Manual Chapter: Remote Logging Formats for Anomalies

The Application Security Manager reports transactions and violations (in a configurable format), and it can also report anomalies that have occurred. You specify what gets logged, and where the log is stored, by creating a logging profile.
When you create a logging profile, you can specify that you want to store information on a remote logging server and report detected anomalies. If you choose to report detected anomalies, the system sends a report string to the remote system log when a brute force attack, Denial of Service (DoS) attack, IP Enforcer attack, or web scraping attack starts, ends, or is ongoing.
The remote storage logging formats for anomalies are predefined and are described in this appendix. There are different formats for DoS and brute force, for IP Enforcer, and for web scraping anomalies.
Figure G.1 shows the remote logging format that the system uses for DoS and brute force anomalies when you select Reporting Server as the remote storage type.
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s",attack_id="%llu",attack_status="%s",operation_mode="%s",detection_mode="%s",detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s",date_time="%s",severity="%s"
Table G.1 describes the fields in the remote logging format for DoS and brute force anomalies on reporting servers. The field descriptions from that table are:
- BIG-IP® system host name
- TPS Increased or Latency Increased (related to DoS attacks) or Number of Failed Logins Increased (related to brute force attacks)
- One of the following: Source IP-Based Client Side Integrity Defense, URL-Based Client Side Integrity Defense, Source IP-Based Rate Limiting, URL-Based Rate Limiting, Transparent
- Comma-separated list of attacker IP addresses in the format client_ip_addr:geo_location:drops_counter
- Comma-separated list of attacked URLs in the format client_ip_addr:geo_location:drops_counter
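The Reporting Server format is a flat list of key="value" pairs, and ip_list packs three values per attacker (address, geo location, drops counter). The Python below is an added example of a consumer for that format; it is not code from the F5 manual or from the ASM product. The sample line, its field values (including the attack_status and operation_mode strings) and the helper names are constructed for illustration. It goes one step beyond the page by also accepting IPv6 addresses inside ip_list, which is why the entries are split only on their last two colons.

```python
import re
from typing import Dict, List, Tuple

# Regex for the key="value" pairs of the Reporting Server format (Figure G.1).
# Values are double-quoted and, in this format, contain no embedded quotes.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields the format string declares as numeric (%llu / %ld).
_NUMERIC_FIELDS = ("attack_id", "detection_average")


def parse_reporting_server_line(line: str) -> Dict[str, object]:
    """Parse one DoS / brute-force anomaly line in Reporting Server format.

    Any syslog prefix before the first key="value" pair is ignored, because
    findall only picks up the quoted pairs themselves.
    """
    record: Dict[str, object] = {}
    for key, value in _KV_RE.findall(line):
        record[key] = int(value) if key in _NUMERIC_FIELDS and value else value
    return record


def parse_ip_list(value: str) -> List[Tuple[str, str, int]]:
    """Split ip_list ("client_ip_addr:geo_location:drops_counter,...") into tuples.

    rsplit with maxsplit=2 keeps IPv6 addresses (which contain colons) intact:
    only the last two colons separate geo_location and drops_counter.
    """
    entries: List[Tuple[str, str, int]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # an empty list is rendered as ip_list=""
        parts = item.rsplit(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed ip_list entry: {item!r}")
        ip, geo, drops = parts
        entries.append((ip, geo, int(drops)))
    return entries


def total_drops(record: Dict[str, object]) -> int:
    """Sum drops_counter over every attacker listed in the record's ip_list."""
    return sum(drops for _, _, drops in parse_ip_list(str(record.get("ip_list", ""))))


# Constructed sample line (not a real capture); all values are illustrative.
SAMPLE_LINE = (
    'unit_hostname="bigip1.example.com",management_ip_address="192.0.2.10",'
    'web_application_name="shop_app",policy_name="shop_policy",'
    'policy_apply_date="2013-05-01 10:00:00",anomaly_attack_type="TPS Increased",'
    'uri="/login",attack_id="1234567890",attack_status="ongoing",'
    'operation_mode="blocking",detection_mode="TPS Increased",'
    'detection_average="250",current_mitigation="Source IP-Based Rate Limiting",'
    'ip_list="198.51.100.7:US:42,2001:db8::1:DE:17",url_list="",'
    'date_time="2013-05-01 10:05:00",severity="Critical"'
)

if __name__ == "__main__":
    rec = parse_reporting_server_line(SAMPLE_LINE)
    print(rec["anomaly_attack_type"], "/", rec["current_mitigation"])
    for ip, geo, drops in parse_ip_list(str(rec["ip_list"])):
        print(f"{ip:20} {geo:3} {drops:6}")
    print("total drops:", total_drops(rec))
```

The numeric fields are converted according to the format specifiers the page gives (%llu for attack_id, %ld for detection_average); everything else stays a string so that values such as policy_apply_date are not reinterpreted.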
Figure G.2 shows the remote logging format that the system uses for anomalies when you select ArcSight as the remote storage type.
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests
Table G.2 describes the fields in the remote logging format for DoS and brute force anomalies when you are using the ArcSight® format. The field descriptions from that table are:
- One of the following: Source IP-Based Client Side Integrity Defense, URL-Based Client Side Integrity Defense, Source IP-Based Rate Limiting, URL-Based Rate Limiting, Transparent
- TPS Increased or Latency Increased (related to DoS attacks) or Number of Failed Logins Increased (related to brute force attacks)
- Number of dropped requests since the number was last reported (delta value for the drops counter)
Figure G.3 shows the remote logging format that the system uses for IP Enforcer anomalies when you select Reporting Server as the remote storage type.
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",attack_id="%llu",attack_status="%s",operation_mode="%s",source_ip="%s:%s:%llu",date_time="%s",severity="%s"
Table G.3 describes the fields in the remote logging format for IP Enforcer anomalies on reporting servers. The field description from that table is:
- Comma-separated list of attacked IP addresses in the format client_ip_addr:geo_location:drops_counter
Figure G.4 shows the remote logging format that the system uses for IP Enforcer anomalies when you select ArcSight as the remote storage type.
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s
Table G.4 describes the fields in the remote logging format for IP Enforcer anomalies when you are using the ArcSight format. The field description from that table is:
- Number of dropped requests since the number was last reported (delta value for the drops counter)
Figure G.5 shows the remote logging format that the system uses for web scraping anomalies when you select Reporting Server as the remote storage type.
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s",attack_id="%llu",attack_status="%s",operation_mode="%s",source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s"
Table G.5 describes the fields in the remote logging format for web scraping anomalies on reporting servers.
Figure G.6 shows the remote logging format that the system uses for web scraping anomalies when you select ArcSight as the remote storage type.
CEF:0|F5|%s|%s|%s|%s|%d|dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests flexNumber1=%u flexNumber1Label=violation_counter
Table G.6 describes the fields in the remote logging format for web scraping anomalies when using the ArcSight format. The field description from that table is:
- Number of dropped requests since the number was last reported (delta value for the drops counter)
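For the ArcSight format in Figures G.2, G.4 and G.6, a consumer has to split the pipe-delimited CEF header, parse the space-separated extension (whose values are unquoted and may contain spaces, as in act=Source IP-Based Rate Limiting), and rename the generic csN/cnN/flexNumberN keys using their matching *Label fields. Because the page states that dropped_requests is a delta since the previous report, a per-attack total is obtained by summing it over successive lines. The Python below is an added example of such a consumer and is not F5 code. The two sample lines are constructed; in particular, the page does not describe what the %s header positions carry, so the header values in the samples are placeholders, and attack_status values such as "started" are illustrative.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Extension pairs are "key=value" separated by spaces; values are unquoted and
# may contain spaces, so a value runs until the next " key=" token or the end.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# A pipe in the CEF header is a separator unless escaped as "\|".
_HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# Keys whose values the page's format strings declare as integers (%d/%llu/%u).
_INT_KEY_RE = re.compile(r"^(cn\d+|flexNumber\d+)$")


def parse_cef_line(line: str) -> Tuple[List[str], Dict[str, object]]:
    """Parse one ASM anomaly line in ArcSight CEF format.

    Returns the seven header fields (from "CEF:0" through severity) and a dict
    of extension fields in which every csN/cnN/flexNumberN value is re-keyed by
    its *Label field (cn2 + cn2Label=dropped_requests -> dropped_requests).
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # maxsplit=7 keeps any literal '|' inside the extension (e.g. in a URL) intact.
    parts = _HEADER_SPLIT_RE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    # strip() tolerates the "CEF:0 |F5|" spacing shown in Figures G.2 and G.4.
    header = [p.strip().replace("\\|", "|") for p in parts[:7]]
    raw: Dict[str, str] = dict(_EXT_RE.findall(parts[7].strip()))

    fields: Dict[str, object] = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue  # consumed through its base key below
        typed: object = int(value) if _INT_KEY_RE.match(key) else value
        fields[raw.get(key + "Label") or key] = typed
    return header, fields


def sum_dropped_requests(lines: Iterable[str]) -> Dict[int, int]:
    """Running total of dropped requests per attack_id.

    cn2/dropped_requests is a delta since the previous report, so the total
    for an attack is the sum of the deltas reported under the same attack_id.
    """
    totals: Dict[int, int] = {}
    for line in lines:
        _, f = parse_cef_line(line)
        attack_id = int(f["attack_id"])
        totals[attack_id] = totals.get(attack_id, 0) + int(f["dropped_requests"])
    return totals


# Constructed sample lines (not real captures). Header positions after "F5"
# are placeholders: the page does not state what each %s carries.
SAMPLE_DOS = (
    "CEF:0|F5|ASM|0.0.0|DoS Attack|TPS Increased|5|"
    "dvchost=bigip1.example.com dvc=192.0.2.10 cs1=shop_policy cs1Label=policy_name "
    "cs2=shop_app cs2Label=web_application_name deviceCustomDate1=2013-05-01 10:00:00 "
    "deviceCustomDate1Label=policy_apply_date act=Source IP-Based Rate Limiting "
    "cn3=1234567890 cn3Label=attack_id cs4=ongoing cs4Label=attack_status "
    "request=/login src=198.51.100.7 cs6=US cs6Label=geo_location "
    "cs5=TPS Increased cs5Label=detection_mode rt=2013-05-01 10:05:00 "
    "cn1=250 cn1Label=detection_average cn2=42 cn2Label=dropped_requests"
)
SAMPLE_SCRAPING = (
    "CEF:0|F5|ASM|0.0.0|Web Scraping|Web Scraping Detected|5|"
    "dvchost=bigip1.example.com dvc=192.0.2.10 cs1=shop_policy cs1Label=policy_name "
    "cs2=shop_app cs2Label=web_application_name deviceCustomDate1=2013-05-01 10:00:00 "
    "deviceCustomDate1Label=policy_apply_date act=blocking cn3=987654321 cn3Label=attack_id "
    "cs4=started cs4Label=attack_status src=203.0.113.9 cs6=DE cs6Label=geo_location "
    "rt=2013-05-01 10:05:00 cn2=7 cn2Label=dropped_requests "
    "flexNumber1=3 flexNumber1Label=violation_counter"
)

if __name__ == "__main__":
    header, fields = parse_cef_line(SAMPLE_DOS)
    print("header:", header)
    print("fields:", fields)
    print("totals:", sum_dropped_requests([SAMPLE_DOS, SAMPLE_DOS, SAMPLE_SCRAPING]))
```

The same parser covers all three ArcSight variants on this page, since they differ only in which extension keys are present; the web scraping line additionally yields violation_counter from flexNumber1.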