Integrate A10 ADC - Netsurion


Integrate A10 ADC
Publication Date: September 3, 2015

Abstract
This guide provides instructions to configure A10 ADC to send the event logs to EventTracker Enterprise. Once events are configured to send to EventTracker Manager, alerts, dashboards and reports can be configured into EventTracker.

Scope
The configurations detailed in this guide are consistent with EventTracker version 7.X and later, and A10 Application Delivery Controller AX/Thunder Series with ACOS 4.0 or later.

Audience
A10 ADC users, who wish to forward event logs to EventTracker Manager and monitor events using EventTracker SIEM.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Abstract
Scope
Audience
Overview
Prerequisites
Enable Syslog forwarding on A10 ADC
    Configure Syslog Server
    Configure ADC Logging
    aFlex Script for ADC Logging
EventTracker Knowledge Pack (KP)
    Categories
    Alerts
    Reports
    Knowledge Objects
Import Knowledge Pack into EventTracker
    Import Categories
    Import Alerts
    Import Tokens
    Import Flex Reports
    Import Token Templates
    Import Knowledge Object
Verify Knowledge Pack in EventTracker
    Verify Categories
    Verify Alerts
    Verify Tokens
    Verify Flex Reports
    Verify Token Templates
    Verify Knowledge Object
Create Dashboards in EventTracker
    Schedule Reports
    Create Dashlets
Sample Reports
Sample Dashboards

Overview
A10 Application Delivery Controller provides application availability and reliability by offering advanced server load balancing and flexible health monitoring capabilities. EventTracker examines imperative logs and leverages machine learning to identify application delivery traffic, configuration changes, user behavior and load balance events.

Prerequisites
- EventTracker v7.x and later should be installed.
- A10 Application Delivery Controller AX/Thunder Series running ACOS 4.0 or later should be installed.

Enable Syslog forwarding on A10 ADC

Configure Syslog Server
1. Log into the A10 ADC web UI.
2. Select Config System Settings.
3. In the menu bar, select Log.
4. In the Log Server field, enter the IP address of your EventTracker Manager.
5. Ensure that the Log Server Port is set to 514.
6. Leave all other settings at their default values.
7. Click OK.
Figure 1

NOTE: Please add port 514 to the firewall exceptions, if applicable.

Configure ADC Logging
1. Log into the A10 ADC web UI.
2. Navigate to Config Mode Service aFleX.
3. Type in the aFleX script given below and Save.
Figure 2

aFlex Script for ADC Logging
To configure application delivery logs, use the aFlex script given below:

when HTTP_REQUEST {
    # Set strings for the "client side"
    set time_client_request [clock seconds]
    set clicks_client_request [clock clicks -milliseconds]
    set date_time_request [clock format $time_client_request -format {%Y-%m-%d %H:%M:%S}]
    set c_ip [IP::client_addr]
    set cs_uri_stem [HTTP::host][HTTP::uri]
    set cs_method [HTTP::method]
    set s_ip [IP::local_addr]
    set s_port [TCP::local_port]
    set host [HTTP::host]
    set vip_ip [IP::local_addr]
    set vip_port [TCP::local_port]
    # Log "-" when the request carries no query string
    if {[HTTP::query] equals ""} {
        set cs_uri_query "-"
    } else {
        set cs_uri_query [HTTP::query]
    }
    if {[HTTP::header exists Content-Length]} {
        set cs_bytes [HTTP::header Content-Length]
    } else {
        set cs_bytes "-"
    }
    if {[HTTP::header exists Referer]} {
        set cs_Referer [HTTP::header "Referer"]
    } else {
        set cs_Referer "-"
    }
    # Replace spaces so the User-Agent stays a single space-delimited field
    set cs_UserAgent [string map {" " "_"} [HTTP::header "User-Agent"]]
}

when HTTP_RESPONSE {
    # Set strings for the "server side"
    set clicks_server_response [clock clicks -milliseconds]
    set sc_status [HTTP::status]
    if {[HTTP::header exists Content-Length]} {
        set sc_bytes [HTTP::header Content-Length]
    } else {
        set sc_bytes "-"
    }
    # Correct TCL Bug with floating point values:
    # format the elapsed milliseconds as seconds with three decimals
    set time_taken [expr {$clicks_server_response - $clicks_client_request}]
    if {$time_taken < 10} {
        set final_time_taken [string range "0.00$time_taken" 0 4]
    } elseif {$time_taken < 100} {
        set final_time_taken [string range "0.0$time_taken" 0 4]
    } elseif {$time_taken < 1000} {
        set final_time_taken [string range "0.$time_taken" 0 4]
    } else {
        # Takes only the first digit as whole seconds, so this branch
        # assumes a response time below 10 seconds
        set final_time_taken "[string index $time_taken 0].[string range $time_taken 1 3]"
    }
    # Format strings for logging
    set log_str "$date_time_request $c_ip $s_ip $s_port $cs_method $cs_uri_stem $cs_uri_query $vip_ip $vip_port $sc_status $sc_bytes $cs_bytes $final_time_taken $cs_UserAgent $cs_Referer"
    # write to syslog with Debug level
    log local0.7 $log_str
    # write to AX log (turn this on for troubleshooting only, as you may have a lot of requests / second)
    # log $log_str
}
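Added example, not part of the original guide or of EventTracker's parsing rules: a receiver-side check, in Python, of the space-delimited line that the aFleX script above writes to syslog. The URI, Referer and User-Agent values come from the client, so the check rejects any line whose field count or control characters mean the column layout cannot be trusted. It assumes the syslog header has already been stripped; the function name, field names and sample messages are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Field order of log_str in the aFleX script; the timestamp is two tokens.
FIELDS = ("date time c_ip s_ip s_port cs_method cs_uri_stem cs_uri_query vip_ip "
          "vip_port sc_status sc_bytes cs_bytes time_taken cs_useragent cs_referer").split()

def parse_adc_line(message):
    """Return (record, problems); record is None if the field layout cannot be trusted."""
    message = message.rstrip("\r\n")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in message):
        return None, ["control character in message"]
    # Split on single spaces so an empty field stays visible instead of shifting columns.
    tokens = message.split(" ")
    if len(tokens) != len(FIELDS):
        return None, ["expected %d fields, got %d" % (len(FIELDS), len(tokens))]
    rec = dict(zip(FIELDS, tokens))
    problems = ["%s is empty" % k for k, v in rec.items() if v == ""]
    try:
        datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        problems.append("bad timestamp")
    for key in ("c_ip", "s_ip", "vip_ip"):
        try:
            ipaddress.ip_address(rec[key])
        except ValueError:
            problems.append("%s is not an IP address" % key)
    for key in ("s_port", "vip_port", "sc_status"):
        if not re.fullmatch(r"[0-9]+", rec[key]):
            problems.append("%s is not numeric" % key)
    for key in ("sc_bytes", "cs_bytes"):
        if not re.fullmatch(r"[0-9]+|-", rec[key]):
            problems.append("%s is neither a number nor '-'" % key)
    if not re.fullmatch(r"[0-9]+\.[0-9]{3}", rec["time_taken"]):
        problems.append("time_taken is not in s.mmm form")
    return rec, problems

# Constructed sample messages (documentation address ranges, not real traffic).
# Assumes the script has already replaced spaces in the User-Agent value.
GOOD = ("2015-09-03 10:15:42 203.0.113.7 192.0.2.10 80 GET www.example.test/index.html - "
        "192.0.2.10 80 200 5120 - 0.042 Mozilla/5.0_(X11;_Linux) -")
# A Referer containing a space adds a 17th token and would shift every later column.
SPACED_REFERER = GOOD[:-1] + "http://example.test/a b"
# A request without a User-Agent header leaves that field empty (two adjacent spaces).
NO_USER_AGENT = GOOD.replace("Mozilla/5.0_(X11;_Linux)", "")

if __name__ == "__main__":
    for sample in (GOOD, SPACED_REFERER, NO_USER_AGENT):
        print(parse_adc_line(sample))
```

Lines that come back with `record` set to `None` are best kept raw and reviewed rather than fed into reports, since their columns no longer line up with the field names.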

EventTracker Knowledge Pack (KP)
Once logs are received in EventTracker, categories, alerts, reports and dashboards can be configured in EventTracker.
The following Knowledge Packs are available in EventTracker v7 and later to support A10 ADC monitoring:

Categories
- A10 ADC: Configuration Change - This category based report provides information related to configuration changes using GUI or CLI.
- A10 ADC: HA Events - This category based report provides information related to high availability events.
- A10 ADC: Management Service Status - This category based report provides information related to change in management service status.
- A10 ADC: Port Status Change - This category based report provides information related to change in port or trunk status.
- A10 ADC: Radius Server Error - This category based report provides information related to radius server error.
- A10 ADC: SLB Server Status - This category based report provides information related to change in load balancing server status.

Alerts
- A10 ADC: Configuration Change - This alert is generated when configuration is added, deleted or modified.
- A10 ADC: User Authentication Failed - This alert is generated when user authentication fails.

Reports
- A10 ADC - Application Delivery Traffic Details: This report provides information related to application servers accessed by various clients with application usage details.
- A10 ADC - Console Logon Success Details: This report provides information related to users accessing the ADC console with admin privileges.
- A10 ADC - User Authentication Failure Details: This report provides information related to failed user authentication attempts.

Knowledge Objects
- A10 ADC - Application Delivery Traffic Details: This KO assists in evaluating application delivery controller traffic.
- A10 ADC - Console Logon Success Details: This KO assists in tracking console logon success events.
- A10 ADC - User Authentication Failure Details: This KO assists in identifying user authentication failure events.

Import Knowledge Pack into EventTracker
1. Launch EventTracker Control Panel.
2. Double click Export/Import Utility, and then click the Import tab.
Figure 3
3. Import Category/Alert/Tokens/Templates/Flex Reports/Knowledge Object as given below.

Import Categories
1. Click Category option, and then click the ‘browse’ button.
Figure 4
2. Locate All A10 group categories.iscat file, and then click the Open button.
3. To import categories, click the Import button.
EventTracker displays success message.
Figure 5
4. Click OK, and then click the Close button.

Import Alerts
1. Click Alert option, and then click the ‘browse’ button.
Figure 6
2. Locate All A10 group alerts.isalt file, and then click the Open button.
3. To import alerts, click the Import button.
EventTracker displays success message.
Figure 7
4. Click OK, and then click the Close button.

Import Tokens
1. Click Token Value option, and then click the ‘browse’ button.
2. Locate All A10 group tokens.istoken file, and then click the Open button.
Figure 8
3. To import token value, click the Import button.
EventTracker displays success message.
Figure 9
4. Click OK, and then click the Close button.

Import Flex Reports
1. Click Scheduled Reports option, and then click the ‘browse’ button.
2. Locate All A10 group reports.issch file, and then click the Open button.
Figure 10
3. To import scheduled reports, click the Import button.
EventTracker displays success message.
Figure 11
4. Click OK, and then click the Close button.

Import Token Templates
1. Click the Admin menu, and then click Parsing rule.
2. Select Template tab, and then click on ‘Import’ option.
Figure 12
3. Click on Browse button.
Figure 13
4. Locate A10 token template.ettd file, and then click the Open button.

Figure 14
5. Now select the check box and then click on ‘Import’ option.
EventTracker displays success message.
Figure 15
6. Click on OK button.

Import Knowledge Object
1. Click the Admin menu, and then click Knowledge Objects.
2. Click on ‘Import’ option.
Figure 16
3. In IMPORT pane click on Browse button.
Figure 17
4. Locate A10 KO.etko file, and then click the UPLOAD button.

Figure 18
5. Now select the check box and then click on ‘MERGE’ option.
EventTracker displays success message.
Figure 19
6. Click on OK button.

Verify Knowledge Pack in EventTracker

Verify Categories
1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Categories.
3. To view the imported categories, in the Category Tree, expand A10 group folder.
Figure 20

Verify Alerts
1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
3. In the Search box, type ‘A10’, and then click the ‘search’ button.
Alert Management page will display all the imported alerts.

Figure 21
4. To activate the imported alerts, select the respective checkbox in the Active column and then click the Activate Now button.
EventTracker displays message box.
Figure 22
5. Click OK.
Note: Please specify appropriate systems in alert configuration for better performance.

Verify Tokens
1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Parsing Rules.
3. In Token Value Group Tree to view imported token values, scroll down and click A10 group folder.
Token values are displayed in the token value pane.

Figure 23

Verify Flex Reports
1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined in report type.
4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click A10 group folder.
Scheduled Reports are displayed in the Reports configuration pane.
Figure 24

NOTE: Please specify appropriate systems in report wizard for better performance.

Verify Token Templates
1. Click the Admin menu, and then click Parsing rule.
2. Select Template tab.
3. Scroll and find imported A10 token templates.
Figure 25

Verify Knowledge Object
1. Click the Admin menu, and then click Knowledge Objects.
2. Scroll down and select A10 in Objects pane.
Imported A10 object details are shown.

Figure 26

Create Dashboards in EventTracker

Schedule Reports
1. Open EventTracker in browser and log on.
Figure 27
2. Navigate to Reports Configuration.
Figure 28

3. Select A10 in report groups. Check defined dialog box.
4. Click on ‘schedule’ icon to plan a report for later execution.
Figure 29
5. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer box.

Figure 30
6. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period.
7. Proceed to next step and click Schedule button.
8. Wait for scheduled time or generate report manually.

Create Dashlets
1. EventTracker 8 is required to configure flex dashboard.
2. Open EventTracker in browser and log on.
Figure 31

3. Navigate to Dashboard Flex.
Flex Dashboard pane is shown.
Figure 32
4. Click to add a new dashboard.
Flex Dashboard configuration pane is shown.
Figure 33
5. Fill in a fitting title and description and click Save button.
6. Click to configure a new flex dashlet.
Widget configuration pane is shown.

Figure 34
7. Locate earlier scheduled report in Data Source dropdown.
8. Select Chart Type from dropdown.
9. Select extent of data to be displayed in Duration dropdown.
10. Select computation type in Value Field Setting dropdown.
11. Select evaluation duration in As Of dropdown.
12. Select comparable values in X Axis with suitable label.
13. Select numeric values in Y Axis with suitable label.
14. Select comparable sequence in Legend.
15. Click Test button to evaluate.
Evaluated chart is shown.

Figure 35
16. If satisfied, click Configure button.
Figure 36
17. Click ‘customize’ to locate and choose created dashlet.
18. Click to add dashlet to earlier created dashboard.

Sample Reports
1. A10 - Application Delivery Traffic Details
2. A10 - User Authentication Failure Details

Sample Dashboards
1. A10 - Server and Client Data Transfer Details
2. A10 - Client Agent Usage Details
