跳至正文
KYRA MDR KYRA MDR Docs

F5 BIG-IP ASM Integration

Overview

F5 BIG-IP Application Security Manager (ASM) provides web application firewall capabilities. KYRA MDR collects BIG-IP ASM logs via remote logging for web application security monitoring. Supports BIG-IP versions 14.x, 15.x, and 16.x.

Prerequisites

  • A KYRA MDR Collector installed and running
  • F5 BIG-IP with ASM module licensed and provisioned
  • Administrative access to the BIG-IP management interface
  • Network connectivity from BIG-IP to the collector on port 514

Configuration

Configure remote logging on F5 BIG-IP:

  1. Navigate to System > Logs > Configuration > Remote Logging
  2. Add a remote syslog destination:
SettingValue
Remote IPYour KYRA Collector IP
Remote Port514
ProtocolTCP
  1. Create an ASM logging profile:
    • Navigate to Security > Event Logs > Logging Profiles
    • Enable Application Security
    • Set Remote Storage to Remote
  2. Attach the logging profile to virtual servers
  3. Save and sync the configuration

CLI Configuration (tmsh)

You can also configure remote logging via the BIG-IP command line:

Terminal window
# Add a remote syslog destination
tmsh modify sys syslog remote-servers add {
  kyra-mdr {
    host <COLLECTOR_IP>
    remote-port 514
  }
}


# Verify the remote syslog configuration
tmsh list sys syslog remote-servers


# Create an ASM logging profile via tmsh
tmsh create security log profile kyra-asm-logging {
  application add {
    kyra-asm {
      local-storage disabled
      remote-storage remote
      servers add {
        <COLLECTOR_IP>:514 {}
      }
      filter {
        request-type {
          values add { illegal }
        }
      }
    }
  }
}


# Attach the logging profile to a virtual server
tmsh modify ltm virtual /Common/my_virtual_server \
  security-log-profiles add { kyra-asm-logging }


# Save the configuration
tmsh save sys config

Verify Log Reception

Terminal window
# On the KYRA Collector, verify incoming syslog from BIG-IP
sudo tcpdump -i any port 514 -A | grep -i "ASM"


# Test syslog from BIG-IP CLI
logger -n <COLLECTOR_IP> -P 514 --tcp "BIG-IP test message from $(hostname)"

Collected Log Types

Log TypeDescriptionSecurity Use
ASM ViolationsWAF policy violation eventsWeb attack detection
Bot DefenseBot detection and mitigationAutomated threat protection
Brute ForceLogin attempt trackingCredential stuffing detection
DoS ProtectionApplication DoS eventsApplication layer DDoS
IP IntelligenceIP reputation matchesKnown threat actor detection
Request LoggingFull request/response dataForensic investigation

Troubleshooting

No ASM logs: Verify the logging profile is attached to the virtual server.

Missing violation details: Include request details in the logging profile.

High volume: Filter by violation rating (critical, warning) to manage volume.

Contact kyra@seekerslab.com for support.