F5 BIG IP's Security iRule

wagnerbianchi
Splunk Employee

Hello Splunkers, how have you been?

We've been working with the F5 BIG IP Security (WAF) app and we've been observing some strange behavior on the dashboards' panels, most of it connected with Attacks and Signatures. I think the way we've configured the iRule or something on the BIG IP panel is not right. Just to add more information, we've configured the data input via UDP.

The main concerns are:
1. How to generate these logs?
2. How to configure the way BIG IP generates these logs?
3. Is this related to the iRule?

Could you guys help? Thanks a lot for any suggestion.

0 Karma

wagnerbianchi
Splunk Employee

So, I'm here again so as to try to be helped by you Splunk guys.

On DevCentral nobody has given any feedback yet on what follows:

Just to recap this conversation which you started some time ago (ASM & Splunk integration), I am having problems getting Splunk fully functional after following the steps in the PDF file which came with the app's package. The field attack_type, used in many queries of the first app menu's group, is presenting, I imagine, wrong data. It is presenting graphs with symbols such as commas, double quotes and single quotes. I will count on your help to understand whether it is a problem or not... could you give me a hand with that? Thanks a lot and looking forward to hearing from you.

I confess that I am a little lost in the midst of this implementation, but this time I am looking forward to gathering all the stuff I've learned and checking out what is wrong with the field attack_type, present on many dashboards generated by this app. It is getting just symbols such as commas and single and double quotes. It does not represent anything, and this is my only concern at this time.

  • Is it wrong in the BIG IP log profile configuration?
  • Is it wrong in Splunk when you uncomment a line in the app's props.conf?

It would be very interesting if someone who is working or has worked with this app could give a little help on that; perhaps F5 can help too!

I will appreciate any help...cheers!!

0 Karma

wagnerbianchi
Splunk Employee

OK! For those who want to keep track of this conversation, I just did a recap on a thread in which the same subject is being discussed. It is at: https://devcentral.f5.com/community/group/aft/1172058/asg/39#2276926

Cheers, WB

0 Karma

bmacias84
Champion

This seems like an F5 BIG IP specific issue. You may want to also post on DevCentral. I am only familiar with the iControl interface. What does a raw event look like?

0 Karma

wagnerbianchi
Splunk Employee

We followed the steps available in the PDF which came within the app file. But the field attack_type is reporting just commas, " and "" - does anyone know about that, is it normal or not? Any advice? Is there anyone using this app who can collaborate?

0 Karma