Manual Chapter : Logging Application Security Events

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

About logging profiles

Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service. Each logging profile can specify local or remote logging, but not both.

You can use one logging profile for Application Security, Protocol Security, Network Firewall, DoS Protection and Bot Defense. The system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. Other logging profiles are included for global-network and local-dos. You can use the system-supplied logging profiles, or you can create a custom logging profile. The system-supplied logging profiles cannot be edited.

The logging profile records requests to the virtual server. By default, when you create a security policy, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.

Note: If running Application Security Manager™ on a BIG-IP® system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.

A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally or remotely. The storage filter determines what information is stored. For remote logging, you can send logging files for storage on a remote system (in CSV format), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not handled by F5 Networks.

How to use multiple logging profiles

You can assign multiple logging profiles to one virtual server. Here are some examples of how to use multiple logging profiles:

Log Illegal Requests locally, All requests remotely

You can log all requests locally using just one logging profile. But you can save resources by logging illegal requests locally and logging all requests remotely. You would create two logging profiles:

  • Local storage with illegal requests
  • Remote storage of all requests

Multiple SIEM Systems

If your company uses multiple security information and event management (SIEM) systems to collect logs and other security related information (for example, Splunk and ArcSight), you could set up three logging profiles.

  • Local storage with illegal requests
  • Remote filter in Splunk format (user-defined format with Splunk field names).
  • Remote filter in Arcsight format (user-defined format with ArcSight field names)

Creating a logging profile for local storage

You can create a custom logging profile to log application security events locally on the BIG-IP® system.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select the Application Security check box.
    The screen displays additional fields.
  5. On the Application Security tab, for Configuration, select Advanced.
  6. In the Storage Destination list, be sure that Local Storage is selected.
  7. Optional: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
  8. From the Response Logging list, select one of the following options.
    Option Description
    Off Do not log responses.
    For Illegal Requests Only Log responses for illegal requests.
    For All Requests Log responses for all requests. Used when the Storage Filter Request Type is set to All Requests. (Otherwise, logs only illegal requests.)
    By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
  9. To further specify the types of requests that the system or server logs, set up the Storage Filter. From the Request Type list, select one of the following options.
    Option Description
    Illegal requests only Log illegal requests only.
    Illegal requests, and requests that include staged attack signatures

    Log illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).

    All requests Log all requests.
    To further filter what gets logged, use the Advanced storage filter options.
  10. Click Finished.

When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Local Logging setting ensures that the system logs the requests in this situation, but may result in a performance reduction in high-volume traffic applications.

After creating the logging profile, you need to associate it with the virtual server used by the security policy. You can associate only one local logging profile with the virtual server.

Setting up remote logging

To set up remote logging for Application Security Manager™, you need to have created a logging profile with Application Security enabled.
You can configure a custom logging profile to log application security events remotely on syslog or other reporting servers.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select the Application Security check box.
    The screen displays additional fields.
  5. On the Application Security tab, for Configuration, select Advanced.
  6. From the Storage Destination list, select Remote Storage.
    Additional fields related to remote logging are displayed.
  7. From the Logging Format list, select the appropriate type:
    • To store traffic on a remote logging server in CSV format, select Comma Separated Values.
    • To store traffic on a reporting server (such as Splunk) using a preconfigured storage format with key-value pairs in the log messages, select Key-Value Pairs.
    • If your network uses ArcSight logs, select Common Event Format (ArcSight). Log messages are in Common Event Format (CEF).
    • To store logs on the BIG-IQ system, select BIG-IQ.
  8. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting), TCP-RFC3195, or UDP.
  9. For Server Addresses, specify one or more remote servers, reporting servers, or ArcSight servers on which to log traffic. Type the IP Address, Port (default is 514), and click Add.
  10. If using the Comma-Separated Values logging format, for Facility, you can optionally select the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7.
    Tip: If you have more than one security policy you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
  11. If you are using the Comma-Separated Values logging format, in the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
    1. To determine how the log appears, select Field-List to display the items in the Selected Items list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected Items list in addition to any free text you type in the Selected Items list.
    2. To specify which items appear in the log, move items from the Available Items list into the Selected Items list.
    3. To control the order in which predefined items appear in the server logs, select an item in the Selected Items list, and click the Up or Down button.
  12. If you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends, select Report Detected Anomalies.
  13. To further specify the types of requests that the system or server logs, set up the Storage Filter. From the Request Type list, select one of the following options.
    Option Description
    Illegal requests only Log illegal requests only.
    Illegal requests, and requests that include staged attack signatures

    Log illegal requests and requests that trigger attack signatures in staging (even though those requests are allowed).

    All requests Log all requests.
    To further filter what gets logged, use the Advanced storage filter options.
  14. Click Finished.
When you create a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote systems.
Next, you need to associate the logging profile with the virtual server used by the security policy.

