F5 Networks BIG-IP ASM

The IBM QRadar F5 Networks BIG-IP Application Security Manager (ASM) DSM collects web application security events from BIG-IP ASM appliances by using syslog.

About this task

To forward syslog events from an F5 Networks BIG-IP ASM appliance to QRadar, you must configure a logging profile.

A logging profile can be used to configure remote storage for syslog events, which can be forwarded directly to QRadar.

Procedure

  1. Log in to the F5 Networks BIG-IP ASM appliance user interface.
  2. In the navigation pane, select Application Security > Options.
  3. Click Logging Profiles.
  4. Click Create.
  5. From the Configuration list, select Advanced.
  6. Type a descriptive name for the Profile Name property.
  7. Optional: Type a Profile Description.

    If you do not want data logged both locally and remotely, clear the Local Storage check box.

  8. Select the Remote Storage check box.
  9. From the Type list, select 1 of the following options:
    1. In BIG-IP ASM V12.1.2 or earlier, select Reporting Server.
    2. In BIG-IP ASM V13.0.0 or later, select key-value pairs.
    3. Or, select Common Event Format. Log messages are in Common Event Format (CEF).
  10. From the Protocol list, select TCP.
  11. In the IP Address field, type the IP address of the QRadar Console and in the Port field, type a port value of 514.
  12. Select the Guarantee Logging check box.
    Note: Enabling the Guarantee Logging option ensures the system log requests continue for the web application when the logging utility is competing for system resources. Enabling the Guarantee Logging option can slow access to the associated web application.
  13. Select the Report Detected Anomalies check box to allow the system to log details.
  14. Click Create.

    The display refreshes with the new logging profile. The log source is added to QRadar as F5 Networks BIG-IP ASM events are automatically discovered. Events that are forwarded by F5 Networks BIG-IP ASM are displayed on the Log Activity tab of QRadar.