Manual Chapter : Common Elements for Logging Topics

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.0, 14.1.0, 14.0.0
Manual Chapter

Common Elements for Logging Topics

  1. On the Main tab, click
    Security
    Event Logs
    Protocol
    DNS
    .
    The Protocol Security event log displays.
  2. On the Main tab, click
    Security
    Event Logs
    Network
    Firewall
    .
    The Network Firewall event log displays.
  3. Select an event log item, and click
    Create Rule
    .
    The
    New Rule
    screen opens. The new rule is populated with source, destination, VLAN, protocol, and port info derived from the log entry.
  4. On the Main tab, click
    Security
    Event Logs
    Protocol
    HTTP, FTP, SMTP
    .
    The HTTP, FTP, SMTP statistics screen opens.
  5. On the Main tab, click
    Security
    Event Logs
    Application
    .
    The Requests screen opens.
  6. On the Main tab, click
    System
    Logs
    .
    The System logs screen opens.
  7. On the Main tab, click
    System
    Logs
    Configuration
    Remote Logging
    .
    The Remote Logging screen opens.
  8. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  9. On the Main tab, click
    System
    Logs
    Configuration
    Log Publishers
    .
    The Log Publishers screen opens.
  10. On the Main tab, click
    System
    Logs
    Configuration
    Log Filters
    .
    The Log Filters screen opens.
  11. On the menu bar, click
    Local Traffic
    .
    The Local Traffic logs screen opens.
  12. On the menu bar, click
    Packet Filter
    .
    The Packet Filter logs screen opens.
  13. On the menu bar, click
    System
    .
    The System logs screen opens.
  14. You can either scroll through the log or search for a log entry about a specific event.
  15. Click
    Create
    .
  16. Click
    Update
    .
  17. Click
    Finished
    .
  18. Click
    Add
    .
  19. In the
    Remote IP
    field, type the IP address of the remote server to which the BIG-IP system will send the log messages.
  20. In the
    Remote Port
    field, retain the default port number or type a different port number.
  21. Optionally, in the
    Local IP
    field, type the IP address of the local BIG-IP system that is sending the log messages.
  22. In the
    Name
    field, type a unique, identifiable name for this destination.
  23. From the
    Type
    list, select
    Remote High-Speed Log
    .
  24. From the
    Type
    list, select
    Remote High-Speed Log
    .
    If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the
    Remote High-Speed Log
    type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  25. From the
    Type
    list, select
    IPFIX
    .
  26. From the
    Type
    list, select
    Remote High-Speed Log
    .
    If you use log servers such as Remote Syslog, Splunk, or IPFIX, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the
    Remote High-Speed Log
    type. This allows the BIG-IP system to send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  27. From the
    Type
    list, select
    Remote Syslog
    .
  28. From the
    Type
    list, select a formatted logging destination, such as
    IPFIX
    ,
    Remote Syslog
    ,
    Splunk
    , or
    ArcSight
    .
    ArcSight formatting is only available for logs coming from Advanced Firewall Manager (AFM), Application Security Manager (ASM), and the Secure Web Gateway component of Access Policy Manager (APM). IPFIX is not available for Secure Web Gateway. Remote Syslog formatting is the only type supported for logs coming from APM. The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  29. From the
    Type
    list, select a formatted logging destination, such as
    Remote Syslog
    ,
    Splunk
    , or
    ArcSight
    .
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  30. From the
    Type
    list, select a formatted logging destination, such as
    Remote Syslog
    ,
    Splunk
    , or
    IPFIX
    .
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  31. From the
    Type
    list, select
    Splunk
    .
    The Splunk format is a predefined format of key value pairs.
  32. If you selected
    Splunk
    or
    IPFIX
    , then from the
    Forward To
    list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  33. If you selected
    Splunk
    , then from the
    Forward To
    list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
    The Splunk format is a predefined format of key value pairs.
  34. If you selected
    Remote Syslog
    , then from the
    Syslog Format
    list select a format for the logs, and then from the
    High-Speed Log Destination
    list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
  35. From the
    Forward To
    list, select
    local-syslog
    .
  36. From the
    Pool Name
    list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  37. From the
    Pool Name
    list, select the alert pool that you defined previously.
  38. From the
    Pool Name
    list, select an LTM pool of IPFIX collectors.
  39. From the
    Protocol
    list, select the protocol used by the high-speed logging pool members.
  40. From the
    Protocol
    list, select the TCP protocol.
  41. From the
    Protocol
    list, select
    IPFIX
    or
    Netflow V9
    , depending on the type of collectors you have in the pool.
  42. From the
    Transport Profile
    list, select
    TCP
    ,
    UDP
    , or any customized profile derived from TCP or UDP.
  43. The
    Template Retransmit Interval
    is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the
    Transport Profile
    is a
    UDP
    profile.
    An
    IPFIX template
    defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.
    The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
  44. The
    Template Delete Delay
