Event logging in F5 ASM

Updated: Jan 11

Configuring Event Logging in BIG-IP ASM

In this article, we will explore the importance and configuration of event logging in BIG-IP ASM (Application Security Manager). While event logging might not seem exciting, it plays a critical role in identifying and preventing cyber threats. System logs often capture signs of malicious activity, making proactive log review an essential part of security management.


Logging Profiles

Logging profiles in BIG-IP ASM define how and where the system stores application request data.

  • Pre-11.3.0 Versions: Logging profiles were associated with a security policy.

  • Version 11.3.0 and Later: Logging profiles are now associated with virtual servers.


Logging Profile Options

  • Profile Source: Create your own profile or use the system-supplied profiles.

  • Storage Options: Log data locally, remotely, or both.

  • Data Selection: Choose to log all requests, only illegal requests, etc.


Creating a Logging Profile

  1. Navigate to: Security → Event Logs → Logging Profiles

  2. Click on the "Create" button.

  3. Configure the Profile:

    • Provide a name (e.g., "Test_Log_Profile").

    • Enable logging for Application Security, Protocol Security, and/or Denial of Service Protection.

    • Select Local Storage and set filters (e.g., Illegal Requests Only).

Once the profile is created, it can be linked to a virtual server.


Associating the Profile with a Virtual Server

  1. Navigate to: Local Traffic → Virtual Servers → Virtual Server List

  2. Select the virtual server to configure.

  3. Go to: Security → Policies

  4. Move the logging profile from "Available" to "Selected".

    If multiple profiles are enabled, ASM applies the top profile in the list first.



Viewing Log Files

Command Line Access

ASM log data is stored in /var/log/asm. Use standard shell commands to view it:

  • cat /var/log/asm – View the full log.

  • tail -f /var/log/asm – Monitor logs in real-time.

  • grep "pattern" /var/log/asm – Filter logs by keywords.

  • more /var/log/asm – View logs page-by-page.

GUI Access

  1. Navigate to: Security → Event Logs → Application → Requests

  2. View Details:

    • Request Details

    • HTTP Request

    • HTTP Response (if response logging is enabled)

    Response logging is often disabled to conserve storage due to high data volume.

Configuring Remote Storage

BIG-IP ASM supports storing log data on remote servers. In the Advanced Configuration of the logging profile, choose one of the following:

  1. Remote – Logs data to a remote syslog server.

  2. Reporting Server – Uses a preconfigured storage format.

  3. ArcSight – Sends logs in Common Event Format (CEF) to ArcSight systems.
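
When events are sent in CEF (the ArcSight option above), the receiving side has to parse each record before it can filter the way grep does locally. The following is an added example, not code from the original article or from F5: a minimal CEF parser that honours the format's escaping rules and counts blocked requests per client. The sample lines, host name, signature IDs and the act=blocked value are constructed assumptions; src, act and request are standard CEF extension keys.

```python
import re
from collections import Counter

HEADER = "version vendor product device_version signature_id name severity".split()
# An extension key starts the string or follows a space, and ends at "=".
KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\[\]-]+)=")

def _unescape(text):
    # Undo CEF escaping: \| \= \\ plus the \n and \r newline markers.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)

def _split_header(body):
    # Cut at the first seven unescaped pipes; the remainder is the extension.
    parts, cur, i = [], "", 0
    while i < len(body) and len(parts) < 7:
        if body[i] == "\\" and i + 1 < len(body):
            cur, i = cur + body[i:i + 2], i + 2   # keep escaped pair intact
        elif body[i] == "|":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + body[i], i + 1
    return parts, body[i:]

def parse_cef(line):
    """Return a dict for one syslog line carrying CEF, or None if malformed."""
    start = line.find("CEF:")   # skip whatever syslog prefix precedes the record
    parts, ext = _split_header(line[start + 4:]) if start >= 0 else ([], "")
    if len(parts) < 7:
        return None  # truncated header: do not guess at missing fields
    event = {k: _unescape(v) for k, v in zip(HEADER, parts)}
    keys = list(KEY_RE.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    event["ext"] = {m[1]: _unescape(ext[m.end():e].rstrip())
                    for m, e in zip(keys, ends)}
    return event

def blocked_by_source(lines):
    """Count blocked events per client address, skipping unparseable lines."""
    events = filter(None, map(parse_cef, lines))
    return Counter(e["ext"].get("src", "?") for e in events
                   if e["ext"].get("act") == "blocked")

# Constructed sample lines (not real ASM output); all values are invented
# for illustration, including the truncated third record.
SAMPLE = [
    r"Jan 11 10:02:11 bigip1 ASM:CEF:0|F5|ASM|x.y|sig-1|Constructed\|violation|5|src=192.0.2.10 request=/login?next\=/home page act=blocked",
    r"Jan 11 10:02:14 bigip1 ASM:CEF:0|F5|ASM|x.y|sig-2|Constructed alert|3|src=198.51.100.7 request=/ act=alerted",
    r"Jan 11 10:02:15 bigip1 ASM:CEF:0|F5|ASM|x.y|sig-1",
]
```

Calling blocked_by_source(SAMPLE) counts only the first record: the second was not blocked and the third is rejected as truncated rather than partially parsed.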


Integration with Log Management Tools

Popular tools like Splunk can be used for remote log management. Splunk offers a dedicated app for F5 BIG-IP, making it easier to organize and analyze logs.

By properly configuring logging in BIG-IP ASM, you can effectively monitor security events and detect potential threats. Event logging is a foundational part of proactive cybersecurity.

Stay tuned for more articles on optimizing BIG-IP ASM and other security solutions!
