Forum Discussion

raghav_rao_2526
Aug 03, 2016

No Event logs for particular policy

Hi,

 

We are facing a strange issue where, for one particular ASM policy, we are not getting any Event logs and there are no alerts in Manual Traffic Learning. However, all the logs from ASM are pushed to ArcSight.

 

We have a dedicated ArcSight team, who are raising alerts saying that from source IP "x.x.x.x" we are seeing SQLi, path traversal, XSS attacks and so on. When we navigate to the event logs to filter the illegal requests from "x.x.x.x", we are not seeing any events / alerts. We also checked Manual Traffic Learning; nothing is populated there either. Could someone kindly give any pointers on how to solve this issue? Let us know if anything else is needed.

 

PS: The ASM policy is currently in Transparent mode and the response codes for the above-mentioned attacks are 404.

 

Best, Raghav

 

  • could be several things.

     

    are you logging locally on the big-ip at all?

     

    the ArcSight team could be reporting a different IP than the one logged in the ASM logs, do they or you use X-Forwarded-For headers?