Manual Chapter :
Logging Bot Defense requests
Applies To:
BIG-IQ Centralized Management
- 7.1.0
Configuring Bot Defense logging over multiple DCDs
BIG-IQ receives Bot Defense messages from BIG-IP via its Data
Collection Devices (DCDs). To optimize the process while ensuring high availability, it
is best to load balance log events to a remote logging pool of DCDs. This prevents
data loss if a DCD becomes unavailable, without unnecessary
duplication of information.
To complete this process for Bot Defense, you must have previously
configured the following:
- An imported and discovered BIG-IP device that hosts your Bot Defense profile and Bot Request logging profile.
- A remote logging pool of DCDs configured to the service port number 8514.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com. If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.
Configure a DCD pool as a Log Destination
You must create a remote logging pool for the DCDs configured to the service port of your module. For more information, see Connect Devices to a Data Collection Device cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
1. At the top of the screen, click Configuration, then, on the left, click . The Log Destinations screen displays a list of the log destinations that are defined on this device.
2. Click Create.
3. Type a unique Name for this destination.
4. From the Type list, select Remote High-Speed Log.
5. From the Protocol list, select TCP.
6. From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
7. From the Pool list, select your pool of DCDs.
8. Click Save & Close. The Log Destinations screen opens.
9. Click Create.
10. Type a unique Name for this destination.
11. From the Type list, select Splunk.
12. Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed log saved in step 8.
13. Click Save & Close.
You have now designated your DCD pool as a remote
destination for BIG-IP to send its logging data. If your system has multiple modules
that require event logging, ensure that you repeat this process for the module's
designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system
sends log messages to BIG-IQ. When configuring your Log Publisher, ensure you are adding
the Splunk-type Log Destination.
Create a Log Publisher for a DCD pool
Create a remote logging pool of DCDs, and specify your
BIG-IQ's DCD pool as a remote Log Destination.
Create a Log Publisher to specify to your managed
BIG-IP device to send log messages to BIG-IQ.
If you are configuring logging for the following service
modules, you do not need to create a new Log Publisher:
- Web Application Security (ASM or Adv. WAF)
- DoS Protection
- Network Security (AFM)
- Configure logging for Web Application Security
- Configure logging for DoS Protection and Network Security
1. At the top of the screen, click Configuration, then, on the left, click . The screen displays a list of the Log Publishers that are defined on this device.
2. Click Create.
3. Under Name, type a unique name for this publisher.
4. In the Log Destination area, move the Splunk-type log destination from the Available list to the Selected list.
5. Click Save & Close.
6. Pin the new log publisher to your host BIG-IP device:
   a. Go to.
   b. Click the name of the BIG-IP device under the Pinning Policy column. If you have multiple devices, select the check box next to the names of the BIG-IP devices pinning policy to which you will pin the log publisher, and click Pin to Multiple Policies. The properties screen opens.
   c. In the center of the screen, locate the Local Traffic (LTM) field and select Log Publishers from the drop-down list.
   d. Select the box next to the name of the log publisher created from the list in the bottom half of the screen.
   e. Click Add Selected.
   f. Click Save & Close.
You have now created a log publisher that specifies
to BIG-IP to send log messages to the BIG-IQ DCD pool.
Create or edit a logging profile for your service
module that specifies which logging data to collect and to send information to the
proper log publisher.
Configure logging for Bot Defense requests
Before you can log bot requests, you must first have the following:
- One or more BIG-IP devices that are provisioned to have Bot Defense.
- A remote logging pool of your DCDs that is connected to a virtual server deployed over a load balancing BIG-IP device.
- Web Application Security is active for DCD services (see)
The following procedure is for Bot Defense profiles configured to BIG-IP devices version 14.1 or later. For logging bot request information from earlier versions of BIG-IP, see Configuring logging for DoS Protection and Network Security.
You can view bot request information by attaching a logging profile to the virtual servers that host your Bot Defense profile. To access Bot Defense information, you need to configure the BIG-IP system to send log information to BIG-IQ. This is done by:
- Creating a log publisher and pinning it to your BIG-IP device(s)
- Creating and attaching a bot request logging profile in Shared Security
- Deploying your changes over your BIG-IP device(s)
For more details about specific settings within the logging profile, see Configure logging for Bot Defense requests.
1. Click.
2. Click Create to create a remote bot logging profile.
3. Type a unique Name for this logging profile.
4. On the left, click BOT DEFENSE.
5. For Status, select the Enabled check box. The screen displays the Bot Defense request logging properties.
6. From the Remote Publisher list, select the logging publisher for your DCD pool.
7. Enable the for the appropriate request types of logging in the remaining fields.
8. When you are done, click Save & Close.
9. Attach the new logging profile to a Shared Security virtual server.
   a. Go to.
   b. Select the virtual server that hosts your Bot Defense profile.
   c. From the Logging Profiles field, select the logging profile created in step 6, and use the arrow to move it to the Selected list.
   d. Click Save & Close.
   e. Repeat step 6 for any additional virtual servers that host Bot Defense profiles.
10. Deploy your new pool, log destinations and log publisher over your BIG-IP device.
   a. Go to.
   b. In the Deployments list at the bottom half of the screen, click Create.
   c. In the Name field, add a unique name.
   d. Ensure that the Source and Source Scope fields are marked Current Changes and All Changes, respectively.
   e. From the Target Devices list, select the host BIG-IP device(s) over which to deploy changes.
   f. Click Create. The deployment is added to the Evaluations list.
   g. Once the evaluation is complete, click the box next to the deployment name and click Deploy. The new local traffic objects are deployed over the BIG-IP device.
11. Deploy changes to your Shared Security virtual server.
   a. Go to.
   b. Repeat steps 10b-g. The new logging profile on your Shared Security virtual server is now deployed over the BIG-IP device.
You can now monitor detected bot requests from the bot request log, from
.
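The chain this chapter builds (DCD pool on port 8514, Remote High-Speed Log over TCP, Splunk-type destination, Log Publisher, Bot Defense logging profile, virtual server) can be checked on an exported inventory before deployment. The following is an added example, not F5 code: the dictionary layout and every object name in it are hypothetical, and it reports the breaks that would stop bot request logs from reaching the DCDs.

```python
# Added example: the dict layout is a hypothetical inventory model, not a BIG-IQ schema.
DCD_PORT = 8514  # service port the page gives for the Bot Defense DCD pool

def audit_logging_chain(cfg):
    """Return findings; an empty list means the chain matches the procedure."""
    out = []
    dests = cfg["destinations"]
    for vs, profile_names in cfg["virtual_servers"].items():
        profiles = [cfg["logging_profiles"][n] for n in profile_names]
        bot = [p for p in profiles if p.get("bot_defense_enabled")]
        if not bot:
            out.append(f"{vs}: no attached profile has Bot Defense logging enabled")
        for prof in bot:
            pub = cfg["publishers"].get(prof.get("remote_publisher"))
            if not pub:
                out.append(f"{vs}: Remote Publisher is unset or has no destinations")
                continue
            for name in pub:
                dest = dests.get(name, {})
                if dest.get("type") != "splunk":
                    out.append(f"{vs}: {name} is not a Splunk-type destination")
                    continue
                hsl = dests.get(dest.get("forward_to"), {})
                if hsl.get("type") != "remote-high-speed-log":
                    out.append(f"{vs}: {name} does not forward to a Remote High-Speed Log")
                    continue
                if hsl.get("protocol") != "tcp":
                    out.append(f"{vs}: {dest['forward_to']} does not use TCP")
                members = cfg["pools"].get(hsl.get("pool"), [])
                if len(members) < 2:
                    out.append(f"{vs}: pool has under two DCDs, no failover for log events")
                out += [f"{vs}: {host} uses port {port}, expected {DCD_PORT}"
                        for host, port in members if port != DCD_PORT]
    return out

SAMPLE = {  # constructed inventory; addresses are documentation-range placeholders
    "pools": {"dcd_pool": [("192.0.2.11", 8514), ("192.0.2.12", 8514)],
              "solo_pool": [("192.0.2.13", 9999)]},
    "destinations": {
        "hsl_dcd": {"type": "remote-high-speed-log", "protocol": "tcp", "pool": "dcd_pool"},
        "splunk_dcd": {"type": "splunk", "forward_to": "hsl_dcd"},
        "hsl_solo": {"type": "remote-high-speed-log", "protocol": "udp", "pool": "solo_pool"},
        "splunk_solo": {"type": "splunk", "forward_to": "hsl_solo"}},
    "publishers": {"pub_ok": ["splunk_dcd"], "pub_bad": ["splunk_solo", "hsl_dcd"]},
    "logging_profiles": {
        "bot_ok": {"bot_defense_enabled": True, "remote_publisher": "pub_ok"},
        "bot_bad": {"bot_defense_enabled": True, "remote_publisher": "pub_bad"}},
    "virtual_servers": {"vs_good": ["bot_ok"], "vs_bad": ["bot_bad"], "vs_none": []},
}
```

Calling `audit_logging_chain(SAMPLE)` returns nothing for `vs_good` and one finding per broken link for `vs_bad` and `vs_none`.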