Blumira’s modern cloud SIEM platform integrates with F5 BIG-IP APM to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.
When configured, the Blumira integration with F5 BIG-IP APM will stream security event logs to the Blumira service for threat detection and actionable response.
The F5 BIG-IP load balancer supports sending syslog to one or more remote syslog servers. The method for updating your F5 depends on whether you are on version 10.x – 13.x or on an older version such as 9.x. None of the changes below should impact your system.
Depending on the version of your device, you can use the Configuration Utility to add a new remote syslog server through the GUI if desired.
If you are on 10.x, or you prefer to make CLI-based changes to the device for security and change control purposes, run the following commands.
tmsh
modify /sys syslog remote-servers add { blumirasensor { host <Blumira Sensor IP> remote-port 514 }}
For example, to add Blumira Sensor at 10.1.1.1, type the following command:
modify /sys syslog remote-servers add { blumirasensor { host 10.1.1.1 remote-port 514 }}
save /sys config
In some cases, as referred to in the GUI-based steps, you may need to define the local IP of the BIG-IP system. Here is the CLI method for setting the IP address that syslog binds to when sending logs.
tmsh
modify /sys syslog remote-servers modify { blumirasensor { local-ip <IP address> }}
For example, to configure the BIG-IP syslog to bind to 172.1.1.1 when sending logs to the Blumira sensor, type the following command:
modify /sys syslog remote-servers modify { blumirasensor { local-ip 172.1.1.1 }}
Note: For BIG-IP systems in an HA configuration, the non-floating self IP address is recommended if using a TMM-based IP address.
save /sys config
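The following Python check is an added example, not part of the Blumira or F5 documentation: it takes (source IP, payload) pairs captured on the sensor host and confirms that messages arrive from the address set with local-ip. It assumes UDP transport and RFC 3164-style lines with a leading <PRI> field; the function name check_datagrams, the host name bigip1 and the sample datagrams are constructed for illustration.

```python
import ipaddress
import re

# RFC 3164-style message: "<PRI>" prefix, where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def check_datagrams(datagrams, expected_source):
    """Classify captured (source_ip, payload) pairs against the address the
    BIG-IP was told to bind to with local-ip. Returns a summary dict."""
    expected = ipaddress.ip_address(expected_source)
    summary = {"ok": 0, "wrong_source": [], "malformed": 0, "severities": {}}
    for src, payload in datagrams:
        m = PRI_RE.match(payload)
        # The highest valid PRI is 191 (facility 23, severity 7).
        if m is None or int(m.group(1)) > 191:
            summary["malformed"] += 1
            continue
        if ipaddress.ip_address(src) != expected:
            # Possible causes: local-ip not set, or a floating self IP
            # in use on an HA pair (see the note above).
            summary["wrong_source"].append(src)
            continue
        severity = int(m.group(1)) % 8
        summary["severities"][severity] = summary["severities"].get(severity, 0) + 1
        summary["ok"] += 1
    return summary


# Constructed sample input; 172.1.1.1 is the local-ip from the example above.
SAMPLE = [
    ("172.1.1.1", b"<134>Jan  1 00:00:00 bigip1 tmm[1234]: constructed sample"),
    ("172.1.1.1", b"<86>Jan  1 00:00:01 bigip1 sshd[2222]: constructed sample"),
    ("172.1.1.50", b"<134>Jan  1 00:00:02 bigip1 tmm[1234]: constructed sample"),
    ("172.1.1.1", b"not a syslog line"),
]

if __name__ == "__main__":
    print(check_datagrams(SAMPLE, "172.1.1.1"))
```

Any entry in wrong_source means the sensor is seeing a source address other than the configured local-ip, which can break source-based attribution of the logs.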
Refer to https://support.f5.com/csp/article/K5527 for the specific version being run. If you are using these versions, we strongly recommend updating because they are at end-of-life per https://support.f5.com/csp/article/K5903.