through
    LOG_LOCAL7
    .
    If you have more than one security policy you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
  11. If you are using the
    Comma-Separated Values
    logging format, in the
    Storage Format
    setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
    1. To determine how the log appears, select
      Field-List
      to display the items in the
      Selected Items
      list in CSV format with a delimiter you specify; select
      User-Defined
      to display the items in the
      Selected Items
      list in addition to any free text you type in the
      Selected Items
      list.
    2. To specify which items appear in the log, move items from the
      Available Items
      list into the
      Selected Items
      list.
    3. To control the order in which predefined items appear in the server logs, select an item in the
      Selected Items
      list, and click the
      Up
      or
      Down
      button.
  12. If you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends, select
    Report Detected Anomalies
    .
  13. To further specify the types of requests that the system or server logs, set up the Storage Filter. From the
    Request Type
    list, select one of the following options.
    Option
    Description
    Illegal requests only
    Log illegal requests only.
    Illegal requests, and requests that include staged attack signatures
    Log illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).
    All requests
    Log all requests.
    To further filter what gets logged, use the Advanced storage filter options.
  14. Click
    Finished
    .
When you create a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote systems.
Next, you need to associate the logging profile with the virtual server used by the security policy.

Associating a logging profile with a security policy

A logging profile determines where events are logged and what details are included. By default, when you create a security policy, the system associates the Log Illegal Requests profile with the virtual server used by the policy. You can change which logging profile is associated with the security policy or assign a new one to the virtual server.
  1. Click
    Local Traffic
    Virtual Servers
  2. Click the name of the virtual server used by the security policy.
    The system displays the general properties of the virtual server.
  3. From the Security menu, choose Policies.
    The system displays the policy settings for the virtual server.
  4. Ensure that the
    Application Security Policy
    setting is
    Enabled
    , and that
    Policy
    is set to the security policy you want.
  5. For the
    Log Profile
    setting:
    1. Check that it is set to
      Enabled
      .
    2. From the
      Available
      list, select the profile to use for the security policy, and move it into the
      Selected
      list.
    You can assign only one local logging profile to a virtual server, but it can have multiple remote logging profiles.
  6. Click
    Update
    .
Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.

About logging responses

If you enable response logging in the logging profile, the system can log only responses that include the following content headers:
  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"
  • "application/soap+xml"
  • "application/json"
The system cannot log other responses.

About ArcSight log message format

If your network uses ArcSight logs, you can create a logging profile so that the log information is saved using the appropriate format. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).
The basic format is:
CEF:Version|Device Vendor|Device Product|Device Version |Device Event Class ID|Name|Severity|Extension

About syslog request format

Application Security Manager can log security events to the
/var/log/asm
file on the system if you need to. Logging to this file is off by default. You can turn the logging on using the
send_content_events
system variable from the command line, or on the System Variables screen:
Security
Options
Application Security
Advanced Configuration
System Variables
.
F5 recommends enabling the
send_content_events
parameter only for troubleshooting purposes due to a potential decrease in performance.
Here is the format of the syslog request followed by descriptions of the fields:
<Rejection Description> <Request Violation> <Support ID> <Source IP> <XFF IP> <Source Port> <Destination IP> <Destination Port> <Route Domain> <HTTP Classifier> <Scheme> <Geographic Location> <Request> <Username> <Session ID> <Violation Rating>
Field
What it contains
Rejection Description
Empty unless the request is blocked by the security policy.
Request Violations
A comma separated list of the violations that occurred during enforcement of the request or response.
Support ID
An ID number assigned to the request by the system to allow the system administrator to track it.
Source IP
The IP address from which the request originated.
XFF IP
The X-Forwarded-For (XFF) IP address located in the XFF header and which represents the end client's IP address.
Source Port
The port from which the request originated.
Destination IP
The IP address to which the request is sent, generally, the virtual server IP address.
Destination Port
The port to which the request is sent.
Route Domain
The route domain (network traffic segment) where the request originated.
HTTP Classifier
The name of the ASM security policy.
Scheme
Whether the request was made using HTTP or HTTPS.
Geographic Location
The two-letter country code of origin based on the source IP address.
Request
The actual request made including headers (up to 128 bytes).
Username
Name of the user associated with the request.
Session ID
ID number assigned to the request to allow the system administrator to track requests by session.
Violation Rating
Rating between 1 and 5 that ranks the severity of any violations associated with the request. 1 is most likely a false positive and 5 is most likely an attack.

Filtering logging information

The storage filter of an application security logging profile determines the type of requests the system or server logs. You can create a custom storage filter for a logging profile so that the event logs include the exact information you want to see.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. In the Profile Name column, click the logging profile name for which you want to set up the filter.
    This profile must be one that you created and not one of the system-supplied profiles, which cannot be edited.
    The Edit Logging Profile screen opens.
  3. From the
    Storage Filter
    list, select
    Advanced
    .
    The screen displays additional settings.
  4. For the
    Logic Operation
    setting, specify the filter criteria to use.
    Option
    Description
    OR
    Select this operator to log the data that meets one or more of the criteria.
    AND
    Select this operator to log the data that meets all of the criteria.
  5. For the
    Request Type
    setting, select the requests that you want the system to store in the log,
    All Requests
    or
    Illegal Requests Only
    .
  6. For the
    Protocols
    setting, select whether logging occurs for both HTTP and HTTPS protocols or a specific protocol.
  7. For the
    Response Status Codes
    setting, select whether logging occurs for all response status codes or only for specific ones.
  8. For the
    HTTP Methods
    setting, select whether logging occurs for all methods or only for specific ones.
  9. For the
    Request Containing String
    setting, select whether the request logging is for any string or dependent on a specific string that you specify.
  10. Click
    Update
    .
The system logs application security data that meets the criteria specified in the storage filter.

Viewing application security logs

You can view locally stored system logs for the Application Security Manager on the BIG-IP system. These are the logs that include general system events and user activity.
If you prefer to review the log data from the command line, you can find the application security log data in the
/var/log/asm
file.
  1. Click
    System
    Logs
  2. Click
    Application Security
    .
The system displays application security data that meets the criteria specified in the logging profile.