This is community supported repo providing ELK based dashboards for F5 WAFs.

ELK stands for elasticsearch, logstash, and kibana. Logstash receives logs from the F5 WAF, normalizes them and stores them in the elasticsearch index. Kibana allows you to visualize and navigate through logs using purpose built dashboards.

The provided Kibana dashboards require a minimum version of 7.4.2. If you are using the provided docker-compose.yaml file, this version requirement is met.

It is assumed you will be running ELK using the Quick Start directions below. The template in "logstash/conf.d" will create a new logstash pipeline to ingest logs and store them in elasticsearch. If you use the supplied docker-compose.yaml, this template will be copied into the docker container instance for you. Once the WAF logs are being ingested into the index, you will need to import files from the kibana folder to create all necessary objects including the index pattern, visualization and dashboards.

Use docker-compose to deploy your own ELK stack.

$ docker-compose -f docker-compose.yaml up -d

NOTE

The ELK stack docker container will likely exceed the default host's virtual memory system limits. Use these directions to increase this limit on the docker host machine. If you do not, the ELK container will continually restart itself and never fully initialize.

Import dashboards to kibana through UI (Kibana->Management->Saved Objects) or use API calls below.

KIBANA_URL=https://your.kibana:5601
jq -s . kibana/overview-dashboard.ndjson | jq '{"objects": . }' | \
curl -k --location --request POST "$KIBANA_URL/api/kibana/dashboards/import" \
    --header 'kbn-xsrf: true' \
    --header 'Content-Type: text/plain' -d @- \
    | jq

jq -s . kibana/false-positives-dashboards.ndjson | jq '{"objects": . }' | \
curl -k --location --request POST "$KIBANA_URL/api/kibana/dashboards/import" \
    --header 'kbn-xsrf: true' \
    --header 'Content-Type: text/plain' -d @- \
    | jq

The logstash log ingestion pipeline in this solution assumes that you have configured NGINX App Protect to use the default log format, which is essentially a comma-delimited scheme. If you are using a custom logging profile JSON file, be sure that the default format is being used. Also, ensure that the logging destination in the app_protect_security_log directive in your nginx.conf file is configured with the hostname or ip address of the logstash instance, and the correct TCP port (the default in this solution is 5144). Take a look to official docs for examples.

NOTE The logstash listener in this solution is configured to listen for TCP syslog messages on a custom port (5144). If you have deployed NGINX App Protect on an SELinux protected system (such has Red Hat or CentOS), you will need to configure SELinux to allow remote syslog messages on a custom port. See the configuration instructions for an example of how to accomplish this.

BIG-IP logging profile must be configured to use "splunk" logging format.

# tmsh list security log profile LOG_TO_ELK

security log profile LOG_TO_ELK {
    application {
            ...omitted...
            remote-storage splunk
            servers {
                logstash.domain:logstash-port { }
            }
        }
    }
}

• NGINX App Protect
• BIG-IP ASM, Advanced WAF