    is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
  45. The
    Server SSL Profile
    applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the
    Transport Profile
    is a
    TCP
    profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.
    SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
  46. In the
    Name
    field, type a unique, identifiable name for this publisher.
  47. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  48. For the
    Destinations
    setting, select the log destination you created previously from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
  49. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db variable to
    false
    .
  50. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db key to
    false
    . If all the remote high-speed log (HSL) destinations are down (unavailable), setting the
    logpublisher.atomic
    db key to
    false
    will not work to allow the logs to be written to local-syslog. The
    logpublisher.atomic
    db key has no effect on local-syslog.
  51. For the
    Destinations
    setting, select the previously created destination from the
    Available
    list (which formats the logs in the Splunk format and forwards the logs to the local Syslog database) and move the destination to the
    Selected
    list.
  52. Use the
    Log Destinations
    setting to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the
    Available
    list, and click
    <<
    to move it to the
    Selected
    list.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging will occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db variable to
    false
    .
  53. Use the
    Log Destinations
    setting to select an existing IPFIX destination (perhaps along with other destinations for your logs): click any destination name in the
    Available
    list, and click
    <<
    to move it to the
    Selected
    list.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging will occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db key to
    false
    . If all the remote high-speed log (HSL) destinations are down (unavailable), setting the
    logpublisher.atomic
    db key to
    false
    will not work to allow the logs to be written to local-syslog. The
    logpublisher.atomic
    db key has no effect on local-syslog.
  54. For the
    Destinations
    setting, select a destination from the
    Available
    list, and move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db key to
    false
    . If all the remote high-speed log (HSL) destinations are down (unavailable), setting the
    logpublisher.atomic
    db key to
    false
    will not work to allow the logs to be written to local-syslog. The
    logpublisher.atomic
    db key has no effect on local-syslog.
  55. In the
    Name
    field, type a unique, identifiable name for this filter.
  56. From the
    Severity
    list, select the level of alerts that you want the system to use for this filter.
    The severity level that you select includes all of the severity levels that display above your selection in the list. For example, if you select
    Emergency
    , the system publishes only emergency messages to the log. If you select
    Critical
    , the system publishes critical, alert, and emergency-level messages in the log.
  57. From the
    Severity
    list, select
    Debug
    .
  58. From the
    Source
    list, select the system processes from which messages will be sent to the log.
  59. From the
    Source
    list, select
    All
    .
  60. In the
    Message ID
    field, type the first eight hex-digits of the specific message ID that you want the system to include in the log. Use this field when you want a log to contain only each instance of one specific log message.
    BIG-IP system log messages contain message ID strings in the format:
    xxxxxxxx:x:
    . For example, in this log message:
    Oct 31 11:06:27 olgavmmgmt notice mcpd[5641]: 01070410:5: Removed subscription with subscriber id lind
    , the message ID string is:
    01070410:5:
    . You enter only the first eight hex-digits:
    01070410
    .
  61. From the
    Log Publisher
    list, select the publisher that includes the destinations to which you want to send log messages.
  62. From the
    Log Publisher
    list, select
    None
    .
  63. Select the check box next to the name of the log filter that you want to delete. Click
    Delete
    , and then click
    Delete
    again.
  64. To search for specific events, click
    Custom Search
    . Drag the event data that you want to search for from the Event Log table into the Custom Search table, and then click
    Search
    .
  65. To search for enforced policy events, in the search field, type
    Enforced
    , then click
    Search
    .
  66. To narrow your search for enforced events, click
    Custom Search
    . Drag the
    Enforced
    text from the
    Policy Type
    column to the custom search table. Narrow your search further by dragging other items from the log display, for example, from the
    action
    ,
    policy
    , or
    rule
    columns. the event data that you want to search for from the Event Log table into the Custom Search table, and then click
    Search
    .
  67. To search for staged policy events, in the search field, type
    Staged
    , then click
    Search
    .
  68. To narrow your search for staged policy events, click
    Custom Search
    . Drag the
    Staged
    text from the
    Policy Type
    column to the custom search table. Narrow your search further by dragging other items from the log display. For example, from the
    action
    ,
    policy
    , or
    rule
    columns, you can drag event data that you want to search for from the Event Log table into the Custom Search table, and then click
    Search
    .