Manual Chapter : Configuring High-Speed Remote Logging of DNS DoS events

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Configuring High-Speed Remote Logging of DNS DoS events

Overview: Configuring remote high-speed DNS logging

You can configure the BIG-IP system to log information about DNS traffic and send the log messages to remote high-speed log servers. You can choose to log either DNS queries or DNS responses, or both. In addition, you can configure the system to perform logging on DNS traffic differently for specific resources. For example, you can configure logging for a specific resource, and then disable and re-enable logging for the resource based on your network administration needs.
This illustration shows the association of the configuration objects for remote high-speed logging.
Association of remote high-speed logging configuration objects

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. At the top of the screen, click
    Configuration
    .
  2. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  3. Click
    Create
    .
    The New Pool screen opens.
  4. In the
    Name
    field, type a unique name for the pool.
  5. Using the
    New Members
    setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a service number in the
      Service Port
      field, or select a service name from the list.
      Typical remote logging servers require port
      514
      .
    3. Click
      Add
      .
  6. Click
    Finished
    .

Create a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to specify that log messages are sent to a pool of remote log servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select
    Remote High-Speed Log
    .
    If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the
    Remote High-Speed Log
    type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the
    Pool Name
    list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the
    Protocol
    list, select the protocol used by the high-speed logging pool members.
  7. Click
    Finished
    .

Create a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select a formatted logging destination, such as
    Remote Syslog
    ,
    Splunk
    , or
    IPFIX
    .
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected
    Remote Syslog
    , then from the
    Syslog Format
    list select a format for the logs, and then from the
    High-Speed Log Destination
    list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
  6. If you selected
    Splunk
    or
    IPFIX
    , then from the
    Forward To
    list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click
    Finished
    .

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Publishers
    .
    The Log Publishers screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this publisher.
  4. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Click
    Finished
    .

Create a custom DNS DoS protection logging profile

Create a custom logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the logging profile.
  4. In the Logging Profile Properties, select the
    DoS Protection
    check box.
    The DoS Protection tab opens.
  5. In the DNS DoS Protection area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  6. Click
    Create
    .
    The logging profile is created.
Now you created a logging profile so that the BIG-IP system can log messages about SIP DoS events and send the log messages to a pool of IPFIX collectors.
Assign this custom DNS DoS logging profile to a protected object.

Logging DoS/DDoS Events for a Protected Object

Assign a logging profile to a protected object when you want the system to log DoS events.
  1. On the Main tab, click
    Security
    DoS Protection
    Protected Objects
    .
  2. Click the name of the protected object for which you want to log DoS events.
    The Properties pane opens on the right.
  3. In the Network & General area, for
    Logging Profiles
    , move the logging profile to assign from the Available list into the Selected list.
    You can create, and modify log publishers in
    System
    Logs
    Configuration
    Log Publishers
    .
  4. Click
    Save
    .
The system logs DoS events for the protected object.
You can review DoS event logs at
Security
Event Logs
DoS
and select the type of DoS event log to view.

Disable DNS DoS logging

Disable DNS DoS logging when you no longer want the BIG-IP system to log information about the DNS traffic handled by the resources to which the logging profile is assigned.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click the name of a profile.
  3. Disable DNS DoS logging:
    • If the profile handles logging for DNS DoS protection only, for
      DoS Protection
      , uncheck the
      Enabled
      check box.
    • If the profile handles logging for SIP or Network DoS as well as DNS, in DNS DoS Protection, you can change the
      Publisher
      to
      none
      .
  4. Click
    Update
    .
The system does not log DNS traffic handled by the resources to which this profile is assigned.