The IBM QRadar F5 Networks BIG-IP Application Security Manager (ASM) DSM collects web application security events from BIG-IP ASM appliances by using syslog.
About this task
To forward syslog events from an F5 Networks BIG-IP ASM appliance to QRadar, you must configure a logging profile.
A logging profile can be used to configure remote storage for syslog events, which can be forwarded directly to QRadar.
Procedure
- Log in to the F5 Networks BIG-IP ASM appliance user interface.
- In the navigation pane, select .
- Click Logging Profiles.
- Click Create.
- From the Configuration list, select Advanced.
- Type a descriptive name for the Profile Name property.
- Optional: Type a Profile Description. If you do not want data logged both locally and remotely, clear the Local Storage check box.
- Select the Remote Storage check box.
- From the Type list, select one of the following options:
  - In BIG-IP ASM V12.1.2 or earlier, select Reporting Server.
  - In BIG-IP ASM V13.0.0 or later, select key-value pairs.
  - Or, select Common Event Format. Log messages are in Common Event Format (CEF).
- From the Protocol list, select TCP.
- In the IP Address field, type the IP address of the QRadar Console and in the Port field, type a port value of 514.
- Select the Guarantee Logging check box.
  Note: Enabling the Guarantee Logging option ensures that the system log requests continue for the web application when the logging utility is competing for system resources. Enabling the Guarantee Logging option can slow access to the associated web application.
- Select the Report Detected Anomalies check box to allow the system to log details.
- Click Create.
The display refreshes with the new logging profile. The log source is added to QRadar as F5 Networks BIG-IP ASM events are automatically discovered. Events that are forwarded by F5 Networks BIG-IP ASM are displayed on the Log Activity tab of QRadar.
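
The Type selection in the procedure decides whether the profile sends key-value pairs or CEF. The following added example (not IBM or F5 code) classifies and parses one received syslog message so that you can confirm which format a profile emits. The sample messages are constructed, and the field names and the `key="value"` layout are assumptions.

```python
import re

# Constructed samples, not captured from an appliance. The field names and the
# key="value" layout are assumptions made for this illustration.
SAMPLE_KV = ('<134>Jan  1 00:00:00 asm.example.test ASM:'
             'policy_name="demo_policy",ip_client="192.0.2.10",'
             'uri="/login?next=a,b",request_status="blocked"')
SAMPLE_CEF = ('<134>Jan  1 00:00:00 asm.example.test '
              'CEF:0|F5|ASM|0.0.0|demo-id|Demo \\| signature|5|'
              'src=192.0.2.10 request=/login?a\\=1 act=blocked')

CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
# A header field is any run of escaped characters or non-pipe characters.
_FIELD = r"((?:\\.|[^|\\])*)\|"
CEF_RE = re.compile(r"CEF:" + _FIELD * 7 + r"(.*)$", re.S)
# An extension value runs until the next " key=" or the end of the message.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")
# Assumes values are double-quoted and contain no embedded double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def _unescape(value):
    """Resolve CEF escapes: n and r become line breaks, others lose the backslash."""
    breaks = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: breaks.get(m.group(1), m.group(1)), value)


def parse_event(message):
    """Classify one syslog message and return (format_name, fields)."""
    cef = CEF_RE.search(message)
    if cef:
        fields = {k: _unescape(v) for k, v in zip(CEF_HEADER, cef.groups())}
        fields["extension"] = {k: _unescape(v)
                               for k, v in EXT_RE.findall(cef.group(8))}
        return "cef", fields
    pairs = KV_RE.findall(message)
    if pairs:
        return "key-value", dict(pairs)
    # Neither layout matched: treat as unparsed rather than guessing.
    return "unknown", {}


if __name__ == "__main__":
    for sample in (SAMPLE_KV, SAMPLE_CEF):
        print(parse_event(sample))
```
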