F5 ASM file that logs its admin activities

We use F5 Application Security Manager (ASM) as our WAF.

Q1:
Which log or file in ASM logs the ASM admin's activities?

Q2:
Can these logs/events be forwarded to Splunk or a syslog?
sunhux Asked:

btan (Exec Consultant) Commented:
1. ASM logs system and administrative events in /var/log/asm and syslog. As a matter of fact, /var/log/asm logs all the ASM events, and dissecting out the admin ones is sheer manual eyeballing. See the storage format: https://support.f5.com/csp/article/K9435

In the larger picture, all log files for the various event types are in the /var/log directory. So as not to miss admin access and actions, other logs for management access and audit should be reviewed too.
The audit log messages generated by the BIG-IP system include the following types of information:

<time stamp> <host name> <level> <service[pid]> <message code> <user> <event>
https://support.f5.com/csp/article/K16197

So an example of an admin logon passing or failing is found in the audit log. See this example, where unsuccessful command-line login attempts simultaneously generate two messages:

Logged to the /var/log/audit file:
root    0-0    sshd(pam_audit): User=root tty=ssh host=192.168.10.10 failed to login after 1 attempts (start="Mon Jul 6 10:19:10 2009" end="Mon Jul 6 10:19:14 2009").:

Logged to the /var/log/secure file:
Jul  6 10:19:14 local/abasm err sshd[24600]: error: PAM: Authentication failure for root from 192.168.10.10

https://support.f5.com/csp/article/K13426

2. To send logging data to a log server or maybe a SIEM like ArcSight, you need to create a logging profile and select ArcSight (Common Event Format) as the logging format. Go to Security > Event Logs > Logging Profiles, enable Application Security, enable Remote Storage, and then select your destination server. But as a matter of fact, this can only log security-related events to a remote destination.
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/12.html

This is a best effort to achieve your ideal state. Do open a case with F5 support, and I am sure they can drill down into the specifics to cater to such needs; it should not be news, and should not introduce another privileged identity mgmt solution where possible.
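One way to replace the manual eyeballing for the failed-login case above, as an added example that is not part of the original answer or any F5 tooling. The regexes are inferred only from the two sample lines quoted in the answer, the second audit line is constructed, and treating an audit record with no /var/log/secure twin as worth review is an assumption.

```python
import re
from collections import Counter

# pam_audit failure as written to /var/log/audit (shape inferred from the answer's sample)
AUDIT_RE = re.compile(
    r'\w+\(pam_audit\): User=(?P<user>\S+) tty=(?P<tty>\S+) host=(?P<host>\S+) '
    r'failed to login after (?P<attempts>\d+) attempts '
    r'\(start="(?P<start>[^"]+)" end="(?P<end>[^"]+)"\)')
# sshd PAM failure as written to /var/log/secure (shape inferred from the answer's sample)
SECURE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \w+ sshd\[\d+\]: error: PAM: '
    r'Authentication failure for (?P<user>\S+) from (?P<host>\S+)')

AUDIT_SAMPLE = [
    # line quoted in the answer
    'root    0-0    sshd(pam_audit): User=root tty=ssh host=192.168.10.10 failed to login '
    'after 1 attempts (start="Mon Jul 6 10:19:10 2009" end="Mon Jul 6 10:19:14 2009").:',
    # constructed line (hypothetical user and documentation-range address)
    'admin    0-0    sshd(pam_audit): User=admin tty=ssh host=192.0.2.44 failed to login '
    'after 3 attempts (start="Tue Jul 7 02:11:03 2009" end="Tue Jul 7 02:11:20 2009").:',
]
SECURE_SAMPLE = [  # line quoted in the answer
    'Jul  6 10:19:14 local/abasm err sshd[24600]: error: PAM: '
    'Authentication failure for root from 192.168.10.10',
]

def parse_audit(line):
    m = AUDIT_RE.search(line)
    if not m:
        return None
    _dow, mon, day, clock, _year = m["end"].split()
    return {"user": m["user"], "host": m["host"],
            "attempts": int(m["attempts"]), "when": (mon, int(day), clock)}

def parse_secure(line):
    m = SECURE_RE.search(line)
    if not m:
        return None
    mon, day, clock = m["ts"].split()  # syslog stamp has no year and a space-padded day
    return {"user": m["user"], "host": m["host"], "when": (mon, int(day), clock)}

def failed_admin_logins(audit_lines, secure_lines):
    """Total failed attempts per (user, host); list audit events with no secure-log twin."""
    seen = {(e["user"], e["host"], e["when"]) for e in map(parse_secure, secure_lines) if e}
    totals, unmatched = Counter(), []
    for e in filter(None, map(parse_audit, audit_lines)):
        totals[(e["user"], e["host"])] += e["attempts"]
        if (e["user"], e["host"], e["when"]) not in seen:
            unmatched.append(e)
    return totals, unmatched
```
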