Hello Kaikai,
I believe you've identified one or more problems already. As you suspect, anything not specified (or missing in the config) at the followed action level, at the action set level, or in the base level of the action interface that's required to deliver the information to your Splunk collector/instance(s) will be a problem.
If I may recommend, starting with the definition of Action Interfaces, the creation or definition of Actions Sets, and then Followed Actions, and assigning those followed actions has long been a best practice recommendation from myself and our consulting / professional services organization as part of a new deployment, etc... It's a good place to start, and I know that all of your direct and inferred questions will be answered in that section. Example documentation portal pages to start at include:
- Working with Action Sets and Followed Actions
- https://docs.imperva.com/bundle/v15.1-web-application-firewall-user-guide/page/Working_with_Action_Sets_and_Followed_Actions.htm
- Action Interfaces
- https://docs.imperva.com/bundle/v15.1-waf-administration-guide/page/6785.htm
- Action Interface Types
- https://docs.imperva.com/bundle/v15.1-web-application-firewall-user-guide/page/2403.htm
- Logging System Events for Auditing
- https://docs.imperva.com/bundle/v15.1-waf-administration-guide/page/58987.htm
- WAF API Reference Guide (*see action interfaces, followed actions, interface types, system events, etc.)
- https://docs.imperva.com/bundle/v15.1-waf-api-reference-guide/page/61914.htm
Separately, your professional services, DSE, or TAM engineer can assist you rather quickly.
If you'd like to share any obfuscated screenshots of your interface definition/setup/etc. we'd be happy to try and help out here in the community. My recommendation would be to mask or blur out any sensitive information like the first three octets of an IP address, etc...
Looking forward to hearing back from you soon!
Thanks,
------------------------------
John Thompson
Director, Channel Presales
Imperva
San Diego CA
------------------------------
Original Message:
Sent: 04-10-2024 02:58
From: kaikai Guo
Subject: Log system event to system log
Recently, I found that the WAF system event log was not sent to splunk. It turned out that the "followed action" of the system event was not configured.However, during the configuration process, I have some questions about the configuration items in the action set:
The configuration item of Log system event to system log does not contain port or protcol, but only host. In this case, can logs be accurately sent to the correct log receiving service
What happens to the different options for "Facility", such as user, syslog, and so on?
My final goal is to forward WAF system event logs to splunk logging platform. Is there any other feasible solution?
#On-PremisesWAF(formerlySecuresphere)
#RASP
------------------------------
kaikai Guo
cyber security engineer
Wuxi Apptec
Shanghai MN
------------------------------