Manual Chapter :
Logging Application Security Events
Applies To:
Show VersionsBIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Logging Application Security Events
About logging profiles
Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service. Each logging profile can specify local or remote logging, but not both.
You can use one logging profile for Application Security, Protocol Security, Network Firewall, DoS Protection and Bot Defense. The system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. Other logging profiles are included for global-network and local-dos. You can use the system-supplied logging profiles, or you can create a custom logging profile. The system-supplied logging profiles cannot be edited.
Application Security and Protocol Security should not be enabled simultaneously in logging profile configuration.
The logging profile records requests to the virtual server. By default, when you create a security policy, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.
If running Application Security Manager™ on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally or remotely. The storage filter determines what information is stored. For remote logging, you can send logging files for storage on a remote system (in CSV format), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not handled by F5 Networks.
How to use multiple logging profiles
You can assign multiple logging profiles to one virtual server. Here are some examples of how
to use multiple logging profiles:
Log Illegal Requests locally, All requests remotely
You can log all requests locally using just one logging profile. But you can save resources by
logging illegal requests locally and logging all requests remotely. You would create two logging
profiles:
- Local storage with illegal requests
- Remote storage of all requests
Multiple SIEM Systems
If your company uses multiple security information and event management (SIEM) systems to collect
logs and other security related information (for example, Splunk and ArcSight), you could set up
three logging profiles.
- Local storage with illegal requests
- Remote filter in Splunk format (user-defined format with Splunk field names).
- Remote filter in Arcsight format (user-defined format with ArcSight field names)
Creating a logging profile for local storage
You can create a custom logging profile to log application security events locally
on the BIG-IP system.
- On the Main tab, click.The Logging Profiles list screen opens.
- ClickCreate.The Create New Logging Profile screen opens.
- In theProfile Namefield, type a unique name for the profile.
- Select theApplication Securitycheck box.The screen displays additional fields.
- On the Application Security tab, forConfiguration, selectAdvanced.
- In theStorage Destinationlist, be sure thatLocal Storageis selected.
- Optional: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select theGuarantee Local Loggingcheck box.
- From theResponse Logginglist, select one of the following options.OptionDescriptionOffDo not log responses.For Illegal Requests OnlyLog responses for illegal requests.For All RequestsLog responses for all requests. Used when the Storage FilterRequest Typeis set toAll Requests. (Otherwise, logs only illegal requests.)By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
- To further specify the types of requests that the system or server logs, set up the Storage Filter. From theRequest Typelist, select one of the following options.OptionDescriptionIllegal requests onlyLog illegal requests only.Illegal requests, and requests that include staged attack signaturesLog illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).All requestsLog all requests.To further filter what gets logged, use the Advanced storage filter options.
- ClickFinished.
When you store the logs locally, the logging utility may compete for system
resources. Using the
Guarantee Local Logging
setting ensures
that the system logs the requests in this situation, but may result in a performance
reduction in high-volume traffic applications.After creating the logging profile,
you need to associate it with the virtual server used by the security policy. You can
associate only one local logging profile with the virtual server.
Setting up remote logging
To set up remote logging for Application Security Manager, you
need to have created a logging profile with Application Security enabled.
You can configure a custom logging profile to log application security events
remotely on syslog or other reporting servers.
- On the Main tab, click.The Logging Profiles list screen opens.
- ClickCreate.The Create New Logging Profile screen opens.
- In theProfile Namefield, type a unique name for the profile.
- Select theApplication Securitycheck box.The screen displays additional fields.
- On the Application Security tab, forConfiguration, selectAdvanced.
- From theStorage Destinationlist, selectRemote Storage.Additional fields related to remote logging are displayed.
- From theLogging Formatlist, select the appropriate type:
- To store traffic on a remote logging server in CSV format, selectComma Separated Values.
- To store traffic on a reporting server (such as Splunk) using a preconfigured storage format with key-value pairs in the log messages, selectKey-Value Pairs.
- If your network uses ArcSight logs, selectCommon Event Format (ArcSight). Log messages are in Common Event Format (CEF).
- To store logs on the BIG-IQ system, selectBIG-IQ.
- For theProtocolsetting, select the protocol that the remote storage server uses:TCP(the default setting),TCP-RFC3195, orUDP.
- ForServer Addresses, specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type theIP Address,Port(default is514), and clickAdd.
- If using theComma-Separated Valueslogging format, forFacility, you can optionally select the facility category of the logged traffic. The possible values areLOG_LOCAL0throughLOG_LOCAL7.If you have more than one security policy you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
- If you are using theComma-Separated Valueslogging format, in theStorage Formatsetting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
- To determine how the log appears, selectField-Listto display the items in theSelected Itemslist in CSV format with a delimiter you specify; selectUser-Definedto display the items in theSelected Itemslist in addition to any free text you type in theSelected Itemslist.
- To specify which items appear in the log, move items from theAvailable Itemslist into theSelected Itemslist.
- To control the order in which predefined items appear in the server logs, select an item in theSelected Itemslist, and click theUporDownbutton.
- If you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends, selectReport Detected Anomalies.
- To further specify the types of requests that the system or server logs, set up the Storage Filter. From theRequest Typelist, select one of the following options.OptionDescriptionIllegal requests onlyLog illegal requests only.Illegal requests, and requests that include staged attack signaturesLog illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).All requestsLog all requests.To further filter what gets logged, use the Advanced storage filter options.
- ClickFinished.