Associating a logging profile with a security policy

A logging profile determines where events are logged and what details are included. By default, when you create a security policy, the system associates the Log Illegal Requests profile with the virtual server used by the policy. You can change which logging profile is associated with the security policy or assign a new one to the virtual server.
  1. Click Local Traffic > Virtual Servers
  2. Click the name of the virtual server used by the security policy.
    The system displays the general properties of the virtual server.
  3. From the Security menu, choose Policies.
    The system displays the policy settings for the virtual server.
  4. Ensure that the Application Security Policy setting is Enabled, and that Policy is set to the security policy you want.
  5. For the Log Profile setting:
    1. Check that it is set to Enabled.
    2. From the Available list, select the profile to use for the security policy, and move it into the Selected list.
    You can assign only one local logging profile to a virtual server, but it can have multiple remote logging profiles.
  6. Click Update.

Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.

About logging responses

If you enable response logging in the logging profile, the system can log only responses that include the following content headers:

  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"
  • "application/soap+xml"
  • "application/json"

The system cannot log other responses.

About ArcSight log message format

If your network uses ArcSight logs, you can create a logging profile so that the log information is saved using the appropriate format. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).

The basic format is:

CEF:Version|Device Vendor|Device Product|Device Version 
   |Device Event Class ID|Name|Severity|Extension

About syslog request format

Application Security Manager™ can log security events to the /var/log/asm file on the system if you need to. Logging to this file is off by default. You can turn the logging on using the send_content_events system variable from the command line, or on the System Variables screen: Security > Options > Application Security > Advanced Configuration > System Variables .

Note: F5 recommends enabling the send_content_events parameter only for troubleshooting purposes due to a potential decrease in performance.

Here is the format of the syslog request followed by descriptions of the fields:

<Rejection Description> <Request Violation> <Support ID> <Source IP>  
<XFF IP> <Source Port> <Destination IP> <Destination Port> <Route Domain> 
<HTTP Classifier> <Scheme> <Geographic Location> <Request> <Username> 
<Session ID> <Violation Rating>
  
Field What it contains
Rejection Description Empty unless the request is blocked by the security policy.
Request Violations A comma separated list of the violations that occurred during enforcement of the request or response.
Support ID An ID number assigned to the request by the system to allow the system administrator to track it.
Source IP The IP address from which the request originated.
XFF IP The X-Forwarded-For (XFF) IP address located in the XFF header and which represents the end client's IP address.
Source Port The port from which the request originated.
Destination IP The IP address to which the request is sent, generally, the virtual server IP address.
Destination Port The port to which the request is sent.
Route Domain The route domain (network traffic segment) where the request originated.
HTTP Classifier The name of the ASM security policy.
Scheme Whether the request was made using HTTP or HTTPS.
Geographic Location The two-letter country code of origin based on the source IP address.
Request The actual request made including headers (up to 128 bytes).
Username Name of the user associated with the request.
Session ID ID number assigned to the request to allow the system administrator to track requests by session.
Violation Rating Rating between 1 and 5 that ranks the severity of any violations associated with the request. 1 is most likely a false positive and 5 is most likely an attack.

Filtering logging information

The storage filter of an application security logging profile determines the type of requests the system or server logs. You can create a custom storage filter for a logging profile so that the event logs include the exact information you want to see.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. In the Profile Name column, click the logging profile name for which you want to set up the filter.
    Note: This profile must be one that you created and not one of the system-supplied profiles, which cannot be edited.
    The Edit Logging Profile screen opens.
  3. From the Storage Filter list, select Advanced.
    The screen displays additional settings.
  4. For the Logic Operation setting, specify the filter criteria to use.
    Option Description
    OR Select this operator to log the data that meets one or more of the criteria.
    AND Select this operator to log the data that meets all of the criteria.
  5. For the Request Type setting, select the requests that you want the system to store in the log, All Requests or Illegal Requests Only.
  6. For the Protocols setting, select whether logging occurs for both HTTP and HTTPS protocols or a specific protocol.
  7. For the Response Status Codes setting, select whether logging occurs for all response status codes or only for specific ones.
  8. For the HTTP Methods setting, select whether logging occurs for all methods or only for specific ones.
  9. For the Request Containing String setting, select whether the request logging is for any string or dependent on a specific string that you specify.
  10. Click Update.

The system logs application security data that meets the criteria specified in the storage filter.

Viewing application security logs

You can view locally stored system logs for the Application Security Manager™ on the BIG-IP® system. These are the logs that include general system events and user activity.
Tip: If you prefer to review the log data from the command line, you can find the application security log data in the /var/log/asm file.
  1. Click System > Logs
  2. Click Application Security.

The system displays application security data that meets the criteria specified in the logging profile.