F5 BigIP ASM categorization file

over 10 years ago

The F5 BigIP ASM module can send logs in CEF format, but, as for any CEF-format connector, there is no categorization, so the default ArcSight content doesn't take these events into account. We also found out that some messages have the same meaning but are not parsed the same way, which doesn't help categorization. This is why we created some additional map files to *correct* some fields.

Enjoy!

Anonymous
  • Sorry to reply so late.

    There is a SmartConnector Guide from ArcSight but it only refers to the configuration for "non-CEF" syslog events. To have CEF events, my preferred way is to use ASM logging profiles:

    • Go under Security => Event Logs => Logging Profile
    • Click “Create…” button
    • Enter Name “ArcSight_profile”
    • Check “Application Security” and leave the other 2 checkboxes unchecked
    • Enable “Remote Storage”
    • Select Remote Storage Type “ArcSight”
    • Select Protocol “TCP”
    • Enter connector platform IP address under “IP Address”
    • Enter the port SmartConnector is listening on under “Port”
    • Click “Add”
    • Select Request Type “All Requests”
    • Click “Finished”
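As an added illustration (not part of the original post or the attached map files) of what the CEF events produced by the logging profile above look like on the SmartConnector side, and of the kind of field correction the map files in the post apply, here is a small CEF parser with a normalization step; the sample events, the extension keys and the outcome mapping are constructed assumptions, not values taken from a real device:

```python
import re

# Constructed sample records in the shape of CEF lines an ASM logging profile with
# Remote Storage Type "ArcSight" sends over TCP. Vendor/product/version and the
# extension keys are assumptions for illustration only.
SAMPLE_EVENTS = [
    'CEF:0|F5|ASM|11.6.0|Illegal file type|Illegal file type|5|'
    'src=192.0.2.10 dst=198.51.100.5 spt=51234 dpt=443 request=/admin/config.php act=blocked',
    'CEF:0|F5|ASM|11.6.0|Illegal file type|Illegal file type|5|'
    'src=192.0.2.11 dst=198.51.100.5 spt=51235 dpt=443 request=/admin/config.php act=alerted',
]

# Extension keys are alphanumeric tokens followed by '=' at the start or after whitespace;
# values run up to the next such key. (A value containing " word=" would be truncated,
# a known limitation of this simple CEF splitting approach.)
EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')

def split_header(line):
    """Split the seven CEF header fields on unescaped '|' and return (header, extension)."""
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record')
    header = [re.sub(r'\\([\\|])', r'\1', p) for p in parts[:7]]  # unescape \| and \\
    return header, parts[7]

def parse_extension(ext):
    """Turn 'key=value key=value ...' into a dict, unescaping '=' and newlines in values."""
    fields = {}
    matches = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        fields[m.group(1)] = value.replace('\\=', '=').replace('\\n', '\n')
    return fields

# Hypothetical correction in the spirit of the map files described in the post: the same
# violation arrives with different 'act' values, so derive a consistent ArcSight outcome.
OUTCOME_BY_ACTION = {'blocked': '/Failure', 'alerted': '/Success'}

def normalize(line):
    """Parse one CEF line into ArcSight-style field names and apply the outcome correction."""
    header, ext = split_header(line)
    event = {'deviceVendor': header[1], 'deviceProduct': header[2],
             'deviceVersion': header[3], 'deviceEventClassId': header[4],
             'name': header[5], 'severity': int(header[6])}
    event.update(parse_extension(ext))
    event['categoryOutcome'] = OUTCOME_BY_ACTION.get(event.get('act', '').lower(), '/Attempt')
    return event
```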