Manual Chapter: AFM NAT Logging
Applies To: BIG-IP AFM 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
About AFM NAT logging profiles
AFM logging profiles provide a range of options to determine where and how NAT mapping event messages are logged. You can associate AFM logging profiles with AFM NAT policy rules, or with the virtual server and global contexts directly.
NAT logging workflow
Associating a NAT logging profile with a NAT policy involves these tasks:
- Creating a BIG-IP System Logging Destination and Publisher.
- Creating an AFM NAT Logging Profile (referencing the Logging Publisher).
- Creating an AFM NAT Policy (referencing the Logging Profile).
You can send translation log messages to either a local or a remote location; a combination of both is not allowed. These are the most popular choices:
- Local DB: You can send log mapping messages to the local MySQL database, and view them using the AFM Event Viewer at.
- Local File system: You can send log mapping messages to the local /var/log/ltm file and view them using the Advanced Shell (bash) or TMOS Shell (tmsh).
- Remote High-Speed Logs: You can send log mapping messages to a remote high-speed logging server.
AFM NAT logging profile options
The AFM NAT logging profile options allow you to specify how and where NAT events are logged.
| Option | Description |
|---|---|
| LSN Legacy Mode | This mode is provided for users moving from CGNAT to AFM NAT who wish to retain the CGNAT logging format. LSN Legacy Mode is very limited. |
| Log Subscriber ID | Logs the subscriber ID associated with a subscriber IP address. |
| Aggregate Rate Limit | Specifies the rate limit for all combined NAT log messages per second. Log messages are not logged again until the threshold drops below the specified rate. |
| Start Outbound Session | Provides options for logging the start of an outbound NAT translation event. See the Storage Format section (following) for more background. |
| End Outbound Session | Provides options for logging the end of an outbound NAT translation event. See the Storage Format section (following) for more background. |
| Start Inbound Session | Provides options for logging the start of an inbound NAT translation event. See the Storage Format section (following) for more background. |
| End Inbound Session | Provides options for logging the end of an inbound NAT translation event. See the Storage Format section (following) for more background. |
| Quota Exceeded | Generates event log entries when a NAT client exceeds allocated resources. |
| Errors | Generates event log entries when a NAT translation error occurs. |
| Publisher | Specifies the name of the log publisher used for logging NAT events. |
AFM NAT logging storage format options
When you enable logging for Inbound or Outbound sessions, the Storage Format option provides a variety of filters for customizing NAT mapping log messages. AFM supports customized log messages only for the High Speed Logging (HSL) format. Other logging formats, such as Splunk and ArcSight, are logged in a fixed format. If LSN Legacy Mode is enabled, the Storage Format option is not available.

| Option | Description |
|---|---|
| context_name | Specifies the context, or access point, on the BIG-IP system where the NAT rule match occurred. |
| src_ip | Specifies the source IP address prior to NAT mapping. |
| dest_ip | Specifies the destination IP address prior to NAT mapping. |
| src_port | Specifies the source service port prior to NAT mapping. |
| dest_port | Specifies the destination service port prior to NAT mapping. |
| translated_src_ip | Specifies the source IP address after NAT mapping. |
| translated_dest_ip | Specifies the destination IP address after NAT mapping. |
| timestamp | Specifies the time the NAT mapping occurred. |
| sub_id | Specifies the ID of the mapped subscriber. |
Create a local DB log publisher
Viewing log files with the Advanced Shell (bash) can be difficult if you don't have experience with text pagers such as less, or text filters such as grep. Alternatively, you can view NAT logging events using the AFM Event Logs viewer, available in the BIG-IP Configuration Utility. The AFM Event Logs viewer provides a convenient way for you to filter and view NAT logging events based on time, IP addresses, or service ports. To use the AFM Event Logs viewer, you must create a log destination specifying local-db as the logging target.
