F5 Application Security Module (ASM)

SamurAI [Local] Collector	SamurAI [Cloud] Collector

This guide describes the steps required to configure F5 Application Security Module to send logs to a Samurai Local Collector deployed in your network.

Ensure correct network connectivity

You must ensure the following connectivity requirements are fulfilled:

Source	Destination	Ports	Description
BIG-IP ASM	Samurai Local Collector	TCP/514	For log transmission

To send ASM logs to a Samurai Local Collector

Follow the steps outlined in the F5 documentation:

Creating a logging profile

Follow each section outlined below. If you have already created a logging profile navigate to the next section:

Creating a logging profile
Setting up remote logging
Associating a logging profile with a security policy

Perform the below settings adjustments as you work through the steps. In case a setting property is not referenced below, simply use the default value.

Application Security: Application Security Checkbox (Enabled)

When enabled, additional Application Security fields will be displayed. Use the parameters outlined below when completing the additional fields:

Remote Storage: Checkbox enabled
Logging Format: Key-Value Pairs
Protocol: TCP
Server Addresses: IP address of your Samurai local collector
Server Addresses Port: 514
Storage Filter Request Type: All Requests

Ensure you associate the logging profile with the relevant security policy by following the steps in the F5 documentation.

Please note that All Requests may fill up local storage, causing logs to be rotated out rapidly, therefore ensure remote logging is enabled as above and advised by F5 best practices. You can read more at ASM Event Logging - Best Practices and General Recommendations

For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the SamurAI MDR portal as we auto detect the vendor and product. The only reason you need to use the SamurAI MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the SamurAI MDR Portal and we shall get it updated.