Manual Chapter :
Logging Network Firewall Events
Applies To:
Show Versions
BIG-IQ Centralized Management
- 7.1.0
Logging Network Firewall Events
Configuring Network Security event logging over multiple DCDs
BIG-IQ receives AFM events from BIG-IP via it's Data Collection
Devices (DCD). To optimize the process, while ensuring high availability, it is
best to load balance log events to a remote logging pool of DCDs. This will
prevent data loss, in the instance that a DCD becomes unavailable, without
unnecessary duplication of information.
While Network Security provides and automated process for creating
a logging profile, and its associated objects, you need manually add your DCD pool
to the Log Publisher's destination list.
To complete this process for Network Security, you must have
previously configured the following:
- An imported and discovered BIG-IP device that hosts your AFM policy and logging profile.
- A remote logging pool of DCDs configured to the service port number8018.
For more information about configuring a remote pool of DCDs, see
Connect Devices to a Data Collection Device Cluster
in the Planning and Implementing a BIG-IQ Deployment
guide at support.f5.com
. If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.
Configure a DCD pool as a Log Destination
You must create a remote logging pool for the DCDs
configured to the service port of your module. For more information see
Connect Devices to a Data Collection Device cluster
in
the Planning and Implementing a BIG-IQ Deployment
guide at support.f5.com
.Create a Remote High-Speed Log and Splunk-type Log
Destination to specify that log messages are sent to your pool of DCDs.
- At the top of the screen, clickConfiguration, then, on the left, click .The Log Destinations screen displays a list of the log destinations that are defined on this device.
- ClickCreate.
- Type a uniqueNamefor this destination.
- From theTypelist, selectRemote High-Speed Log
- From theProtocollist, selectTCP.
- From theDevicelist, select the BIG-IP device that hosts your service module's policy or profile.
- From thePoollist, select your pool of DCDs.
- ClickSave & Close.The Log Destinations screen opens.
- ClickCreate.
- Type a uniqueNamefor this destination.
- From theTypelist, selectSplunk.
- Under theForward Tofield, selectRemote High-Speed Log, and select the Remote High-Speed log saved in step 8.
- ClickSave & Close.
You have now designated your DCD pool as a remote
destination for BIG-IP to send its logging data. If your system has multiple modules
that require event logging, ensure that you repeat this process for the module's
designated DCD pool.
Create a Log Publisher to specify that BIG-IP system
sends log messages to BIG-IQ. When configuring your Log Publisher ensure you are adding
the Splunk-type Log Destination.
Configure viewing of Network Security data logs
Before you configure monitoring of Network Security data logging, you need to ensure that the Network Security service is running on the DCD.
Ensure that the Network Security service is activated by
reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices
screen:
.Note whether the designated DCD listener is
configured to monitor the BIG-IP devices using their self-IP or management
network IP address. It is strongly discouraged to use the management network for
data collection purposes, as it is not intended for production traffic. In the
case that your DCD is using the management network IP, you must define a network
routing gateway on your BIG-IP device as described in
BIG-IP TMOS: Routing
Administration
. If you deactivate
the Network Security service for a DCD, or remove a DCD with that service
enabled, the associated pool member will be removed from the pool when you next
deploy to the BIG-IP device (or devices). The pool
afm-remote-logging-pool_
contains the pool member for the specified BIG-IP device.big-ipname
You configure the collection of Network Security data logs so that you can better view and monitor information about your Network Security policies and firewalls. The BIG-IQ Centralized Management system provides a single button configuration process that creates and configures the needed configuration objects. The system creates these configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The configuration objects are shared among the Shared Security
virtual servers that were selected. The objects that are created should not be
modified. Modifying these objects could affect the ability of the BIG-IP devices to
send Network Security events to the DCD.
- Click.
- In the list of firewall contexts, select the check box to the left of the one or more virtual servers to use.The virtual servers are listed in the Firewall Type column as vip.
- ClickConfigure Logging.The Network Security Logging Configuration dialog box opens.
- In the dialog box, clickContinue.The dialog box shows the configuration status, including which objects were created.
- ClickClose.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service using these steps.
- Click.
- In the Deployments area, clickCreate.
- Specify aNameandDescription, and select the appropriate deployment options.
- In the Target Device(s) area, select the device used by the application and clickCreate.
The deployment causes some the objects created by the Network Security logging configuration process to be deployed to the device. - Deploy the BIG-IP device for the virtual server using the Network Security service using these steps.
- Click.
- In the Deployments area, clickCreate.
- Specify aNameandDescription, and select the appropriate deployment options.
- In the Target Device(s) area, select the BIG-IP device to deploy and clickCreate.
The deployment causes the remaining objects created by the Network Security logging configuration process to be deployed to the device.
You can now receive Network Security events from the BIG-IP devices associated with the virtual servers, and view them on the
screens. Edit a Log Publisher Log Destination
You must have created the log destination before you
can add it to the an existing Log Publisher. For more information see
Managing Logs
in support.f5.com
.Edit the Log Publisher destination settings to change
the pools that receive remote logging messages from BIG-IP.
- At the top of the screen, clickConfiguration, then, on the left, click .The screen displays a list of the Log Publishers that are defined on this device.
- Select the name of the log publisher you wish to edit.The log publisher properties screen opens.
- To add log destinations, select the Log Destination(s) from theAvailablelist and use the arrow to move your selection to theSelectedlist.You can filter theAvailablelist by selecting the type of destination from the drop-down list.
- To remove log destinations, select the Log Destination(s) from theSelectedlist and use the arrow to move your selection to theAvailablelist.
- ClickSave & Close
You have changed the remote destinations associated
with the Log Publisher. This will alter where the BIG-IP device sends its log
data.
Deploy changes to your BIG-IP device.