1. On the Main tab, click.
2. Click Create.
3. Type a Name and optional Description.
4. From the Type list, select Splunk.
5. From the Forward To list, select local-db.
6. Click Finished. The new log destination appears in the log destinations list.
7. From the Configuration tab at the top of the page, select Log Publishers.
8. Click Create.
9. Type a Name and optional Description.
10. For the Destinations setting, in the Available box, select the newly created log destination and move it to the Selected box.
11. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.
Create a local file system log publisher
You can use the Advanced Shell (bash) to view NAT events logged to the local /var/log/ltm file. For more information about reviewing BIG-IP system log files, refer to article K16197: Reviewing BIG-IP log files at support.f5.com/csp/article/K16197. To view NAT events using bash, you must create a log destination specifying local-syslog as the logging target.
1. On the Main tab, click.
2. Click Create.
3. Type a Name and optional Description.
4. From the Type list, select Splunk.
5. From the Forward To list, select local-syslog.
6. Click Finished. The new log destination is listed in the Log Destinations area.
7. From the Configuration tab at the top of the page, select Log Publishers.
8. Click Create.
9. Type a Name and optional Description.
10. For the Destinations setting, under Available, select the newly created log destination and move it to the Selected box.
11. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.
Create a remote server log publisher
You can send NAT event logs to a pool of remote high-speed logging servers. To send NAT event logs using remote high-speed logging, you must create a log destination specifying Remote High-Speed Log, and a Pool as the logging target.
1. On the Main tab, click.
2. Click Create.
3. Type a Name and optional Description.
4. In the Resources area, for the New Members setting, type the IP Address and Service Port of a remote logging server. Remote logging servers typically use service port 514.
5. Click Add, and repeat steps 4 and 5 for additional remote logging servers.
6. Click Finished.
7. On the Main tab, click.
8. Click Create.
9. Type a Name and optional Description.
10. From the Type list, select Remote High-Speed Log.
11. From the Pool Name list, select the new pool created in the previous steps.
12. From the Distribution list, select one of the available distribution methods:
    - Adaptive: Connections to pool members are added as required to provide enough logging bandwidth. This can have the undesirable effect of logs accumulating on only one pool member when it provides sufficient logging bandwidth on its own.
    - Balanced: Sends each successive log to a new pool member, balancing the logs among them according to the pool's load balancing method.
    - Replicated: Replicates each log message to all pool members.
13. Click Finished.
14. From the Configuration tab at the top of the page, select Log Publishers.
15. Click Create.
16. Type a Name and optional Description.
17. In the Destinations setting, under Available, click the newly created log destination and move it to the Selected box.
18. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.
Create an AFM NAT logging profile
You must have created a BIG-IP system Log Destination and Log Publisher before you can create a logging profile.
You can create a NAT logging profile to customize the information logged when an AFM NAT mapping event occurs.
1. On the Main tab, click.
2. Click Create.
3. In the Network Address Translation setting, click the Enabled check box. The Network Address Translation logging options display below the Logging Profile Properties area.
4. From the Aggregate Rate Limit list, click Specify to type the number of log messages to limit per second. The default setting is Indefinite, or no set limit.
5. From the Start Outbound Session list, select one of the available options:
    - Enabled: Logs the beginning of an outbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
6. From the End Outbound Session list, select one of the available options:
    - Enabled: Logs the end of an outbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
7. From the Start Inbound Session list, select one of the available options:
    - Enabled: Logs the beginning of an inbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
8. From the End Inbound Session list, select one of the available options:
    - Enabled: Logs the end of an inbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
9. From the Quota Exceeded list, select one of the available options:
    - Enabled: Generates an event log message when a NAT client exceeds the allocated NAT resources. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
10. From the Errors list, select one of the available options:
    - Enabled: Generates an event log message when a NAT translation error occurs. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    - Backup Allocation Only: Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    - Disabled: The NAT mapping event is not logged. This is the default setting.
11. From the Publisher list, select the appropriate log publisher.
12. Click Create.
You have created a NAT logging profile that can now be associated with a NAT policy.