Manual Chapter : Logging SIP DoS Events to IPFIX Collectors

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Logging SIP DoS Events to IPFIX Collectors

Overview: Configuring IPFIX logging for SIP DoS

You can configure the BIG-IP system to log information about SIP denial-of-service (SIP DoS) events and send the log messages to remote IPFIX collectors.
IPFIX is a set of IETF standards. The BIG-IP system supports logging of SIP DoS events over the IPFIX protocol . IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates.
IPFIX collectors
are external devices that can receive IPFIX templates and use them to interpret IPFIX logs.
The configuration process involves creating and connecting the following configuration objects:
Object
Reason
Pool of IPFIX collectors
Create a pool of IPFIX collectors to which the BIG-IP system can send IPFIX log messages.
Destination
Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors.
Publisher
Create a log publisher to send logs to a set of specified log destinations.

Task summary

Perform these tasks to configure IPFIX logging of SIP DoS events on the BIG-IP system.
Enabling IPFIX logging impacts BIG-IP system performance.

Assemble a pool of IPFIX collectors

Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors that you want to include in the pool. Ensure that the remote IPFIX collectors are configured to listen to and receive log messages from the BIG-IP system.
You can create a pool of IPFIX collectors to which the system can send IPFIX log messages.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. Using the
    New Members
    setting, add the IP address for each IPFIX collector that you want to include in the pool:
    1. Type the collector's IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a port number in the
      Service Port
      field.
      By default, IPFIX collectors listen on UDP or TCP port
      4739
      and Netflow V9 devices listen on port
      2055
      , though the port is configurable at each collector.
    3. Click
      Add
      .
  5. Click
    Finished
    .

Create an IPFIX log destination

A log destination of the
IPFIX
type specifies that log messages are sent to a pool of IPFIX collectors. Use these steps to create a log destination for IPFIX collectors.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select
    IPFIX
    .
  5. From the
    Protocol
    list, select
    IPFIX
    or
    Netflow V9
    , depending on the type of collectors you have in the pool.
  6. From the
    Pool Name
    list, select an LTM pool of IPFIX collectors.
  7. From the
    Transport Profile
    list, select
    TCP
    ,
    UDP
    , or any customized profile derived from TCP or UDP.
  8. The
    Template Retransmit Interval
    is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the
    Transport Profile
    is a
    UDP
    profile.
    An
    IPFIX template
    defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.
    The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
  9. The
    Template Delete Delay
    is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
  10. The
    Server SSL Profile
    applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the
    Transport Profile
    is a
    TCP
    profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.
    SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
  11. Click
    Finished
    .

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Publishers
    .
    The Log Publishers screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this publisher.
  4. For the
    Destinations
    setting, select a destination from the
    Available
    list, and move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db key to
    false
    . If all the remote high-speed log (HSL) destinations are down (unavailable), setting the
    logpublisher.atomic
    db key to
    false
    will not work to allow the logs to be written to local-syslog. The
    logpublisher.atomic
    db key has no effect on local-syslog.
  5. Click
    Finished
    .

Create a custom DNS DoS protection logging profile

Create a custom logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click
    Security
    Event Logs
    Logging Profiles
    .
    The Logging Profiles list screen opens.
  2. Click
    Create
    .
    The Create New Logging Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the logging profile.
  4. In the Logging Profile Properties, select the
    DoS Protection
    check box.
    The DoS Protection tab opens.
  5. In the DNS DoS Protection area, from the
    Publisher
    list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  6. Click
    Create
    .
    The logging profile is created.
Now you created a logging profile so that the BIG-IP system can log messages about SIP DoS events and send the log messages to a pool of IPFIX collectors.
Assign this custom DNS DoS logging profile to a protected object.

Logging DoS/DDoS Events for a Protected Object

Assign a logging profile to a protected object when you want the system to log DoS events.
  1. On the Main tab, click
    Security
    DoS Protection
    Protected Objects
    .
  2. Click the name of the protected object for which you want to log DoS events.
    The Properties pane opens on the right.
  3. In the Network & General area, for
    Logging Profiles
    , move the logging profile to assign from the Available list into the Selected list.
    You can create, and modify log publishers in
    System
    Logs
    Configuration
    Log Publishers
    .
  4. Click
    Save
    .
The system logs DoS events for the protected object.
You can review DoS event logs at
Security
Event Logs
DoS
and select the type of DoS event log to view.