
F5 BIG-IP ASM Integration

Overview

F5 BIG-IP Application Security Manager (ASM) is the BIG-IP web application firewall module. KYRA MDR ingests the events that ASM sends through BIG-IP remote logging (syslog) so that web application attacks can be monitored and investigated. Supported BIG-IP versions: 14.x, 15.x, and 16.x.

Prerequisites

  • A KYRA MDR Collector installed and running
  • F5 BIG-IP with ASM module licensed and provisioned
  • Administrative access to the BIG-IP management interface
  • Network connectivity from the BIG-IP to the collector on TCP port 514. ASM remote logging is sent by TMM, so the collector must be reachable from a data-plane self IP (in the correct route domain), not only from the management interface

Configuration

Configure remote logging on F5 BIG-IP:

  1. Navigate to System > Logs > Configuration > Remote Logging
  2. Add a remote syslog destination:

     Setting        Value
     Remote IP      Your KYRA Collector IP
     Remote Port    514
     Protocol       TCP

  3. Create an ASM logging profile:
    • Navigate to Security > Event Logs > Logging Profiles
    • Enable Application Security
    • Set Remote Storage to Remote and add the collector IP and port 514 as the remote server
  4. Attach the logging profile to each virtual server that ASM protects
  5. Save and sync the configuration

CLI Configuration (tmsh)

You can also configure remote logging from the BIG-IP command line. Note that sys syslog remote-servers forwards the BIG-IP host syslog; ASM request events are sent by TMM according to the logging profile's own servers list and protocol setting, so the profile is what must point at the collector.

  # Add a remote syslog destination for the host syslog
  tmsh modify sys syslog remote-servers add {
      kyra-mdr {
          host <COLLECTOR_IP>
          remote-port 514
      }
  }

  # Verify the remote syslog configuration
  tmsh list sys syslog remote-servers

  # Create an ASM logging profile that sends illegal requests to the collector over TCP
  tmsh create security log profile kyra-asm-logging {
      application add {
          kyra-asm {
              local-storage disabled
              remote-storage remote
              protocol tcp
              servers add {
                  <COLLECTOR_IP>:514 {}
              }
              filter {
                  request-type {
                      values add { illegal }
                  }
              }
          }
      }
  }

  # Verify the profile
  tmsh list security log profile kyra-asm-logging

  # Attach the logging profile to a virtual server
  tmsh modify ltm virtual /Common/my_virtual_server \
      security-log-profiles add { kyra-asm-logging }

  # Save the configuration, and sync it if the device is in a device group
  tmsh save sys config
  tmsh run cm config-sync to-group <DEVICE_GROUP>

Verify Log Reception

  # On the KYRA Collector, confirm that ASM events arrive on TCP 514 from the BIG-IP
  sudo tcpdump -i any -n -A tcp port 514 | grep -i "ASM"

  # From the BIG-IP CLI, send a test syslog message to the collector over TCP
  logger -n <COLLECTOR_IP> -P 514 --tcp "BIG-IP test message from $(hostname)"

The logger test is sent from the BIG-IP host, so it only proves that the collector accepts TCP syslog on port 514. It does not exercise the data-plane path used by the logging profile; only an actual ASM event from a protected virtual server confirms that.

Collected Log Types

Log Type          Description                        Security Use
ASM Violations    WAF policy violation events        Web attack detection
Bot Defense       Bot detection and mitigation       Automated threat protection
Brute Force       Login attempt tracking             Credential stuffing detection
DoS Protection    Application DoS events             Application layer DDoS
IP Intelligence   IP reputation matches              Known threat actor detection
Request Logging   Full request/response data         Forensic investigation
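The following is an added example for this page, not KYRA MDR or F5 code, showing what the collector receives once the profile above is attached and how the log types in this table turn into first-pass analyst checks: it parses ASM events, counts blocked versus alerted requests, keeps the support IDs of blocked requests, and flags client IPs with repeated illegal requests. It assumes the logging profile uses ASM's default user-defined remote storage format, in which the message body after an ASM: prefix is a comma-separated list of key="value" pairs (field names such as request_status, violations, support_id, ip_client, sig_names, attack_type and severity); the sample lines are constructed, not captured.

```python
"""Triage ASM remote-logging events: parse key="value" messages and summarise them."""
import re
from collections import Counter

# Constructed sample syslog lines (not real captures) in the ASM default
# user-defined remote storage format. The last line is the plain test message
# produced by the logger command in the verification step and must be ignored.
SAMPLE_LINES = [
    '<134>Mar 12 10:15:01 bigip1 ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/shop_policy",violations="Attack signature detected",'
    'support_id="1234567890123456789",request_status="blocked",response_code="0",'
    'ip_client="203.0.113.7",method="GET",protocol="HTTPS",severity="Critical",'
    'attack_type="SQL-Injection",sig_names="SQL-INJ expressions like \\"or 1=1\\" (3)",'
    'uri="/search",request="GET /search?q=1%27+or+1%3D1-- HTTP/1.1\\r\\nHost: shop.example.com\\r\\n"',
    '<134>Mar 12 10:15:02 bigip1 ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/shop_policy",violations="Attack signature detected",'
    'support_id="2345678901234567890",request_status="alerted",response_code="200",'
    'ip_client="203.0.113.7",method="GET",protocol="HTTPS",severity="Critical",'
    'attack_type="Cross Site Scripting (XSS)",sig_names="XSS script tag (Parameter)",'
    'uri="/comment",request="GET /comment?text=%3Cscript%3E HTTP/1.1\\r\\n"',
    '<134>Mar 12 10:15:03 bigip1 ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/shop_policy",violations="Illegal URL",'
    'support_id="3456789012345678901",request_status="blocked",response_code="0",'
    'ip_client="203.0.113.7",method="GET",protocol="HTTPS",severity="Error",'
    'attack_type="Forceful Browsing",sig_names="",uri="/admin/config.php",'
    'request="GET /admin/config.php HTTP/1.1\\r\\n"',
    '<134>Mar 12 10:15:04 bigip1 ASM:unit_hostname="bigip1.example.com",'
    'policy_name="/Common/shop_policy",violations="Illegal file type",'
    'support_id="4567890123456789012",request_status="alerted",response_code="404",'
    'ip_client="198.51.100.20",method="GET",protocol="HTTPS",severity="Warning",'
    'attack_type="Forceful Browsing",sig_names="",uri="/backup.zip",'
    'request="GET /backup.zip HTTP/1.1\\r\\n"',
    '<30>Mar 12 10:15:05 bigip1 logger: BIG-IP test message from bigip1',
]

# One key="value" pair. A backslash escapes the next character, so quotes inside
# a value (for example in sig_names or request) do not terminate the value.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_event(line):
    """Return the ASM fields of one syslog line as a dict, or None if it is not an ASM event."""
    marker = line.find("ASM:")
    if marker < 0:
        return None
    fields = {key: value.replace('\\"', '"')
              for key, value in PAIR_RE.findall(line[marker + 4:])}
    # Every ASM request event carries request_status; anything without it is not one.
    if "request_status" not in fields:
        return None
    return fields


def summarize(lines):
    """Aggregate parsed events the way an analyst scans them first."""
    events = [e for e in map(parse_asm_event, lines) if e is not None]
    return {
        "events": len(events),
        "status": Counter(e["request_status"] for e in events),
        "severity": Counter(e.get("severity", "unknown") for e in events),
        "attack_types": Counter(e.get("attack_type", "unknown") for e in events),
        # Only illegal requests (blocked or alerted) count against a source.
        "per_client": Counter(e["ip_client"] for e in events
                              if e["request_status"] in ("blocked", "alerted")),
        # The support ID is what a user sees on the ASM blocking page, so keep it
        # to correlate helpdesk reports with the exact blocked request.
        "blocked_support_ids": [e["support_id"] for e in events
                                if e["request_status"] == "blocked"],
    }


def noisy_sources(summary, threshold=3):
    """Client IPs with at least `threshold` illegal requests (scanner or brute-force candidates)."""
    return sorted(ip for ip, count in summary["per_client"].items() if count >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print("events:", report["events"], "status:", dict(report["status"]))
    print("severity:", dict(report["severity"]), "attack types:", dict(report["attack_types"]))
    print("blocked support IDs:", report["blocked_support_ids"])
    print("noisy sources:", noisy_sources(report))
```

The severity counter is also the quickest way to judge the "High volume" troubleshooting advice below: if most events are Warning or Informational, tightening the profile's request type filter to illegal requests or filtering by severity will cut the volume without losing the blocked events.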

Troubleshooting

No ASM logs: Verify that the logging profile is attached to the virtual server (tmsh list ltm virtual <VIRTUAL_SERVER> security-log-profiles) and that its remote storage points at the collector IP and port.

Missing violation details: Make sure the profile's storage format includes the request fields (for example request, uri, query_string and sig_names) and, where response data is needed, that response logging is enabled in the profile.

High volume: Narrow the profile's request type filter to illegal requests only and, if the volume is still too high, filter by severity (for example Critical and Error). Note that ASM's violation rating (a 1 to 5 score per request) is a separate measure from the severity field.

Contact kyra@seekerslab.com for support.