
Splunk Add-on for F5 BIG-IP v2.6.0 CIM authentication action

morganfw
Path Finder

Hello,
I've installed Splunk Add-on for F5 BIG-IP v2.6.0 and Splunk Common Information Model (CIM) v4.12.0 on Splunk Enterprise 6.6.3. When I try to search authentication logs for APM (F5 VPN) with

index="f5" sourcetype="f5:bigip:apm:syslog" tag=authentication

the authentication action field reports "allowed" or "blocked" on Access Policy logs only (not on Username logs), instead of the "success" or "failure" values that the CIM Authentication dataset documentation reports.

Log example below:

Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.172 Listener /Common/ap_web_auth_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490506:5: /Common/ap_web_auth:Common:85157209: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490500:5: /Common/Network_Access_02:Common:8c6be305: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.174 Listener /Common/Network_Access_02_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490506:5: /Common/Network_Access_02:Common:8c6be305: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname:  Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490005:5: /Common/Network_Access_02:Common:8c6be305: Following rule 'fallback' from item 'Resource Assign' to ending 'Allow'
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490128:5: /Common/Network_Access_02:Common:8c6be305: Webtop '/Common/Network_Access_02_webtop' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490008:5: /Common/Network_Access_02:Common:8c6be305: Connectivity resource '/Common/Network_Access_02_na_res' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'

Has anyone experienced the same issue?
Thank you in advance for any help.


walterk82
Path Finder

Looking in the TA's default/props.conf at line 381:

EVAL-action = if(isnull(access_policy_result), null, if(access_policy_result="Logon_Deny","blocked","allowed"))

It looks like it should default to "allowed" unless the deny action is reached.

I would raise a support case with Splunk, as this is a bug -> http://docs.splunk.com/Documentation/CIM/4.12.0/User/Authentication


morganfw
Path Finder

Hi walterk82, and thank you for your answer.
Let me explain: I think there's another issue. In the TA's default/eventtypes.conf, lines 61-62 are configured as:

[f5_bigip_apm_username_received]
search = sourcetype="f5:bigip:apm:syslog" ": Username"

The above stanza is tagged with the Authentication dataset in default/tags.conf, lines 117-123:

[eventtype=f5_bigip_apm_username_received]
network = enabled
communicate = enabled
session = enabled
authentication = enabled
default = enabled
web = enabled

So when I search for tag=authentication, the action field is populated only in "Access policy result:" rows, not in "Username" rows, and not with the "success" or "failure" values that CIM expects for the Authentication dataset in order to populate the Splunk ITSI or Splunk ES premium apps.

Do you know a temporary workaround to put in the TA's local/props.conf to extract the Username success or failure action as expected?
Thank you in advance for any help.

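The thread's complaint is that the "Username" event carries no CIM-style action, while the "Access policy result:" event of the same APM session does. The following is an added example, not code from the thread or from the Splunk Add-on: it parses constructed syslog lines in the format shown above, joins the two events on the APM session ID (the "8c6be305" token present in both lines on the page), and emits the success/failure value CIM expects instead of the TA's allowed/blocked. The host, IPs and the second session are made up; the Logon_Deny string comes from the TA's EVAL quoted above.

```python
import re
from collections import defaultdict

# Constructed sample lines mirroring the thread's APM syslog format (host, IPs, second session are made up).
SAMPLE = """\
Nov 9 12:37:05 10.0.0.1 notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full
Nov 9 12:37:05 10.0.0.1 notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'
Nov 9 12:38:11 10.0.0.1 notice apmd[11023]: 01490102:5: /Common/ap_web_auth:Common:1a2b3c4d: Access policy result: Logon_Deny
Nov 9 12:38:11 10.0.0.1 notice apmd[11023]: 01490010:5: /Common/ap_web_auth:Common:1a2b3c4d: Username 'bob'
Nov 9 12:39:00 10.0.0.1 notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:deadbeef: New session from client IP 192.0.2.10
"""

# Message layout as seen on the page: "<code>:<sev>: /<partition>/<policy>:<partition>:<session_id>: <text>"
APM_RE = re.compile(
    r"\b(?P<code>[0-9a-f]{8}):\d+: (?P<policy>/[^:\s]+):[^:\s]+:(?P<session>[0-9a-f]{8}): (?P<text>.*)$"
)

def cim_action(access_policy_result):
    """The TA's EVAL-action yields allowed/blocked; CIM Authentication wants success/failure."""
    if access_policy_result is None:
        return None
    return "failure" if access_policy_result == "Logon_Deny" else "success"

def normalize(text):
    """Group APM events by session ID and build one CIM-shaped record per session that logged a username."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = APM_RE.search(line)
        if not m:
            continue
        s = sessions[m["session"]]
        s["app"] = m["policy"]
        if m["code"] == "01490102":                       # "Access policy result: <result>"
            s["access_policy_result"] = m["text"].split(": ", 1)[1]
        elif m["code"] == "01490010":                     # "Username '<user>'"
            um = re.match(r"Username '([^']*)'", m["text"])
            if um:
                s["user"] = um.group(1)
    # Sessions without a Username event (e.g. the tmm "New session" line alone) are not authentication events.
    return {sid: {"user": s["user"], "app": s["app"],
                  "action": cim_action(s.get("access_policy_result"))}
            for sid, s in sessions.items() if "user" in s}

if __name__ == "__main__":
    for sid, rec in normalize(SAMPLE).items():
        print(sid, rec)
```

In Splunk itself the same join would be a transaction or stats by the session ID field; the point here is that the username and the policy result only line up once the events are correlated per session.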

walterk82
Path Finder

I don't know enough about ITSI, ES and CIM to answer that question. Either way, this is a supported TA. Please ask support.


morganfw
Path Finder

Thank you for the answer.
I'll submit a case to Splunk Support.


walterk82
Path Finder

Thanks, please let me know the outcome. There seem to be errors in the AFM and ASM modules as well.
