Manual Chapter : Logging Network Firewall Events

Applies To: BIG-IQ Centralized Management 7.1.0

Logging Network Firewall Events

Configuring Network Security event logging over multiple DCDs

BIG-IQ receives AFM events from BIG-IP via its Data Collection Devices (DCDs). To optimize the process while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This prevents data loss if a DCD becomes unavailable, without unnecessary duplication of information.
While Network Security provides an automated process for creating a logging profile and its associated objects, you need to manually add your DCD pool to the Log Publisher's destination list.
To complete this process for Network Security, you must have previously configured the following:
  • An imported and discovered BIG-IP device that hosts your AFM policy and logging profile.
  • A remote logging pool of DCDs configured to the service port number 8018.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.

Configure a DCD pool as a Log Destination

You must create a remote logging pool for the DCDs configured to the service port of your module. For more information, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
     The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
  3. Type a unique Name for this destination.
  4. From the Type list, select Remote High-Speed Log.
  5. From the Protocol list, select TCP.
  6. From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
  7. From the Pool list, select your pool of DCDs.
  8. Click Save & Close.
     The Log Destinations screen opens.
  9. Click Create.
  10. Type a unique Name for this destination.
  11. From the Type list, select Splunk.
  12. Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed Log destination saved in step 8.
  13. Click Save & Close.
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for the module's designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher, ensure that you add the Splunk-type Log Destination.

Configure viewing of Network Security data logs

Before you configure monitoring of Network Security data logging, you need to ensure that the Network Security service is running on the DCD.
Ensure that the Network Security service is activated by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen: System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
Note whether the designated DCD listener is configured to monitor the BIG-IP devices using their self-IP or their management network IP address. Using the management network for data collection is strongly discouraged, as it is not intended for production traffic. If your DCD is using the management network IP, you must define a network routing gateway on your BIG-IP device as described in BIG-IP TMOS: Routing Administration.
If you deactivate the Network Security service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool afm-remote-logging-pool_<big-ipname> contains the pool member for the specified BIG-IP device.
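A preflight check for the prerequisites above (each DCD pool member on service port 8018, not on the management network, and reachable over TCP), written here as an added Python example; it is not F5 code or part of this chapter. The member list, the management subnet and the injectable probe helper are assumptions constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

AFM_DCD_PORT = 8018  # DCD service port for Network Security events (from the chapter)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dcd_pool(members: List[str], mgmt_network: str,
                   probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, List[str]]:
    """Check each 'ip:port' pool member against the chapter's prerequisites.

    Returns member -> list of findings; an empty list means the member listens on
    8018, is not on the management network, and answered the TCP probe. The probe
    is injectable so the check can run offline (hypothetical helper, IPv4 only).
    """
    mgmt = ipaddress.ip_network(mgmt_network, strict=False)
    findings: Dict[str, List[str]] = {}
    for member in members:
        host, _, port_text = member.rpartition(":")
        issues: List[str] = []
        try:
            port = int(port_text)
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings[member] = ["member is not in ip:port form"]
            continue
        if port != AFM_DCD_PORT:
            issues.append(f"port {port} is not the Network Security service port {AFM_DCD_PORT}")
        if addr in mgmt:
            issues.append("address is on the management network; use a self-IP-routed address")
        if not probe(host, port):
            issues.append(f"no TCP answer on {host}:{port}; check the pool member and routing")
        findings[member] = issues
    return findings


def pool_name_for(bigip_name: str) -> str:
    """Name BIG-IQ gives the auto-created per-device pool, as stated in the chapter."""
    return f"afm-remote-logging-pool_{bigip_name}"
```

Run it with the real DCD addresses before clicking Configure Logging; any non-empty finding list is a member that will silently drop or never receive AFM events.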
You configure the collection of Network Security data logs so that you can better view and monitor information about your Network Security policies and firewalls. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates these configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send Network Security events to the DCD.
  1. Click Configuration > SECURITY > Network Security > Contexts.
  2. In the list of firewall contexts, select the check box to the left of one or more virtual servers to use.
     The virtual servers are listed in the Firewall Type column as vip.
  3. Click Configure Logging.
     The Network Security Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
     The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, following these steps.
     1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
     2. In the Deployments area, click Create.
     3. Specify a Name and Description, and select the appropriate deployment options.
     4. In the Target Device(s) area, select the device used by the application and click Create.
     The deployment causes some of the objects created by the Network Security logging configuration process to be deployed to the device.
  7. Deploy the BIG-IP device for the virtual server using the Network Security service, following these steps.
     1. Click Deployment > EVALUATE & DEPLOY > Network Security.
     2. In the Deployments area, click Create.
     3. Specify a Name and Description, and select the appropriate deployment options.
     4. In the Target Device(s) area, select the BIG-IP device to deploy and click Create.
     The deployment causes the remaining objects created by the Network Security logging configuration process to be deployed to the device.
You can now receive Network Security events from the BIG-IP devices associated with the virtual servers, and view them on the Monitoring > EVENTS > Network Security screens.

Edit a Log Publisher Log Destination

You must have created the log destination before you can add it to an existing Log Publisher. For more information, see Managing Logs at support.f5.com.
Edit the Log Publisher destination settings to change the pools that receive remote logging messages from BIG-IP.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
     The screen displays a list of the Log Publishers that are defined on this device.
  2. Select the name of the log publisher you wish to edit.
     The log publisher properties screen opens.
  3. To add log destinations, select the Log Destination(s) from the Available list and use the arrow to move your selection to the Selected list.
     You can filter the Available list by selecting the type of destination from the drop-down list.
  4. To remove log destinations, select the Log Destination(s) from the Selected list and use the arrow to move your selection to the Available list.
  5. Click Save & Close.
You have changed the remote destinations associated with the Log Publisher. This will alter where the BIG-IP device sends its log data.
Deploy changes to your BIG-IP device.