Overview
Blumira’s modern cloud SIEM platform integrates with F5 BIG-IP Access Policy Manager (APM) to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.
When configured, the Blumira integration with F5 BIG-IP APM streams security event logs to the Blumira service for threat detection and actionable response.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Obtain the IP address of your Blumira sensor to use when configuring the external service.
To gather the IP address of the sensor:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring log forwarding in F5 BIG-IP APM
The F5 BIG-IP load balancer supports sending syslog to one or more remote syslog servers. The steps to update your F5 depend on whether you are on version 10.x – 13.x or on an older version such as 9.x. None of the changes below should impact your system.
BIG-IP 11.1.0 – 13.x
On these versions, you can use the Configuration utility to add a new remote syslog server via the GUI if desired.
- Log on to the Configuration utility.
- Navigate to System > Logs > Configuration > Remote Logging.
- In the Remote IP text box, type the Blumira sensor's IP address.
- In the Remote Port text box, type 514 (Default UDP).
- In the Local IP text box, type the local IP address of the BIG-IP system.
Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM) based IP address.
- Click Add.
- Click Update.
- For BIG-IP systems in a high availability (HA) configuration, repeat all previous steps for each device in the device group.
BIG-IP 10.x – 13.x
If you are on 10.x, or if you prefer CLI-based changes to the device for security and change control purposes, run the following commands.
- Log in to the TMOS Shell (tmsh) by typing the following command:
tmsh
- To add a single remote syslog server, use the following command syntax:
modify /sys syslog remote-servers add { blumirasensor { host <Blumira Sensor IP> remote-port 514 }}
For example, to add Blumira Sensor at 10.1.1.1, type the following command:
modify /sys syslog remote-servers add { blumirasensor { host 10.1.1.1 remote-port 514 }}
- To save the configuration, type the following command:
save /sys config
- For BIG-IP systems in an HA configuration, repeat all previous steps for each device in the device group.
In some cases, as noted in the GUI-based steps, you may need to define the Local IP of the BIG-IP system. The following CLI steps set the IP address that syslog binds to when sending logs.
- Log in to tmsh by typing the following command:
tmsh
- To configure the IP address that the BIG-IP syslog binds to when sending logs to the remote syslog server, use the following command syntax:
modify /sys syslog remote-servers modify { blumirasensor { local-ip <IP address> }}
For example, to configure the BIG-IP syslog to bind to 172.1.1.1 when sending logs to the Blumira sensor, type the following command:
modify /sys syslog remote-servers modify { blumirasensor { local-ip 172.1.1.1 }}
Note: For BIG-IP systems in an HA configuration, the non-floating self IP address is recommended if using a TMM based IP address.
- To save the configuration, type the following command:
save /sys config
- For BIG-IP systems in an HA configuration, repeat all previous steps for each device in the device group.
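Once forwarding is configured, the check a practitioner wants is that datagrams actually reach the sensor from the expected BIG-IP source address (the local-ip set above, which matters in HA so every peer is accounted for). The following receiver and parser is an added example, not part of Blumira's documentation or its sensor software; it assumes the sensor listens on UDP 514 and that 172.1.1.1 is the configured local-ip, and the sample datagram is constructed.

```python
import re
import socket
from dataclasses import dataclass

# Assumed (not from the page): sensor listens on UDP 514; BIG-IP local-ip is 172.1.1.1.
EXPECTED_SOURCES = {"172.1.1.1"}

# BSD syslog (RFC 3164) shape that BIG-IP emits by default: <PRI>TIMESTAMP HOST MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str
    source_ip: str  # UDP source address as seen by the sensor

def parse_syslog(datagram: bytes, source_ip: str):
    """Parse one UDP datagram; return None if it is not well-formed syslog."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 and severity 0..7 only
        return None
    return SyslogEvent(pri >> 3, pri & 7, m.group("ts"), m.group("host"),
                       m.group("msg"), source_ip)

def check_event(ev: SyslogEvent, expected=EXPECTED_SOURCES):
    """Return findings an operator would act on; an empty list means as expected."""
    findings = []
    if ev.source_ip not in expected:  # wrong local-ip, or an HA peer not yet configured
        findings.append(f"unexpected source {ev.source_ip} for host {ev.host}")
    if ev.severity <= 3:  # emerg/alert/crit/err
        findings.append(f"severity {ev.severity} from {ev.host}: {ev.message}")
    return findings

def serve(bind_ip="0.0.0.0", port=514, max_datagrams=10):
    # Receive a few datagrams and report them; binding port 514 requires root.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        for _ in range(max_datagrams):
            data, (src, _) = sock.recvfrom(65535)
            ev = parse_syslog(data, src)
            print(check_event(ev) if ev else f"unparseable datagram from {src}")

# Constructed sample datagram (not real BIG-IP output) for offline testing.
SAMPLE = (b"<134>Jun  5 12:00:01 bigip1 apmd[1234]: constructed APM session event", "172.1.1.1")
```

Run `serve()` on the sensor while the BIG-IP is forwarding; any "unexpected source" finding points at a missing local-ip or an HA peer that was not configured.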
BIG-IP 9.x
Refer to https://support.f5.com/csp/article/K5527 for the specific version you are running. If you are using one of these versions, we strongly recommend updating, because they are at end-of-life per https://support.f5.com/csp/article/K5903.