When you create a logging profile for remote storage, the system stores the data for
the associated security policy on one or more remote systems.
Next, you need to associate the
logging profile with the virtual server used by the security policy.
Associating a
logging profile with a security policy
A logging profile determines where events are
logged and what details are included. By default, when you create a security policy, the
system associates the Log Illegal Requests profile with the virtual server used by the
policy. You can change which logging profile is associated with the security policy or
assign a new one to the virtual server.
- Click
- Click the name of the virtual server used by the security policy.The system displays the general properties of the virtual server.
- From the Security menu, choose Policies.The system displays the policy settings for the virtual server.
- Ensure that theApplication Security Policysetting isEnabled, and thatPolicyis set to the security policy you want.
- For theLog Profilesetting:
- Check that it is set toEnabled.
- From theAvailablelist, select the profile to use for the security policy, and move it into theSelectedlist.
You can assign only one local logging profile to a virtual server, but it can have multiple remote logging profiles. - ClickUpdate.
Information related to traffic controlled by the security policy
is logged using the logging profile or profiles specified in the virtual server.
About logging
responses
If you enable response logging in the logging profile, the system can log
only responses that include the following content headers:
- "text/..."
- "application/x-shockwave-flash"
- "application/sgml"
- "application/x-javascript"
- "application/xml"
- "application/x-asp"
- "application/x-aspx"
- "application/xhtml+xml"
- "application/soap+xml"
- "application/json"
The system cannot log other responses.
About ArcSight log
message format
If your network uses ArcSight logs, you can create a logging profile so that
the log information is saved using the appropriate format. Application Security Manager stores
all logs on a remote logging server using the predefined ArcSight settings for the logs. The log
messages are in Common Event Format (CEF).
The basic format is:
CEF:Version|Device Vendor|Device Product|Device Version |Device Event Class ID|Name|Severity|Extension
About syslog request format
Application Security Manager™ can log security events to the
/var/log/asm
file on the system if you need to. Logging to this file is off
by default. You can turn the logging on using the send_content_events
system
variable from the command line, or on the System Variables screen: .F5 recommends enabling the
send_content_events
parameter only
for troubleshooting purposes due to a potential decrease in performance.Here is the format of the syslog request followed by descriptions of the fields:
<Rejection Description> <Request Violation> <Support ID> <Source IP> <XFF IP> <Source Port> <Destination IP> <Destination Port> <Route Domain> <HTTP Classifier> <Scheme> <Geographic Location> <Request> <Username> <Session ID> <Violation Rating>
Field |
What it contains |
---|---|
Rejection Description |
Empty unless the request is blocked by the security policy. |
Request Violations |
A comma separated list of the violations that occurred during enforcement of the
request or response. |
Support ID |
An ID number assigned to the request by the system to allow the system administrator to
track it. |
Source IP |
The IP address from which the request originated. |
XFF IP |
The X-Forwarded-For (XFF) IP address located in the XFF header and which represents the
end client's IP address. |
Source Port |
The port from which the request originated. |
Destination IP |
The IP address to which the request is sent, generally, the virtual server IP
address. |
Destination Port |
The port to which the request is sent. |
Route Domain |
The route domain (network traffic segment) where the request originated. |
HTTP Classifier |
The name of the ASM security policy. |
Scheme |
Whether the request was made using HTTP or HTTPS. |
Geographic Location |
The two-letter country code of origin based on the source IP address. |
Request |
The actual request made including headers (up to 128 bytes). |
Username |
Name of the user associated with the request. |
Session ID |
ID number assigned to the request to allow the system administrator to track requests
by session. |
Violation Rating |
Rating between 1 and 5 that ranks the severity of any violations associated with the
request. 1 is most likely a false positive and 5 is most likely an attack. |
Filtering logging information
The storage filter of an application security logging profile determines the type
of requests the system or server logs. You can create a custom storage filter for a
logging profile so that the event logs include the exact information you want to see.
- On the Main tab, click.The Logging Profiles list screen opens.
- In the Profile Name column, click the logging profile name for which you want to set up the filter.This profile must be one that you created and not one of the system-supplied profiles, which cannot be edited.The Edit Logging Profile screen opens.
- From theStorage Filterlist, selectAdvanced.The screen displays additional settings.
- For theLogic Operationsetting, specify the filter criteria to use.OptionDescriptionORSelect this operator to log the data that meets one or more of the criteria.ANDSelect this operator to log the data that meets all of the criteria.
- For theRequest Typesetting, select the requests that you want the system to store in the log,All RequestsorIllegal Requests Only.
- For theLog Challenge Failure Requestssetting, select if you want to log requests that failed a challenge.
- For theProtocolssetting, select whether logging occurs for all protocols or only for specific ones.
- For theResponse Status Codessetting, select whether logging occurs for all response status codes or only for specific ones.
- For theHTTP Methodssetting, select whether logging occurs for all methods or only for specific ones.
- For theRequest Containing Stringsetting, select whether the request logging is for any string or dependent on a specific string that you specify.
- ClickUpdate.
The system logs application security data that meets the criteria specified in the
storage filter.
Viewing application security logs
You can view locally stored system logs for the Application
Security Manager on the BIG-IP system. These are the logs
that include general system events and user activity.
If you prefer to
review the log data from the command line, you can find the application security log
data in the
/var/log/asm
file.- Click
- ClickApplication Security.
The system displays application security data that meets the criteria specified in
the logging profile.