Manual Chapter : Creating a Data Protection logging profile

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.1, 15.0.0
Manual Chapter

Creating a
Data
Protection logging profile

Before creating a
Data
Protection logging profile, you need to configure a log publisher that will send the
Data
Protection logs to the third-party platform of your choice. Your log publisher must have a log destination of one of the following types: Remote High-Speed Log, Local Syslog, Remote Syslog, or Splunk.
Create a
Data
Protection logging profile so that you can receive a log of information on client attempts to login to the website protected by your
BIG-IP DataSafe
profile and information on alerts sent by the BIG-IP system.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the profile.
  4. Select the
    Enabled
    check box by
    Data
    Protection.
    The screen displays the
    Data
    Protection tab.
  5. On the
    Data
    Protection tab, for Configuration, select
    Advanced
    .
    Advanced
    configuration is optional. However, if you choose
    Basic
    configuration, you cannot set a rate-limit for sending log messages and the rate-limit is unlimited. Also, with
    Basic
    configuration you cannot select data items to be URL-encoded in log messages.
  6. For Publisher, select your log publisher from the list.
  7. For Rate-Limit Template, choose either
    Default
    or
    User-Defined
    .
    The Rate-Limit Template settings define the notification that appears when the rate-limit for sending logs is exceeded.
    If you choose
    User-Defined
    , define the Rate-Limit template as follows:
    1. In the Available Items list, select the data items you want to appear in rate-limit exceeded notifications and move them to the Selected Items list.
    2. For Select Format, choose one of the following:
      • Field-List:
        Specifies that the notification displays only the items you move from the Available Items list to the Selected Items list. The delimiter that you choose separates the items in the notification. After choosing a delimiter, click
        Format
        to see the revised template.
      • Key-Value Pairs:
        Specifies that the notification displays the actual name of the selected item as being equal to the value of that item. For example, if you choose
        Key-Value Pairs
        format and one of your selected items is
        timestamp
        , if the value of timestamp is 1549888174, in the log message you will see
        timestamp=1549888174
        .
        After choosing a delimiter, click
        Format
        to see the revised template.
  8. If you want data items to be URL-encoded in log messages and in the rate-limit exceeded notification, at Fields to Encode select
    Only
    and then select the data items from the Available Items list and move them to the Selected Items list.
  9. For Login Attempt, select the
    Enabled
    check box.
    The Template and Rate Limit settings for Login Attempt messages appear.
  10. For the Login Attempt Template, choose either
    Default
    or
    User-Defined
    .
    If you choose
    User-Defined
    , define the Login Attempt template as follows:
    1. In the Available Items list, select the data items you want to appear in login attempt messages and move them to the Selected Items list.
    2. For Select Format, choose one of the following:
      • Field-List:
        Specifies that the message displays only the items you move from the Available Items list to the Selected Items list. The delimiter that you choose separates the items in the message. After choosing a delimiter, click
        Format
        to see the revised template.
      • Key-Value Pairs:
        Specifies that the message displays the actual name of the selected item as being equal to the value of that item. For example, if you choose
        Key-Value Pairs
        format and one of your selected items is
        timestamp
        , if the value of timestamp is 1549888174, in the log message you will see
        timestamp=1549888174
        .
        After choosing a delimiter, click
        Format
        to see the revised template.
  11. For Login Attempt Rate Limit, select either
    Unlimited
    or
    Specify
    .
    If you choose
    Specify
    , type your preferred rate limit in the text box.
    Rate Limits are calculated per-second, per TMM, with each TMM throttling as needed, independently of other TMMs.
  12. For Alert, select the
    Enabled
    check box.
    The Template and Rate Limit settings for Alert messages appear.
  13. For the Alert Template, choose either
    Default
    or
    User-Defined
    .
    If you choose
    User-Defined
    , define the Alert template as follows:
    1. In the Available Items list, select the data items you want to appear in alert messages and move them to the Selected Items list.
    2. For Select Format, choose one of the following:
      • Field-List:
        Specifies that the message displays only the items you move from the Available Items list to the Selected Items list. The delimiter that you choose separates the items in the message. After choosing a delimiter, click
        Format
        to see the revised template.
      • Key-Value Pairs:
        Specifies that the message displays the actual name of the selected item as being equal to the value of that item. For example, if you choose
        Key-Value Pairs
        format and one of your selected items is
        timestamp
        , if the value of timestamp is 1549888174, in the log message you will see
        timestamp=1549888174
        .
        After choosing a delimiter, click
        Format
        to see the revised template.
  14. For Alert Rate Limit, select either
    Unlimited
    or
    Specify
    .
    If you choose
    Specify
    , type your preferred rate limit in the text box.
    Rate Limits are calculated per-second, per TMM, with each TMM throttling as needed, independently of other TMMs.
  15. Click
    Create
    .
    The BIG-IP system saves your logging profile and the list of logging profiles appears.
After you have created a
Data
Protection logging profile, you need to associate the logging profile with
a BIG-IP DataSafe
profile.