Manual Chapter : Configuring Application Security Event Logging

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

About logging profiles

Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs screens, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service.

You can use one logging profile for Application Security, Protocol Security, Advanced Firewall, and DoS Protection. By default, the system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. You can use the system-supplied logging profiles, or you can create a custom logging profile.

The logging profile records requests to the virtual server. By default when you create a security policy using the Deployment wizard, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.

Note: If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.

A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally and/or remotely. The storage filter determines what information gets stored. For remote logging, you can send logging files for storage on a remote system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not the responsibility of F5 Networks.

Creating a logging profile

You can create a custom logging profile to log application security events.
  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
  2. Click Create. The New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select the Application Security check box. The screen displays additional fields.
  5. On the Application Security tab, for Configuration, select Advanced.
  6. By default, logs are stored locally. The Local Storage check box is selected and cannot be cleared unless you enable Remote Storage to store logs remotely. This prevents you from creating a logging profile that does not log any traffic.
    • To store logs locally only, leave the Local Storage check box selected.
    • To store logs remotely, select the Remote Storage check box.
    • To store logs both places, select both check boxes.
  7. Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
  8. From the Response Logging list, select one of the following options.
    Option Description
    Off Do not log responses.
    For Illegal Requests Only Log responses for illegal requests.
    For All Requests Log responses for all requests. when the Storage Filter Request Type is set to All Requests. (Otherwise, logs only illegal requests.)
    By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
  9. By default, the system logs all requests. To limit the type of requests that the system or server logs, set up the Storage Filter.
  10. If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging.

When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications.

Setting up remote logging

To set up remote logging, you need to have created a logging profile.
You can configure a custom logging profile to log application security events remotely on syslog or reporting servers.
  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
  2. Click the name of the logging profile for which you want to set up remote logging.
  3. Select the Remote Storagecheck box.
  4. From the Remote Storage Type list, select the appropriate type:
    • To store traffic on a remote logging server like syslog, select Remote. Messages are in syslog format.
    • To store traffic on a reporting server (for example, Splunk) using a pre-configured storage format, select Reporting Server. Key/value pairs are used in the log messages.
    • If your network uses ArcSight logs, select ArcSight. Log messages are in Common Event Format (CEF).
  5. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
  6. If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging. The selected protocol applies to all remote server settings on this screen, including all server IP addresses.
  7. For Server Addresses, specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type the IP Address, Port Number (default is 514), and click Add.
  8. If using the Remote storage type, for Facility, select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
    Tip: If you have more than one security policy you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
  9. If using the Remote storage type, in the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
    1. To determine how the log appears, select Field-List to display the items in the Selected Items list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected Items list in addition to any free text you type in the Selected Items list.
    2. To specify which items appear in the log, move items from the Available Items list into the Selected Items list.
    3. To control the order in which predefined items appear in the server logs, select an item in the Selected Items list, and click the Up or Down button.
  10. For Maximum Query String Size, specify how much of a request the server logs.
    • To log the entire request, select Any.
    • To limit the number of bytes that are logged per request, select Length and type the maximum number of bytes to log.
  11. For Maximum Entry Length, specify how much of the entry length the server logs. The default length is 1K for remote servers that support UDP, and 2K for remote servers that support TCP and TCP-RFC3195. You can change the default maximum entry length for remote servers that support TCP.
  12. If you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends, select Report Detected Anomalies
  13. In the Storage Filter area, make any changes as required.
  14. Click Update (or Finished, whichever is appropriate).
When you create a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote systems. The system stores the data in Comma Separated Value (CSV) format or another format that you defined.

Associating a logging profile with a security policy

A logging profile records requests to the virtual server. By default when you create a security policy, the system associates the Log Illegal Requests profile with the virtual server used by the policy. You can change which logging profile is associated with the security policy or assign a new one by editing the virtual server.
  1. Click Local Traffic > Virtual Servers
  2. Click the name of the virtual server used by the security policy. The system displays the general properties of the virtual server.
  3. From the Security menu, select Policies. The system displays the policy settings for the virtual server.
  4. Ensure that the Application Security Policy setting is Enabled and that Policy is set to the security policy you want.
  5. For Log Profile,
    1. Check that it is set to Enabled.
    2. From the Available list, select the profile to use for the security policy, and move it into the Selected list.
  6. Click Update.

Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.

About logging responses

If you enable response logging in the logging profile, the system can log only responses that include the following content headers:

  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"
  • "application/soap+xml"
  • "application/json"

The system cannot log other responses.

About ArcSight log message format

If your network uses ArcSight logs, you can create a logging profile so that the log information is saved using the appropriate format. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).

The basic format is:

CEF:Version|Device Vendor|Device Product|Device Version |Device Event Class ID|Name|Severity|Extension

Filtering logging information

The storage filter of an application security logging profile determines the type of requests the system or server logs. By default, the system logs illegal requests only. You can create a custom storage filter for a logging profile so that the event logs include the exact information you want to see.
  1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
  2. In the Profile Name column, click the logging profile name for which you want to set up the filter.
    Note: This profile must be one that you created and not one of the system-supplied profiles, which cannot be edited.
    The Edit Logging Profile screen opens.
  3. From the Storage Filter list, select Advanced. The screen displays additional settings.
  4. For the Logic Operation setting, specify the filter criteria to use.
    Option Description
    OR Select this operator to log the data that meets one or more of the criteria.
    AND Select this operator to log the data that meets all of the criteria.
  5. For the Request Type setting, select the requests that you want the system to store in the log, All Requests or Illegal Requests Only.
  6. For the Protocols setting, select whether logging occurs for both HTTP and HTTPS protocols or a specific protocol.
  7. For the Response Status Codes setting, select whether logging occurs for all response status codes or only for specific ones.
  8. For the HTTP Methods setting, select whether logging occurs for all methods or only for specific ones.
  9. For the Request Containing String setting, select whether the request logging is for any string or dependent on a specific string that you specify.
  10. Click Update.

The system logs application security data that meets the criteria specified in the storage filter.

Viewing application security logs

You can view locally stored system logs for the Application Security Manager on the BIG-IP system. These are the logs that include general system events and user activity.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm file.
  1. Click System > Logs
  2. Click Application Security.

The system displays application security data that meets the criteria specified in the logging profile.