
F5 Silverline Filter Support

Open · cdh2155 opened this issue 2 years ago · 1 comment

Feature request:

We are interested in ingesting data from F5 Silverline, which looks to be currently unsupported. The source type would be f5:silverline. Attached below are sample logs from F5 Support. The logs are in Syslog (RFC3164 - BSD) format.

F5 has five possible types of logs for Silverline:

DDoS Logs:

Jan 19 19:45:52 type = mitigation,addr = 192.168.51.30,blacklisted = no,countermeasure = filter,dst_port = 64163,mitigation = 172.16.208.x,prefixes = 172.16.208.0/25,protocol = 17,reason = filtered,rule = 0,src_port = 53

WAF Logs:

Apr 10 22:45:35 123.456.789.xxx 1 2019-04-10T22:45:29Z lab5.f5silverline.com log_export - - - type=waf, attack_type="Information Leakage", date_time="2019-04-10 22:45:28", dest_ip=“123.456.789.xxx”, dest_port="8083", geo_location="US", http_class_name="wafpolicy1", ip_client=“32.123.43.xxx”, method="DELETE", policy_apply_date="2019-03-20 21:29:45", policy_name="wafpolicy1", protocol="HTTP", query_string="", request_status="blocked", response_code="0", severity="Critical", sig_ids="", sig_names="", src_port="4840", support_id="1715xxxxxxxxxx”, uri="/wafpolicy1", username="N/A", violations="Illegal method", web_application_name="wafpolicy1", x_forwarded_for_header_value=“32.123.43.xxx”, staged_sig_ids="", staged_sig_names="", sub_violations="HTTP protocol compliance failed:Host header contains IP address", attack_type="HTTP Parser Attack", violation_details="<BAD_MSG><violation_masks>40600000800a58a-c00300000000000040600000800a58a-c00300000000000040200000800a58a-c0000000000000000-0</violation_masks><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTA3LjE2Mi4yMDguNDY=</http_sub_violation></BAD_MSG>",host=107.162.100.100

L7 DDoS Logs:

Jun 11 23:31:47 123.456.789.xxx <134>1 2020-06-11T15:22:04Z sjc1.f5silverline.com log_export - - - type=l7ddos, action="browser_challenge", client_ip_geo_location="SE", client_request_uri="/", errdefs_msgno="2300xxxx", client_ip="107.xxx.xxx.xxx", support_id="1520945084xxxxxxxxxx", request_status="challenged", reason="No Valid Cookie: Challenge possible because no Referer header arrived"\r,host=www.example.com

Threat Intelligence Logs:

Jun 7 14:56:43 type=ipi,action=Accept,attack_type=custom_category,bigip_mgmt_ip= ,context_name= ,date_time=Jun07201814:56:43,dest_ip= ,dest_port=80,errdefs_msg_name=IPIntelligenceEvent,errdefs_msgno=23003142,flow_id=0000000000000000,ip_intelligence_policy_name=ipi-Threat-Intel-Log-Only,ip_intelligence_threat_name= [scannerswindows_exploitsspam_sources],ip_protocol=TCP,route_domain=0,sa_translation_pool= ,sa_translation_type= ,severity=5,source_ip= ,source_port=24276,translated_dest_ip= ,translated_dest_port= ,translated_ip_protocol= ,translated_route_domain= ,translated_source_ip= ,translated_source_port= ,translated_vlan=

iRule Logs:

Apr 11 16:39:36 123.456.789.xxx 1 2019-04-11T16:39:32Z lab5.f5silverline.com log_export - - - type=irule, client_ip=“321.654.xxx.xxx”, client_port=436xx, data="{"action":"IP blocked","request":"GET / HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\nHost: 123.456.321.xxx:8083\r\nAccept: /\r\nX-Forwarded-For:321.654.xxx.xxx\r\nVia: 1.1 lab5-bit6\r\n\r\n"}", irule="test2_IPs", irule-version="2", log_type="irule", loglevel=6, msg_type="kvp", proxy_id="5472", request_side="true", server_ip=, server_port=, service_id="7257", snat_ip=, snat_port=, tmm_unit=3, virtualserver="/Common/qastats001-5472_7257.app/qastats001-5472_wafPolicyProxy-IPv4-HTTP-TCP-8083", vs_ip=“123.456.321.xxx”, vs_port=8083

Could we get a filter/parser made for this data? F5 Silverline enforces TLS/6514 by default, which is what we are using as well.

cdh2155, Jun 21 '22 19:06

@cdh2155 Thanks for reaching out to us. I started reviewing it, but it seems that the logs that you provided are somehow already formatted. Please provide .pcap files or raw logs with PRIs. You can also contact me directly in the Slack user group so we can clear things up.

@cdh2155 I will close this issue due to the lack of response. Please feel free to re-open it if you get some time to provide the details that we asked for previously.