Manual Chapter : Configuring Remote High-Speed Logging of Network Firewall Events

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

Configuring Remote High-Speed Logging of Network Firewall Events

Overview: Configuring remote high-speed Network Firewall event logging

You can configure the BIG-IP system to log information about the BIG-IP system Network Firewall events and send the log messages to remote high-speed log servers.
The BIG-IP system Advanced Firewall Manager (AFM) must be licensed and provisioned before you can configure Network Firewall event logging.
This illustration shows the association of the configuration objects for remote high-speed logging.
Association of remote high-speed logging configuration objects

About the configuration objects of remote high-speed Network Firewall event logging

When configuring remote high-speed logging of Network Firewall events, it is helpful to understand the objects you need to create and why, as described here:
Object
Reason
Applies to
Pool of remote log servers
Create a pool of remote log servers to which the BIG-IP system can send log messages.
Creating a pool of remote logging servers.
Destination (unformatted)
Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Creating a remote high-speed log destination.
Destination (formatted)
If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Creating a formatted remote high-speed log destination.
Publisher
Create a log publisher to send logs to a set of specified log destinations.
Creating a publisher.
DNS Logging profile
Create a custom DNS Logging profile to define the data you want the BIG-IP system to include in the DNS logs and associate a log publisher with the profile.
Creating a custom Network Firewall Logging profile.
LTM virtual server
Associate a custom DNS profile with a virtual server to define how the BIG-IP system logs the DNS traffic that the virtual server processes.
Creating a virtual server for Network Firewall evemt logging.

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. At the top of the screen, click
    Configuration
    .
  2. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  3. Click
    Create
    .
    The New Pool screen opens.
  4. In the
    Name
    field, type a unique name for the pool.
  5. Using the
    New Members
    setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a service number in the
      Service Port
      field, or select a service name from the list.
      Typical remote logging servers require port
      514
      .
    3. Click
      Add
      .
  6. Click
    Finished
    .

Create a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to specify that log messages are sent to a pool of remote log servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select
    Remote High-Speed Log
    .
    If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the
    Remote High-Speed Log
    type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the
    Pool Name
    list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the
    Protocol
    list, select the protocol used by the high-speed logging pool members.
  7. Click
    Finished
    .

Create a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select a formatted logging destination, such as
    Remote Syslog
    ,
    Splunk
    , or
    IPFIX
    .
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected
    Remote Syslog
    , then from the
    Syslog Format
    list select a format for the logs, and then from the
    High-Speed Log Destination
    list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
  6. If you selected
    Splunk
    or
    IPFIX
    , then from the
    Forward To
    list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click
    Finished
    .

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Publishers
    .
    The Log Publishers screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this publisher.
  4. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Click
    Finished
    .

Creating a custom Network Firewall Logging profile

Create a custom logging profile to log messages about Network Firewall events.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Select the
    Network Firewall
    check box.
  5. In the Network Firewall area, from the
    Publisher
    list, select the publisher the BIG-IP system uses to log Network Firewall events.
  6. Set an
    Aggregate Rate Limit
    to define a rate limit for all combined network firewall log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
  7. For the
    Log Rule Matches
    setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option
    Enables or disables logging of packets that match ACL rules configured with:
    Accept
    action=Accept
    Drop
    action=Drop
    Reject
    action=Reject
    When an option is selected, you can configure a rate limit for log messages of that type.
  8. Select the
    Log IP Errors
    check box, to enable logging of IP error packets.
    When this setting is enabled, you can configure a rate limit for log messages of this type.
  9. Select the
    Log TCP Errors
    check box, to enable logging of TCP error packets.
    When this is enabled, you can configure a rate limit for log messages of this type.
  10. Select the
    Log TCP Events
    check box, to enable logging of open and close of TCP sessions.
    When this is enabled, you can configure a rate limit for log messages of this type.
  11. Enable the
    Log Translation Fields
    setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
  12. Enable the
    Log Geolocation IP Address
    setting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
  13. From the
    Storage Format
    list, select how the BIG-IP system formats the log.
    Option
    Description
    None
    Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:
    "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined
    Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order the fields display in the log.
  14. In the IP Intelligence area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.
    The IP Address Intelligence feature must be enabled and licensed.
  15. Set an
    Aggregate Rate Limit
    to define a rate limit for all combined IP Intelligence log messages per second.
    Beyond this rate limit, log messages are not logged.
    Rate Limits are calculated per-second per TMM. Each TMM throttles as needed independently of other TMMs.
  16. Enable the
    Log Translation Fields
    setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
  17. In the Traffic Statistics area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log traffic statistics.
  18. For the
    Log Timer Events
    setting, enable
    Active Flows
    to log the number of active flows each second.
  19. For the
    Log Timer Events
    setting, enable
    Reaped Flows
    to log the number of reaped flows, or connections that are not established because of system resource usage levels.
  20. For the
    Log Timer Events
    setting, enable
    Missed Flows
    to log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
  21. For the
    Log Timer Events
    setting, enable
    SYN Cookie (Per Session Challenge)
    to log the number of SYN cookie challenges generated each second.
  22. For the
    Log Timer Events
    setting, enable
    SYN Cookie (White-listed Clients)
    to log the number of SYN cookie clients whitelisted each second.
  23. Click
    Finished
    .
Assign this custom network firewall Logging profile to a virtual server.

Configuring a virtual server for event logging

Ensure that at least one log publisher exists on the AFM Network Firewall system.
Assign a custom network firewall logging profile to a virtual server when you want the system to log network firewall events on the traffic that the virtual server processes.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click
    Security
    Policies
    .
    The screen displays policy settings for the virtual server.
  4. In the
    Log Profile
    setting, select
    Enabled
    . Then, select one or more profiles, and move them from the
    Available
    list to the
    Selected
    list.
    If you do not have a custom profile configured, select the predefined logging profile
    global-network
    to log Advanced Firewall Manager events. Note that to log global, self IP, and route domain contexts, you must enable a Publisher in the
    global-network
    profile.
  5. Click
    Update
    to save the changes.

Disabling logging

Disable event logging when you need to suspend logging for a period of time or you no longer want the BIG-IP system to log specific events.
Logging is enabled by adding log settings to the access profile.
  1. To clear log settings from access profiles, on the Main tab, click
    Access
    Profiles / Policies
    .
  2. Click the name of the access profile.
    Access profile properties display.
  3. On the menu bar, click
    Logs
    .
  4. Move log settings from the
    Selected
    list to the
    Available
    list.
  5. Click
    Update
    .
Logging is disabled for the access profile.