Manual Chapter : Logging Bot Defense requests

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

Logging Bot Defense requests

Configuring Bot Defense logging over multiple DCDs

BIG-IQ receives Bot Defense messages from BIG-IP via it's Data Collection Devices (DCD). To optimize the process, while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This will prevent data loss, in the instance that a DCD becomes unavailable, without unnecessary duplication of information.
To complete this process for Bot Defense, you must have previously configured the following:
  • An imported and discovered BIG-IP device that hosts your Bot Defense profile and Bot Request logging profile.
  • A remote logging pool of DCDs configured to the service port number
    8514
    .
For more information about configuring a remote pool of DCDs, see
Connect Devices to a Data Collection Device Cluster
in the
Planning and Implementing a BIG-IQ Deployment
guide at
support.f5.com
.
If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.

Configure a DCD pool as a Log Destination

You must create a remote logging pool for the DCDs configured to the service port of your module. For more information see
Connect Devices to a Data Collection Device cluster
in the
Planning and Implementing a BIG-IQ Deployment
guide at
support.f5.com
.
Create a Remote High-Speed Log and Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Destinations
    .
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click
    Create
    .
  3. Type a unique
    Name
    for this destination.
  4. From the
    Type
    list, select
    Remote High-Speed Log
  5. From the
    Protocol
    list, select
    TCP
    .
  6. From the
    Device
    list, select the BIG-IP device that hosts your service module's policy or profile.
  7. From the
    Pool
    list, select your pool of DCDs.
  8. Click
    Save & Close
    .
    The Log Destinations screen opens.
  9. Click
    Create
    .
  10. Type a unique
    Name
    for this destination.
  11. From the
    Type
    list, select
    Splunk
    .
  12. Under the
    Forward To
    field, select
    Remote High-Speed Log
    , and select the Remote High-Speed log saved in step 8.
  13. Click
    Save & Close
    .
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for the module's designated DCD pool.
Create a Log Publisher to specify that BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher ensure you are adding the Splunk-type Log Destination.

Create a Log Publisher for a DCD pool

Create a remote logging pool of DCDs, and specify your BIG-IQ's DCD pool as a remote Log Destination.
Create a Log Publisher to specify to your managed BIG-IP device to send log messages to BIG-IQ.
If you are configuring logging for the following service modules, you do not need to create a new Log Publisher:
  • Web Application Security (ASM or Adv. WAF)
  • DoS Protection
  • Network Security (AFM)
To complete this process, proceed to the following service module procedures:
  • Configure logging for Web Application Security
  • Configure logging for DoS Protection and Network Security
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Publishers
    .
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. Click
    Create
    .
  3. Under
    Name
    type a unique name for this publisher.
  4. In the
    Log Destination
    area, move the splunk-type log destination from the
    Available
    list to the
    Selected
    list.
  5. Click
    Save & Close
    .
  6. Pin the new log publisher to your host BIG-IP device:
    1. Go to
      Configuration
      LOCAL TRAFFIC
      Pinning Policies
      .
    2. Click the name of the BIG-IP device under the Pinning Policy column.
      If you have multiple devices, select the check box next to the names of the BIG-IP devices pinning policy to which you will pin the log publisher, and click
      Pin to Multiple Policies
      .
      The properties screen opens.
    3. In the center of the screen, locate the
      Local Traffic (LTM)
      field and select
      Log Publishers
      from the drop down list.
    4. Select the box next to the name of the log publisher created from the list in the bottom half of the screen.
    5. Click
      Add Selected
      .
    6. Click
      Save & Close
      .
You have now created a log publisher that specifies to BIG-IP to send log messages to the BIG-IQ DCD pool.
Create or edit a logging profile for your service module that specifies which logging data to collect and to send information to the proper log publisher.

Configure logging for Bot Defense requests

Before you can log bot requests, you must first have the following:
  • One or more BIG-IP devices that are provisioned to have Bot Defense.
  • A remote logging pool of your DCDs that is connected to a virtual server deployed over a load balancing BIG-IP device.
  • Web Application Security is active for DCD services (see
    System
    BIG-IQ DATA COLLECTION DEVICES
    SERVICES
    )
The following procedure is for Bot Defense profiles configured to BIG-IP devices version 14.1 or later. For logging bot request information from earlier versions of BIG-IP, see
Configuring logging for DoS Protection and Network Security
.
You can view bot request information by attaching a logging profile to the virtual servers that host your Bot Defense profile. To access Bot Defense information, you need to configure the BIG-IP system to send log information to BIG-IQ. This is done by:
  • Creating a log publisher and pin it to your BIG-IP device(s)
  • Creating and attaching a bot request logging profile in Shared Security
  • Deploying your changes over your BIG-IP device(s)
For more details about specific settings within the logging profile, see Configure logging for Bot Defense requests
.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. Click
    Create
    to create a remote bot logging profile.
  3. Type a unique
    Name
    for this logging profile.
  4. On the left, click
    BOT DEFENSE
    .
  5. For
    Status
    , select the
    Enabled
    check box.
    The screen displays the Bot Defense request logging properties.
  6. From the
    Remote Publisher
    list, select the logging publisher for your DCD pool.
  7. Enable the for the appropriate request types of logging in the remaining fields.
  8. When you are done, click
    Save & Close
    .
  9. Attach the new logging profile to a Shared Security virtual server.
    1. Go to
      Configuration
      SECURITY
      Shared Security
      Virtual Servers
      .
    2. Select the virtual server that hosts your Bot Defense profile.
    3. From the
      Logging Profiles
      field, select the logging profile created in step 6, and use the arrow to move it to the
      Selected
      list.
    4. Click
      Save & Close
      .
    5. Repeat step 6 for any additional virtual servers that host Bot Defense profiles.
  10. Deploy your new pool, log destinations and log publisher over your BIG-IP device.
    1. Go to
      Deployment
      EVALUATE & DEPLOY
      Local Traffic & Network
      .
    2. In the
      Deployments
      list at the bottom half of the screen and click
      Create
      .
    3. In the
      Name
      field add a unique name.
    4. Ensure that
      Source
      and
      Source Scope
      fields are marked
      Current Changes
      and
      All Changes
      , respectively.
    5. From the Target Devices list, select the host BIG-IP device(s) over which to deploy changes.
    6. Click
      Create
      .
      The deployment is added the to Evaluations list.
    7. Once the evaluation is complete, click the box next to the deployment name and click
      Deploy
      .
    The new local traffic objects are deployed over the BIG-IP device.
  11. Deploy changes to your Shared Security virtual server.
    1. Go to
      Deployment
      EVALUATE & DEPLOY
      Shared Security
      .
    2. Repeat steps 10b-g.
      The new logging profile on your Shared Security virtual server is now deployed over the BIG-IP device.
You can now monitor detected bot requests from the bot request log, from
Monitoring
EVENTS
Bot
Bot Requests
.