BIG-IQ Centralized Management
Managing Web Application Security logging
Create a logging profile for application security
- Discover and activate a BIG-IQ Data Collection Device.
- Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
- Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A logging profile determines which events the system logs, where they are logged, and in what format. It then directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.
- Go to. To view a logging profile of a specific protected object, go to and select the logging profile link associated with the object in the dashboard's list.
- Click Create and select Log Profile. The New Logging Profile screen opens with the Properties displayed.
- Type a Name for the logging profile.
- Type an optional Description for the logging profile.
- If needed, change the default Common partition in the Partition field. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it.
- For Application Templates, specify whether the profile is available to application templates.
- To make the profile available to application templates, select the Make available check box.
- To keep the profile from being available to application templates, clear the check box.
- On the left, click the logging type that you want to use, and then select the Enabled check box to display the related settings.
You must configure each enabled logging type before you can use it. You can do that now, or save the profile and configure the logging types later.
- Enable APPLICATION SECURITY to specify that the system logs traffic to the web application. You cannot enable both APPLICATION SECURITY and PROTOCOL SECURITY. Refer to the Configure for Application Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
- Enable PROTOCOL SECURITY to specify that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. Refer to the Configure for Protocol Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
- Enable NETWORK FIREWALL to specify that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Refer to the Configure for Network Firewall logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
- Enable NETWORK ADDRESS TRANSLATION to specify which Network Address Translation (NAT) events the system logs, and where those events are logged. Refer to the Configure for Network Address Translation logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
- Enable DOS PROTECTION to specify that the system logs detected DoS attacks, and where DoS events are logged.
- Enable BOT DEFENSE to specify that the system logs bot defense events. Refer to the Configure for Bot Defense logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
- Specify the settings needed for each logging type you use. You can configure multiple logging types while editing the logging profile.
- When finished, save your changes.
Configuring Web Application Security logging over multiple DCDs
- An imported and discovered BIG-IP device that hosts your ASM policy and log profile.
- A separate BIG-IP device that can host a virtual server that load balances events to the DCD pool.
- A remote logging pool of DCDs configured to the service port number 8514.
Configure high availability logging for Web Application
- Primary BIG-IP device: This device hosts the virtual server with the ASM policy and an enabled HTTP logging profile.
- A load balancing BIG-IP device: This is a separate BIG-IP device that hosts a virtual server that load balances logging messages to the pool of DCDs created in this task. When creating a load balancing virtual server you can use one of the following options:
- Create a new virtual server using BIG-IQ by going to and clicking Create.
- Create a new logging profile, by going to:
- In the Name field, add a unique name for the profile.
- Click APPLICATION SECURITY from the left menu, and select Enabled.
- From the Remote Storage field, select Enabled.
- From the Server Addresses field, enter the IP Address and Port values of the virtual server that hosts the DCD pool configured to port 8514.
- Click the Add button next to the port value.
- In the Storage Filter area, from the Request Type field, select All Requests.
- Click Save & Close.
- Add the logging profile to the virtual server with the ASM security policy by going to.
- Click the name of the virtual server with ASM security policy.
- From the Logging Profiles field, select the name of the logging profile created.
- Click Save & Close.
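
The constraints stated in the two procedures above (no whitespace in the partition name, APPLICATION SECURITY and PROTOCOL SECURITY not enabled together, every enabled logging type configured, remote storage pointed at port 8514 with All Requests) can be checked on a planned profile before it is deployed. This is an added example, not F5 code: the dictionary layout and the `check_profile` function are hypothetical and do not correspond to a BIG-IQ API or export format.

```python
import ipaddress

# Logging types named on this page. The dict layout used here is a hypothetical
# planning format for review, not a BIG-IQ API or export schema.
LOG_TYPES = {"APPLICATION SECURITY", "PROTOCOL SECURITY", "NETWORK FIREWALL",
             "NETWORK ADDRESS TRANSLATION", "DOS PROTECTION", "BOT DEFENSE"}
DCD_PORT = 8514  # service port of the DCD pool, as stated on this page


def check_profile(profile):
    """Return a list of problems found in a planned logging profile."""
    problems = []
    if not profile.get("name", "").strip():
        problems.append("profile has no name")
    partition = profile.get("partition", "Common")
    if not partition or any(ch.isspace() for ch in partition):
        problems.append(f"partition {partition!r} is empty or contains whitespace")
    types = profile.get("types", {})
    for name in sorted(set(types) - LOG_TYPES):
        problems.append(f"unknown logging type {name!r}")
    enabled = {n for n, t in types.items() if t.get("enabled")}
    if {"APPLICATION SECURITY", "PROTOCOL SECURITY"} <= enabled:
        problems.append("APPLICATION SECURITY and PROTOCOL SECURITY both enabled")
    for name in sorted(enabled):
        if not types[name].get("settings"):
            problems.append(f"{name} is enabled but not configured")
    app = types.get("APPLICATION SECURITY", {})
    cfg = app.get("settings") or {}
    if app.get("enabled") and cfg.get("remote_storage"):
        if not cfg.get("servers"):
            problems.append("remote storage enabled without a server address")
        for entry in cfg.get("servers", []):
            host, _, port = entry.rpartition(":")
            try:
                ipaddress.ip_address(host.strip("[]"))
            except ValueError:
                problems.append(f"server {entry!r}: invalid IP address")
            if port != str(DCD_PORT):
                problems.append(f"server {entry!r}: port is not {DCD_PORT}")
        if cfg.get("request_type") != "All Requests":
            problems.append("storage filter request type is not 'All Requests'")
    return problems


# Constructed sample (documentation-range address), matching the HA procedure.
SAMPLE = {"name": "asm-remote-logging", "partition": "Common", "types": {
    "APPLICATION SECURITY": {"enabled": True, "settings": {
        "remote_storage": True, "servers": ["192.0.2.10:8514"],
        "request_type": "All Requests"}}}}
```

Calling `check_profile(SAMPLE)` returns an empty list; each string in a non-empty result names one setting to correct in the New Logging Profile screen before saving.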