Manual Chapter :
Configuring Remote High-Speed Logging of Protocol Security Events
Applies To:
Show VersionsBIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Analytics
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Link Controller
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Configuring Remote High-Speed Logging of Protocol Security Events
Overview: Logging
remote protocol security events
You can configure the BIG-IP system
to log information about Protocol Security events and send the log messages to remote
high-speed log servers.
The Advanced Firewall Manager™ (AFM™) must be
licensed and provisioned before you can configure Protocol Security event logging.
This illustration shows the association of the configuration objects for remote high-speed logging.
Task summary
Perform these tasks to configure Protocol Security event logging on the
BIG-IP system. Enabling remote high-speed logging impacts BIG-IP
system performance.
About the configuration objects of remote protocol security event logging
When configuring remote high-speed logging of Protocol Security events, it is helpful to understand the
objects you need to create and why, as described here:
Object |
Reason |
Applies to |
---|---|---|
Pool of remote log servers |
Create a pool of remote log servers to which the BIG-IP system
can send log messages. |
Creating a pool of remote logging servers. |
Destination (unformatted) |
Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. |
Creating a remote high-speed log destination. |
Destination (formatted) |
If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination. |
Creating a formatted remote high-speed log destination. |
Publisher |
Create a log publisher to send logs to a set of specified log destinations. |
Creating a publisher. |
DNS Logging profile |
Create a custom DNS Logging profile to define the data you want the BIG-IP system to include in the DNS logs and associate a log publisher with the profile. |
Creating a custom Protocol Security logging profile. |
Protected object (virtual server) |
Associate a custom DNS profile with a protected object to define
how the BIG-IP system logs the DNS traffic that the protected object processes. |
Configuring a protected object for Protocol Security event
logging. |
Create a pool of remote logging servers
Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
- At the top of the screen, clickConfiguration.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Using theNew Memberssetting, add the IP address for each remote logging server that you want to include in the pool:
- Type an IP address in theAddressfield, or select a node address from theNode List.
- Type a service number in theService Portfield, or select a service name from the list.Typical remote logging servers require port514.
- ClickAdd.
- ClickFinished.
Create a remote high-speed log destination
Before creating a remote high-speed log destination, ensure that at least one pool
of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to
specify that log messages are sent to a pool of remote log servers.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectRemote High-Speed Log.If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of theRemote High-Speed Logtype. With this configuration, the BIG-IP system can send data to the servers in the required format.The BIG-IP system is configured to send an unformatted string of text to the log servers.
- From thePool Namelist, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
- From theProtocollist, select the protocol used by the high-speed logging pool members.
- ClickFinished.
Create a formatted remote high-speed log destination
Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a
pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, select a formatted logging destination, such asRemote Syslog,Splunk, orIPFIX.The Splunk format is a predefined format of key value pairs.The BIG-IP system is configured to send a formatted string of text to the log servers.
- If you selectedRemote Syslog, then from theSyslog Formatlist select a format for the logs, and then from theHigh-Speed Log Destinationlist, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
- If you selectedSplunkorIPFIX, then from theForward Tolist, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
- ClickFinished.
Create a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select a destination from theAvailablelist, and click<<to move the destination to theSelectedlist.If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
- ClickFinished.
Create a custom Protocol Security logging profile
Create a logging profile to log Protocol Security events for the traffic handled by the protected object to which the profile is assigned.
You can configure
logging profiles for HTTP and DNS security events on Advanced
Firewall Manager, and FTP and SMTP security events on Application Security Manager.
- On the Main tab, click.The Logging Profiles list screen opens.
- ClickCreate.The Create New Logging Profile screen opens.
- Select theProtocol Securitycheck box.
- In the HTTP, FTP, and SMTP Security area, from thePublisherlist, select the publisher that the BIG-IP system uses to log HTTP, FTP, and SMTP Security events.
- In the DNS Security area, from thePublisherlist, select the publisher that the BIG-IP system uses to log DNS Security events.
- Select theLog Dropped Requestscheck box, to enable the BIG-IP system to log dropped DNS requests.
- Select theLog Filtered Dropped Requestscheck box, to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
- Select theLog Malformed Requestscheck box to enable the BIG-IP system to log malformed DNS requests.
- Select theLog Rejected Requestscheck box to enable the BIG-IP system to log rejected DNS requests.
- Select theLog Malicious Requestscheck box to enable the BIG-IP system to log malicious DNS requests.
- From theStorage Formatlist, select how the BIG-IP system formats the log.OptionDescriptionNoneSpecifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example:"management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reasonField-ListAllows you to:
- Select, from a list, the fields to be included in the log.
- Specify the order the fields display in the log.
- Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
User-DefinedAllows you to:- Select, from a list, the fields to be included in the log.
- Cut and paste, in a string of text, the order the fields display in the log.
- ClickFinished.
Assign this custom Protocol Security Logging profile to a protected object.
Logging DoS/DDoS Events for a Protected Object
Assign a logging profile to a protected object when you want the system to log DoS events.
- On the Main tab, click.
- Click the name of the protected object for which you want to log DoS events.The Properties pane opens on the right.
- In the Network & General area, forLogging Profiles, move the logging profile to assign from the Available list into the Selected list.You can create, and modify log publishers in.
- ClickSave.
The system logs DoS events for the protected object.
You can review DoS event logs at
and select the type of DoS event log to view.