
How can I check whether f5 plugin parsing is working properly or not?

mmhein

New Life Form
* I check like this that events are occurring.
tail -f  /var/log/alienvault/agent/agent.log | grep f5

Alienvault-Agent[INFO]: f5[1614] Total lines [14431] TotalEvents:[14431]  EPS: [5.40] elapsed [10.01] seconds
Alienvault-Agent[INFO]: f5[1614] Total lines [14431] TotalEvents:[14431]  EPS: [5.30] elapsed [10.00] seconds

* Logs in /var/log/f5.log have also arrived.

$ But the SIEM dashboard only shows event type id 200000. How can I see Login / Logout authentication in the SIEM dashboard?


Answers

  • I already tested with raw logs and the regular expression, and it also matches... How can I troubleshoot?


  • Greetings @mmhein,

    I don't quite know the whole scenario. Do you have the per-asset plugin f5 enabled on your asset? If so, is it Receiving Data? If the plugin does exist and it IS receiving data, then the problem is with the parsing. Try going to SIEM events, filtering by Payload, and including a phrase in that log (i.e. partition=[All]) to see if such an event exists.

    Best Regards.
    Lord Odin
  • Yes, data is being received as a raw log. I also think the main problem may be parsing... How can I check for this, bro? Could you give me an idea of how I can do that? Thanks a lot to you.

    Best Regards,
    Myo Min Hein
  • Greetings @mmhein,

    If you can see the raw logs, then the plugin is not parsing the data to be viewed in SIEM. It MIGHT be related to the name of your device not being resolved to an IP. Try the 'nslookup asset_name' command on your CLI to see if AlienVault is resolving this asset name to a valid IP address. If you get a server error, then you would know it's a DNS resolving issue.


    Best Regards.
    Lord Odin