F5 Connector not mapping Source and Destination Address
I have configured a Syslog Daemon software connector on a Windows 2003 server. This connector is configured to listen to syslog events from various sources, among which are Cisco, F5, etc. The issue is with the F5 events: when I create an active channel with device product = Big IP I get all the events for F5, but when I investigate an event I don't see the source address, destination address, source port, destination port and xffip mapped to the right fields in ArcSight CEF events.
Please find the attached screenshot.
F5 provides a number of different modules for BIG-IP: ASM, APM, LTM, GTM, AFM, etc.
Currently, ASM (Application Security Manager) supports CEF formatting when the BIG-IP is configured to send via the CEF Publisher. ASM added CEF support in 10.2, IIRC.
AFM (Advanced Firewall Manager) added support for CEF in 11.4.1, which is currently under submission for Certification by ArcSight.
The event log in your JPGs appears to illustrate a "Request violation." for "HTTP protocol compliance."
1. Is this an ASM log event (it appears to be)?
2. What version of ASM (just to ensure CEF is supported)?
3. Is your configuration for the ASM logging set for CEF formatted event logging? If not, it will publish in the native format.
If you need some additional help understanding the ASM configuration there is a document published here:
There has been discussion on LTM, et al. I don't have a timeline or expectation for delivery. If you have an F5 FSE or Acct Mgr, I would encourage you to engage them, in order to remain updated on the status of each module.
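As an added example (not part of the reply above, and not F5 or ArcSight code), one way to check question 3 on a captured syslog line: the sketch below tells CEF-formatted lines from non-CEF ones and reports which of the standard CEF keys `src`, `dst`, `spt` and `dpt` are absent. Both sample lines are constructed, and the vendor/product strings and the non-CEF layout in them are assumptions, not F5's actual output.

```python
import re

CEF_START = re.compile(r"CEF:\d+\|")
# A pipe preceded by a backslash is treated as escaped (part of a header value)
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs until the next " key=" or the end of the line
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.S)
HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
WANTED = ("src", "dst", "spt", "dpt")  # standard CEF address/port keys


def unescape(value):
    """Undo CEF escaping of backslash, pipe and equals."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line):
    """Return (header, extension) dicts, or None if the line is not CEF."""
    start = CEF_START.search(line)
    if not start:
        return None
    parts = UNESCAPED_PIPE.split(line[start.start():], maxsplit=7)
    if len(parts) < 8:
        return None  # truncated header, cannot be mapped reliably
    header = dict(zip(HEADER, map(unescape, parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext = {k: unescape(v) for k, v in EXT_PAIR.findall(parts[7])}
    return header, ext


def check(line):
    """Return ('cef' | 'native', list of WANTED keys missing from the line)."""
    parsed = parse_cef(line)
    if parsed is None:
        return "native", list(WANTED)
    return "cef", [k for k in WANTED if k not in parsed[1]]


# Constructed samples (assumed layouts, documentation-range addresses)
CEF_LINE = ("<134>Jan  1 00:00:00 bigip1 "
            "CEF:0|F5|ASM|10.2|HTTP protocol compliance|Request violation|5|"
            "src=192.0.2.10 spt=51515 dst=198.51.100.5 dpt=80 "
            "msg=HTTP protocol compliance failed")
NATIVE_LINE = ('<134>Jan  1 00:00:00 bigip1 ASM: '
               'violation="HTTP protocol compliance", client=192.0.2.10')

if __name__ == "__main__":
    for sample in (CEF_LINE, NATIVE_LINE):
        print(check(sample))
```

A result of `native` means the line carries no CEF header at all, so the logging format on the sending side is the first thing to look at rather than the field mapping.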
Hi Jeff,
Thanks for your info!
Same issue. Does the latest version of the connector support the "LTM" module? I can see this in one of the product announcements for connector version 6.0.2.xxx:
New Product Version Support
- F5 BIG-IP Syslog, LTM 8900 version 10.2
In this post it is listed that LTM is fully supported by the syslog connector?
Thanks in advance.