Integrating with F5 BIG-IP Access Policy Manager

Overview

Blumira’s modern cloud SIEM platform integrates with F5 BIG-IP Access Policy Manager (APM) to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.

When configured, the Blumira integration with F5 BIG-IP APM streams security event logs to the Blumira service for threat detection and actionable response.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Configuring log forwarding in F5 BIG-IP APM

The F5 BIG-IP load balancer supports sending syslog to one or more remote syslog servers. The method used to update your F5 depends on whether you are on version 10.x – 13.x or on an older version such as 9.x. None of the changes below should impact your system.

BIG-IP 11.1.0 – 13.x

On these versions, you can use the Configuration Utility to add a new remote syslog server through the GUI if desired.

  1. Log on to the Configuration utility.
  2. Navigate to System > Logs > Configuration > Remote Logging.
  3. In the Remote IP text box, type the Blumira sensor's IP address.
  4. In the Remote Port text box, type 514 (the default UDP syslog port).
  5. In the Local IP text box, type the local IP address of the BIG-IP system.
    Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM) based IP address.
  6. Click Add.
  7. Click Update.
  8. For BIG-IP systems in a high availability (HA) configuration, repeat all previous steps for each device in the device group.

BIG-IP 10.x – 13.x

If you are on 10.x, or if you prefer to make CLI-based changes to the device for security and change-control purposes, run the following commands.

  1. Log in to the TMOS Shell (tmsh) by typing the following command:
    tmsh
  2. To add a single remote syslog server, use the following command syntax:
    modify /sys syslog remote-servers add { blumirasensor { host <Blumira Sensor IP> remote-port 514 }}

    For example, to add Blumira Sensor at 10.1.1.1, type the following command:

    modify /sys syslog remote-servers add { blumirasensor { host 10.1.1.1 remote-port 514 }}
  3. To save the configuration, type the following command:
    save /sys config
  4. For BIG-IP systems in a HA configuration, repeat all previous steps for each device in the device group.

In some cases, as noted in the GUI-based steps, you may need to define the Local IP of the BIG-IP system. The following CLI procedure sets the IP address that syslog binds to when sending logs.

  1. Log in to tmsh by typing the following command:
    tmsh
  2. To configure the IP address that the BIG-IP syslog binds to when sending logs to the remote syslog server, use the following command syntax:
    modify /sys syslog remote-servers modify { blumirasensor { local-ip <IP address> }}

    For example, to configure the BIG-IP syslog to bind to 172.1.1.1 when sending logs to the Blumira sensor, type the following command:

    modify /sys syslog remote-servers modify { blumirasensor { local-ip 172.1.1.1 }}

    Note: For BIG-IP systems in a HA configuration, the non-floating self IP address is recommended if using a TMM based IP address.

  3. To save the configuration, type the following command:
    save /sys config
  4. For BIG-IP systems in a HA configuration, repeat all previous steps for each device in the device group.
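
Once the remote server is configured, a practical check on the sensor side is that datagrams actually arrive on UDP 514 from the non-floating self IP of each HA device, with the hostname in the syslog header matching the sender. The script below is an added example (not Blumira or F5 code); it assumes RFC 3164-style syslog lines from the BIG-IP and uses a constructed map of self IPs to hostnames.

```python
"""Verify on the Blumira sensor that BIG-IP syslog arrives as expected.

Added example, not Blumira or F5 code. Assumes the sensor listens on UDP 514
(the page's default), that the BIG-IP emits RFC 3164-style lines, and that
EXPECTED_SOURCES is a constructed map of non-floating self IPs -> hostnames
for the HA device group.
"""
import re
import socket
from typing import Optional

# Constructed sample values: non-floating self IP of each HA device.
EXPECTED_SOURCES = {"172.1.1.1": "bigip1", "172.1.1.2": "bigip2"}

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOST MESSAGE"
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def parse_syslog(line: str) -> Optional[dict]:
    """Split a syslog line into facility, severity, host and message."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # valid PRI range is 0..191 (facility 0..23, severity 0..7)
        return None
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "msg": m.group("msg")}


def check_source(src_ip: str, line: str) -> str:
    """Classify one datagram: ok, unexpected-source, host-mismatch or unparsable."""
    rec = parse_syslog(line)
    if rec is None:
        return "unparsable"
    if src_ip not in EXPECTED_SOURCES:
        return "unexpected-source"  # e.g. a floating self IP or an unknown sender
    if EXPECTED_SOURCES[src_ip] != rec["host"]:
        return "host-mismatch"      # an HA peer sending with the wrong local-ip
    return "ok"


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog and print one verdict per datagram (port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(8192)
        print(src_ip, check_source(src_ip, data.decode("utf-8", "replace").rstrip("\n")))


if __name__ == "__main__":
    listen()
```

A "host-mismatch" verdict for a device indicates that the local-ip set above does not correspond to that device's own self IP, which matters because Blumira attributes events by sender.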

BIG-IP 9.x

Refer to https://support.f5.com/csp/article/K5527 for the specific version you are running. If you are using these versions, we strongly recommend upgrading, because they are end-of-life per https://support.f5.com/csp/article/K5903.