Tag: F5 ASM

Intro
I write this knowing I still don’t know anything to speak of about syslog, but, sometimes you gotta act without knowing. I needed to send syslog to somewhere in a big hurry so I figured out the absolute minimum I needed to do to get it running on one of my other systems.

The details
This all started because of a deficiency in the F5 ASM. At best it’s do slow when looking through the error log. But in particular there was one error that always timed out when I tried to bring up the details, a severity 5 error, so it looked pretty important. Worse, local logging, even though it is selected, also does not work – the /var/log/asm file exists but contains basically nothing of interest. I suppose there is some super-fancy and complicated MySQL command you could run to view the logs, but that would take a long time to figure out.

So for me the simplest route was to enable remote syslog on a Linux server and send the ASM logging to it. This seems to be working, by the way.

The minimal steps
Again, this was for Suse Enterprise Linux running syslog-ng.

1. modify /etc/sysconfig/syslog as per the next step
2. SYSLOGD_PARAMS=”-r”
3. modify /etc/syslog-ng/syslog-ng.conf as per the next step
4. uncomment this line: udp(ip(“0.0.0.0”) port(514));
5. launch yast (I use curses-based yast [no X-Windows] which is really cantankerous)
6. go to Security and Users -> Firewall -> Allowed services -> Internal Zone -> Advanced
7. add udp port 514 as additional allowed Ports in internal zone and save it
8. service syslog stop
9. service syslog start
10. You should start seeing entries in /var/log/localmessages as in this suitably anonymized example (I added a couple line breaks for clarity:

Jul 27 14:42:22 f5-drj-mgmt ASM:"7653503868885627313","50.17.188.196","/Common/drjohnstechtalk.com_profile","blocked","/drjcrm/bi/tjhmore345","0","Illegal URL,Attack signature detected","200021075","Automated client access ""curl""","US","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>44e7f1ffebff2dfb-8000000000000000</block><alarm>44f7f1ffebff2dfb-8000000000000000</alarm><learn>44e7f1ffe3ff2dfb-8000000000000000</learn><staging>0000000000000000-0000000000000000</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>request</context><sig_data><sig_id>200021075</sig_id>
<blocking_mask>7</blocking_mask><kw_data><buffer>VXNlci1BZ2VudDogY3VybC83LjE5LjcgKHg4Nl82NC1yZWRoYXQtbGludXgtZ251KSBsaWJjdXJsLzcuMTkuNyBOU1MvMy4yNy4xIHpsaWIvMS4yLjMgbGliaWRuLzEuMTggbGlic3NoMi8xLjQuMg0KSG9zdDogYWctaW50ZWw=</buffer>
<offset>0</offset><length>16</length></kw_data></sig_data></violation><violation><viol_index>38</viol_index>
<viol_name>VIOL_URL</viol_name></violation></request-violations></BAD_MSG>","GET /drjcrm/bi/tjhmore345 HTTP/1.1\r\nUser-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2\r\nHost: drjohnstechtalk.com\r\nAccept: */*\r\n\r\n"

Observations
Interestingly, there is no syslogd on this particular system, and yet the “-r” flag is designed for syslogd – it’s what turns it into a remote syslogging daemon. And yet it works.

It’s easy enough to log these messages to their own file, I just don’t know how to do it yet because I don’t need to. I learn as I need to. just as I learned enough to publish this tip.

Conclusion
We have demonstrated activating the simplest possible remote syslogger on Suse Linux Enterprise Server.