
F5 WAF logs: Why can't I search on "blocked request"?

skyred5
Engager

I have data piped to Splunk from F5; it is configured to generate WAF reports, which are sent to Splunk.

When I do a search on "blocked request" I am not able to find any data related to it. However, if I find any data within 5 minutes, I click on Show Source and I am able to find the information I need. In addition, it seems like the search result is showing one line per line of the WAF report.

I need some advice on how to enhance the search query and find the information that I need, specifically the blocked requests. 


sajidalisajid
New Member

index=f5_index sourcetype=* req_status="blocked" attack_type=* | chart count(req_status) by attack_type

or
index=f5_index sourcetype=* attack_type=* req_status="blocked" | table f5_bigip_server_host, support_id, req_status, attack_type, violations, ip_client

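As an added illustration (constructed for this thread, not code from the F5 add-on or from any poster): a small Python parser for F5 ASM-style key="value" events that first rejoins events that a collector has split at line breaks (the "one line per WAF report line" symptom), then tallies blocked requests per attack_type, the same count the chart query above produces. Field names follow the ones used in this thread; the sample lines and values are made up.

```python
import re
from collections import Counter

# Constructed sample: a two-event excerpt in the F5 ASM key="value" format,
# where the multi-line "request" value has been split into separate lines
# by the collector. Field names follow this thread; values are made up.
RAW_LINES = [
    'ASM:f5_bigip_server_host="bigip1",http_class="/common/www.example.test",'
    'policy_name="/common/www.example.test",violations="Illegal URL, Attack signature detected",'
    'support_id="1001",req_status="blocked",attack_type="Cross Site Scripting (XSS), Non-browser Client",'
    'ip_client="203.0.113.5",request="GET /?q=%3Cscript%3E HTTP/1.1',
    'Host: www.example.test',
    'User-Agent: curl/8.0"',
    'ASM:f5_bigip_server_host="bigip1",http_class="/common/www.example.test",'
    'policy_name="/common/www.example.test",violations="N/A",support_id="1002",'
    'req_status="passed",attack_type="N/A",ip_client="198.51.100.7",request="GET / HTTP/1.1',
    'Host: www.example.test"',
]

# key="value" pairs; a quoted value may contain commas, newlines and \" escapes
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
EVENT_START = "ASM:"


def reassemble(lines):
    """Rejoin continuation lines into whole events; a new event starts at 'ASM:'."""
    events = []
    for line in lines:
        if line.startswith(EVENT_START) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def parse_event(raw):
    """Return the event's fields as a dict (a lone fragment yields no fields)."""
    return dict(KV_RE.findall(raw))


def blocked_by_attack_type(events):
    """Count blocked requests per attack type; one request may list several types."""
    counts = Counter()
    for raw in events:
        f = parse_event(raw)
        if f.get("req_status") != "blocked" or f.get("attack_type", "N/A") == "N/A":
            continue
        for attack in f["attack_type"].split(","):
            counts[attack.strip()] += 1
    return dict(counts)


if __name__ == "__main__":
    whole = reassemble(RAW_LINES)
    print(len(whole), "events; fields in a bare fragment:", parse_event(RAW_LINES[1]))
    print(blocked_by_attack_type(whole))
```

If the raw fragments are indexed as separate events, req_status is only present on the first fragment of each request, which is why a search on req_status returns little or nothing.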

skyred5
Engager

My search query looks similar to this. There are no search results for req_status=blocked. Even req_status=* returns nothing.

I have just done a simple search: index and sourcetype. There are a lot of one-liner results:

Http_class="/common/www.<Url>"

Policy_name="/common/www.<Url>"

I can also see entries where connections coming into F5 are accepted, with details like the browser and phone models that the connection is coming from.

There is just no data found for anything related to "req_status".


sajidalisajid
New Member

Hi

In that case, review your WAF settings as per the F5 Add-on + Splunk documentation:

Configure F5 Logging Profiles for ASM

docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

Regards,

Sajid


glc_slash_it
Path Finder

Without a sample of the events it is hard to tell what the problem is.

Here are some ideas:

1- Have you tried to expand the time interval?

2- Does this query return any data? If so, check if the values of req_status and attack_type are what you expect. 

index=f5_index sourcetype=* req_status="blocked" attack_type=*

The chart and table commands seem fine, but they will only work if the first part of the query returns results.


glc_slash_it
Path Finder

Hi!

Can you post some events (anonymized) and the SPL you are running?
