F5 Networks Application Security Manager
What is Discovered and Monitored
Protocol |
Information discovered |
Metrics/Logs collected |
Used for |
---|---|---|---|
Syslog | Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits. | Log analysis and compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "f5-asm" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog
<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n