Forum Discussion
This is part of ASM, and if you create a better ASM logging profile for remote logging, this will be shared to Graylog. They can create alerts from Graylog events.
https://my.f5.com/manage/s/article/K000138970
Logging - https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/12.html
- igor_ Sep 06, 2024 Cirrus
Thanks, but why can't F5 BIG-IP send an email alert in real-time, without doing this on another system? Can this be done too?
And not just setting reporting to every 6, 12, 24 hours.
BR,
Igor
- Nikoolayy1 Sep 08, 2024 MVP
You have to ask why F5 doesn’t want to do it. If you give the users the option to send emails in real time, then if you have 100 attacks a second you will get 100 emails and overutilize your F5 device, as it has to generate emails and the F5 device is not made for mass sending of emails in real time. Most vendors don't even send emails in the form of reports, so for me this is enough as an F5 capability. For real-time emails, this is what a SIEM like Splunk or ELK is for: to get the logs from many systems and generate alarms and emails. Nowadays an XSOAR SIEM can even use the API to block the bad IP addresses detected by the F5 ASM/AWAF at the edge firewall or even at the scrubbing center level.
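An added example, not part of any post in this thread and not F5 or Graylog code: a log-receiver-side digest that turns a burst of ASM events into one alert per source IP and attack type per time window, instead of one notification per event. The line layout and the field names `ip_client`, `attack_type` and `request_status` are assumptions; match them to what your remote logging profile actually emits.

```python
import re
from collections import Counter
from datetime import datetime

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Split '<iso-timestamp> <host> ASM: k="v" ...' into a dict, or None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0]).timestamp()
    except ValueError:
        return None
    fields = dict(KV.findall(parts[2]))
    # Field names are assumed; drop events that lack the keys we group on.
    if "ip_client" not in fields or "attack_type" not in fields:
        return None
    fields["ts"] = ts
    return fields

def digest_alerts(lines, window_s=60, min_events=1):
    """Return one alert per (window, source IP, attack type) instead of one per event."""
    buckets = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable lines are skipped, not alerted on
        window_start = int(ev["ts"] // window_s) * window_s
        buckets[(window_start, ev["ip_client"], ev["attack_type"])] += 1
    return [
        {"window_start": w, "ip_client": ip, "attack_type": at, "events": n}
        for (w, ip, at), n in sorted(buckets.items())
        if n >= min_events
    ]

def build_sample():
    """Constructed input: 100 events in one second from one IP, one other event, one bad line."""
    burst = ['2024-09-08T10:00:00+00:00 bigip1 ASM: ip_client="203.0.113.7" '
             'attack_type="SQL-Injection" request_status="blocked"'] * 100
    other = ['2024-09-08T10:00:30+00:00 bigip1 ASM: ip_client="198.51.100.9" '
             'attack_type="Cross Site Scripting (XSS)" request_status="blocked"']
    return burst + other + ["garbage line"]

if __name__ == "__main__":
    for alert in digest_alerts(build_sample()):
        print(alert)
```

Raising `min_events` suppresses low-volume noise, and each returned alert is what would be handed to the mailer or ticketing step.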