Integrating F5 Big-IP With Blumira

Blumira’s Next-Generation SIEM platform integrates with F5 BIG-IP APM to detect cybersecurity threats and provide an automated or actionable response to remediate a threat when one is detected.

Once configured, the Blumira integration with F5 BIG-IP APM streams security event logs to the Blumira service for threat detection and actionable response.

Configuration Instructions

The F5 BIG-IP load balancer supports sending syslog to one or more remote syslog servers. The method for updating your F5 depends on whether you are running version 10.x – 13.x or an older version such as 9.x. None of the changes below should impact your system.

BIG-IP 11.1.0 – 13.x

On these versions, you can use the Configuration utility to add a new remote syslog server through the GUI if desired.

  1. Log on to the Configuration utility.
  2. Navigate to System > Logs > Configuration > Remote Logging.
  3. Enter the Blumira Sensor server IP address in the Remote IP text box.
  4. Enter 514 (the default UDP syslog port) in the Remote Port text box.
  5. Enter the local IP address of the BIG-IP system in the Local IP text box. Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM)-based IP address.
  6. Click Add.
  7. Click Update.
  8. For BIG-IP systems in a high availability (HA) configuration, repeat all previous steps for each device in the device group.

BIG-IP 10.x – 13.x

If you are on 10.x, or you prefer CLI-based changes to the device for security and change-control purposes, run the following commands.

  1. Log in to the TMOS Shell (tmsh) by typing the following command:
    tmsh
  2. To add a single remote syslog server, use the following command syntax:
    modify /sys syslog remote-servers add { blumirasensor { host <Blumira Sensor IP> remote-port 514 }}

    For example, to add Blumira Sensor at 10.1.1.1, type the following command:

    modify /sys syslog remote-servers add { blumirasensor { host 10.1.1.1 remote-port 514 }}
  3. To save the configuration, type the following command:
    save /sys config
  4. For BIG-IP systems in a HA configuration, repeat all previous steps for each device in the device group.

In some cases, as noted in the GUI-based steps, you may need to define the local IP of the BIG-IP system. Here is the CLI method for setting the IP address that syslog binds to when sending logs.

  1. Log in to tmsh by typing the following command:
    tmsh
  2. To configure the IP address that the BIG-IP syslog binds to when sending logs to the remote syslog server, use the following command syntax:
    modify /sys syslog remote-servers modify { blumirasensor { local-ip <IP address> }}

    For example, to configure the BIG-IP syslog to bind to 172.1.1.1 when sending logs to the Blumira sensor, type the following command:

    modify /sys syslog remote-servers modify { blumirasensor { local-ip 172.1.1.1 }}

    Note: For BIG-IP systems in an HA configuration, the non-floating self IP address is recommended if using a TMM-based IP address.

  3. To save the configuration, type the following command:
    save /sys config
  4. For BIG-IP systems in a HA configuration, repeat all previous steps for each device in the device group.
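The two CLI procedures above can be wrapped so they are safe to re-run and can be checked afterwards. The following is an added example, not Blumira or F5 code: it validates the addresses, emits the tmsh commands (using modify instead of add when the blumirasensor entry already exists, since add fails on an existing name), and verifies a tmsh list output. The sample list output and the IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from Blumira or F5). Run the emitted commands inside tmsh
# on the BIG-IP; the functions themselves only build and check text.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit tmsh commands for sensor IP $1, port $2, optional local IP $3.
# $4 is the current "list /sys syslog remote-servers" output: if the
# blumirasensor entry already exists, "add" would fail, so "modify" is used.
build_tmsh_cmds() {
    sensor="$1"; port="$2"; local_ip="$3"; current="$4"
    is_ipv4 "$sensor" || { echo "bad sensor IP: $sensor" >&2; return 1; }
    [ -z "$local_ip" ] || is_ipv4 "$local_ip" || { echo "bad local IP" >&2; return 1; }
    if echo "$current" | grep -q '^ *blumirasensor {'; then verb=modify; else verb=add; fi
    props="host $sensor remote-port $port"
    [ -z "$local_ip" ] || props="$props local-ip $local_ip"
    printf 'modify /sys syslog remote-servers %s { blumirasensor { %s } }\n' "$verb" "$props"
    printf 'save /sys config\n'
}

# Return 0 if the blumirasensor block in $1 (tmsh list output) carries
# host $2 and remote-port $3; used as the post-change check.
verify_remote_server() {
    block=$(echo "$1" | sed -n '/^ *blumirasensor {/,/^ *}/p')
    echo "$block" | grep -q "^ *host $2\$" && echo "$block" | grep -q "^ *remote-port $3\$"
}

# Constructed sample of "tmsh list /sys syslog remote-servers" after the change.
SAMPLE_LIST='sys syslog {
    remote-servers {
        blumirasensor {
            host 10.1.1.1
            local-ip 172.1.1.1
            remote-port 514
        }
    }
}'
```

On the device, feed the real output of `tmsh list /sys syslog remote-servers` to the functions in place of SAMPLE_LIST.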

BIG-IP 9.x

Refer to https://support.f5.com/csp/article/K5527 for the specific version you are running. If you are using these versions, we strongly recommend updating, as they are end of life (EOL) per https://support.f5.com/csp/article/K5903.