Manual Chapter : AFM NAT Logging

Applies To:

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

AFM NAT Logging

About AFM NAT logging profiles

AFM logging profiles provide a range of options to determine where and how NAT mapping event messages are logged. You can associate AFM logging profiles with AFM NAT policy rules, or with the virtual server and global contexts directly.
NAT logging workflow
Associating a NAT logging profile with a NAT policy involves these tasks:
  1. Creating a BIG-IP System Logging Destination and Publisher.
  2. Creating an AFM NAT Logging Profile (referencing the Logging Publisher).
  3. Creating an AFM NAT Policy (referencing the Logging Profile).
You can send translation log messages to either a local or a remote location, but not to both. The most common choices are:
Local DB
You can send log mapping messages to the local MySQL database and view them using the AFM Event Viewer at Security > Event Logs > Network Address Translation.
Local File system
You can send log mapping messages to the local /var/log/ltm file and view them using the Advanced Shell (bash) or TMOS Shell (tmsh).
Remote High-Speed Logs
You can send log mapping messages to a remote high-speed logging server.

AFM NAT logging profile options

The AFM NAT logging profile options allow you to specify how and where NAT events are logged.
LSN Legacy Mode
    This mode is provided for users moving from CGNAT to AFM NAT who wish to retain the CGNAT logging format. LSN Legacy Mode is very limited:
      • Logs only Dynamic PAT source translation events.
      • Does not support Firewall NAT logging to LocalDB (MySQL) or ArcSight.
      • Does not perform log throttling.
Log Subscriber ID
    Logs the subscriber ID associated with a subscriber IP address.
Aggregate Rate Limit
    Specifies the rate limit, in messages per second, for all NAT log messages combined. Once the limit is reached, further messages are suppressed until the message rate drops below the specified value.
Start Outbound Session
    Provides options for logging the start of an outbound NAT translation event. See the Storage Format section (following) for more background.
End Outbound Session
    Provides options for logging the end of an outbound NAT translation event. See the Storage Format section (following) for more background.
Start Inbound Session
    Provides options for logging the start of an inbound NAT translation event. See the Storage Format section (following) for more background.
End Inbound Session
    Provides options for logging the end of an inbound NAT translation event. See the Storage Format section (following) for more background.
Quota Exceeded
    Generates event log entries when a NAT client exceeds its allocated resources.
Errors
    Generates event log entries when a NAT translation error occurs.
Publisher
    Specifies the name of the log publisher used for logging NAT events.

AFM NAT logging storage format options

When you enable logging for Inbound or Outbound sessions, the Storage Format option provides a variety of filters for customizing NAT mapping log messages. AFM supports customized log messages only for the High Speed Logging (HSL) format. Other logging formats such as Splunk and ArcSight are logged in a fixed format. If LSN Legacy Mode is enabled, the Storage Format option is not available.
context_name
    Specifies the context, or access point on the BIG-IP system, where the NAT rule match occurred.
src_ip
    Specifies the source IP address prior to NAT mapping.
dest_ip
    Specifies the destination IP address prior to NAT mapping.
src_port
    Specifies the source service port prior to NAT mapping.
dest_port
    Specifies the destination service port prior to NAT mapping.
translated_src_ip
    Specifies the source IP address after NAT mapping.
translated_dest_ip
    Specifies the destination IP address after NAT mapping.
timestamp
    Specifies the time the NAT mapping occurred.
sub_id
    Specifies the ID of the mapped subscriber.
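The value of these fields to a defender is attribution: answering which internal host (and subscriber) was behind a translated address when a remote party reports abuse from it. The following Python script is an added example, not F5's own code; it assumes the Start and End Outbound Session entries use a comma-delimited HSL Storage Format field list with a literal START or END placed first, followed by the fields above in the order given in the code comments, and the log lines are constructed.

```python
# Added example (not F5's code): which internal host was behind public
# address X, talking to Y:port, at time T? Assumption, not from the page:
# Start/End Outbound Session use a comma-delimited HSL Storage Format field
# list with a literal START or END placed first, then the page's fields:
#   timestamp,context_name,src_ip,src_port,dest_ip,dest_port,
#   translated_src_ip,translated_dest_ip,sub_id
from datetime import datetime

FIELDS = ("event", "timestamp", "context_name", "src_ip", "src_port",
          "dest_ip", "dest_port", "translated_src_ip", "translated_dest_ip",
          "sub_id")
_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_line(line):
    """Parse one mapping log line into a dict; reject malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS) or parts[0] not in ("START", "END"):
        raise ValueError(f"unrecognised NAT log line: {line!r}")
    ev = dict(zip(FIELDS, parts))
    ev["timestamp"] = _ts(ev["timestamp"])
    ev["src_port"], ev["dest_port"] = int(ev["src_port"]), int(ev["dest_port"])
    return ev

def who_used(lines, translated_ip, dest_ip, dest_port, at):
    """Sorted (src_ip, src_port, sub_id) of every mapping live at `at` for this
    translated source and destination. Several hits mean PAT sharing: the
    page's fields have no translated port, so destination and time narrow it."""
    at, live, hits = _ts(at), {}, set()
    def matches(ev):
        return (ev["translated_src_ip"] == translated_ip
                and (ev["dest_ip"], ev["dest_port"]) == (dest_ip, dest_port))
    for ev in map(parse_line, lines):
        key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        if ev["event"] == "START":
            live[key] = ev              # session opened, no END seen yet
            continue
        start = live.pop(key, None)     # END closes the matching START
        if start and matches(start) and start["timestamp"] <= at <= ev["timestamp"]:
            hits.add((start["src_ip"], start["src_port"], start["sub_id"]))
    for start in live.values():         # never ended: live if it began before `at`
        if matches(start) and start["timestamp"] <= at:
            hits.add((start["src_ip"], start["src_port"], start["sub_id"]))
    return sorted(hits)

SAMPLE = [  # constructed sample lines: two internal hosts share 198.51.100.2 (PAT)
    "START,2024-05-01T10:00:00,/Common/vs_out,10.1.1.5,51000,203.0.113.9,443,198.51.100.2,203.0.113.9,sub-a",
    "START,2024-05-01T10:00:05,/Common/vs_out,10.1.1.7,52000,203.0.113.9,443,198.51.100.2,203.0.113.9,sub-b",
    "END,2024-05-01T10:00:30,/Common/vs_out,10.1.1.5,51000,203.0.113.9,443,198.51.100.2,203.0.113.9,sub-a",
    "START,2024-05-01T10:01:00,/Common/vs_out,10.1.1.8,53000,192.0.2.20,80,198.51.100.2,192.0.2.20,sub-c",
]
```

An END whose START was never logged is ignored, so entries suppressed by an Aggregate Rate Limit leave gaps in this lookup; size the limit with that in mind if these logs are relied on for attribution.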

Create a local DB log publisher

Viewing log files with the Advanced Shell (bash) can be difficult if you don't have experience with text pagers such as less, or text filters such as grep. Alternatively, you can view NAT logging events using the AFM Event Logs viewer, available in the BIG-IP Configuration Utility. The AFM Event Logs viewer provides a convenient way for you to filter and view NAT logging events based on time, IP addresses, or service ports. To use the AFM Event Logs viewer, you must create a log destination specifying local-db as the logging target.
  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Type a Name and optional Description.
  4. From the Type list, select Splunk.
  5. From the Forward To list, select local-db.
  6. Click Finished.
    The new log destination appears in the log destinations list.
  7. From the Configuration tab at the top of the page, select Log Publishers.
  8. Click Create.
  9. Type a Name and optional Description.
  10. For the Destinations setting, in the Available box, select the newly created log destination and move it to the Selected box.
  11. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.

Create a local file system log publisher

You can use the Advanced Shell (bash) to view NAT events logged to the local /var/log/ltm file. For more information about reviewing BIG-IP system log files, refer to article K16197: Reviewing BIG-IP log files at support.f5.com/csp/article/K16197. To view NAT events using bash, you must create a log destination specifying local-syslog as the logging target.
  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Type a Name and optional Description.
  4. From the Type list, select Splunk.
  5. From the Forward To list, select local-syslog.
  6. Click Finished.
    The new log destination is listed in the Log Destinations area.
  7. From the Configuration tab at the top of the page, select Log Publishers.
  8. Click Create.
  9. Type a Name and optional Description.
  10. For the Destinations setting, under Available, select the newly created log destination and move it to the Selected box.
  11. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.

Create a remote server log publisher

You can send NAT event logs to a pool of remote high-speed logging servers. To send NAT event logs using remote high-speed logging, you must create a log destination of type Remote High-Speed Log with a Pool as the logging target.
  1. On the Main tab, click Local Traffic > Pools.
  2. Click Create.
  3. Type a Name and optional Description.
  4. In the Resources area, for the New Member setting, type the IP Address and Service Port of a remote logging server.
    Remote logging servers typically use service port 514.
  5. Click Add, and repeat steps 4 and 5 for additional remote logging servers.
  6. Click Finished.
  7. On the Main tab, click System > Logs > Configuration > Log Destinations.
  8. Click Create.
  9. Type a Name and optional Description.
  10. From the Type list, select Remote High-Speed Log.
  11. From the Pool Name list, select the new pool created in the previous steps.
  12. From the Distribution list, select one of the available distribution methods:
    • Adaptive - Connections to pool members will be added as required to provide enough logging bandwidth. This can have the undesirable effect of logs accumulating on only one pool member when it provides sufficient logging bandwidth on its own.
    • Balanced - Sends each successive log to a new pool member, balancing the logs among them according to the pool's load balancing method.
    • Replicated - Replicates each log message to all pool members.
  13. Click Finished.
  14. From the Configuration tab at the top of the page, select Log Publishers.
  15. Click Create.
  16. Type a Name and optional Description.
  17. In the Destinations setting, under Available, click the newly created log destination and move it to the Selected box.
  18. Click Finished.
You have created a new log publisher that can be referenced by an AFM NAT logging profile.

Create an AFM NAT logging profile

You must have created a BIG-IP system Log Destination and Log Publisher before you can create a logging profile.
You can create a NAT logging profile to customize the information logged when an AFM NAT mapping event occurs.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
  2. Click Create.
  3. In the Network Address Translation setting, click the Enabled check box.
    The Network Address Translation logging options display below the Logging Profile Properties area.
  4. From the Aggregate Rate Limit list, click Specify to type the maximum number of log messages per second.
    The default setting is Indefinite, or no set limit.
  5. From the Start Outbound Session list, select one of the available options:
    • Enabled - Logs the beginning of an outbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  6. From the End Outbound Session list, select one of the available options:
    • Enabled - Logs the end of an outbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  7. From the Start Inbound Session list, select one of the available options:
    • Enabled - Logs the beginning of an inbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  8. From the End Inbound Session list, select one of the available options:
    • Enabled - Logs the end of an inbound NAT mapping event. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  9. From the Quota Exceeded list, select one of the available options:
    • Enabled - Generates an event log message when a NAT client exceeds the allocated NAT resources. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  10. From the Errors list, select one of the available options:
    • Enabled - Generates an event log message when a NAT translation error occurs. To configure the Storage Format, refer to AFM NAT logging storage format options, in the introduction of this section.
    • Backup Allocation Only - Logs only translation events that use the backup addresses configured in a NAT Source Translations object.
    • Disabled - The NAT mapping event is not logged. The default setting.
  11. From the Publisher list, select the appropriate log publisher.
  12. Click Create.
You have created a NAT logging profile that can now be associated with a NAT policy.