Manual Chapter: Logging DoS Protection events
Applies To: BIG-IQ Centralized Management 7.1.0
Configure device DoS event logging
You enable device DoS event logging for the devices displayed in the list. When enabled, you can view these device DoS events using the screens.
- Click . The Device DoS Configurations screen opens.
- To enable logging of device DoS events, click the check box next to the device to configure, and click Configure DoS Logging. To disable logging of device DoS events, click the check box next to the device to configure, and click Disable DoS Logging.
The DoS Logging Configuration dialog box opens so that you can begin the configuration process.
Review the information about the configuration process before continuing. This is described in the Monitoring DoS events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.
Configure for DoS Protection logging
Before you can log DoS protection events, you must first have configured DoS protection on one or more of your managed BIG-IP devices. In addition, you must have data collection devices (DCDs) in your BIG-IQ configuration. You must also activate Web Application Security for your DCD services. For logging bot requests from BIG-IP devices version 14.1 or later, see Configure Bot Defense logging.
You need to configure DoS protection logging profiles after you have enabled them. This configuration determines the kind of information that is logged. You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
- Click .
- On the Logging Profiles screen, click the name of the logging profile to configure. The logging-profile-name screen opens with the Properties displayed.
- On the left, click DoS Protection. The DoS Protection configuration screen opens.
- For Status, select the Enabled check box. The screen displays the DoS Protection properties.
- Supply the DoS Application Protection settings to configure where DoS application protection events are logged.
  - Enable Local Publisher to specify that the system logs DoS events to the local database.
  - Select a Remote Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
- In the DNS DoS Protection area, configure where DNS DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
- In the SIP DoS Protection area, configure where SIP DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
- In the Network DoS Protection area, configure where Network DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
- When you are finished, save your changes.
The DoS Protection configuration settings are saved.
Configuring DoS Protection event logging over multiple DCDs
BIG-IQ receives DoS Protection events from BIG-IP via its Data Collection Devices (DCDs). To optimize the process while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This prevents data loss if a DCD becomes unavailable, without unnecessary duplication of information.
While DoS Protection has an automated process for creating a logging profile and its associated objects, you need to manually add your DCD pool to the Log Publisher's destination list.
To complete this process for DoS Protection, you must have previously configured the following:
- An imported and discovered BIG-IP device that hosts DoS Protection and its logging profile.
- A remote logging pool of DCDs configured to the service port number 8020.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com. If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.
Configure a DCD pool as a Log Destination
You must create a remote logging pool for the DCDs configured to the service port of your module. For more information, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and a Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
- At the top of the screen, click Configuration, then, on the left, click . The Log Destinations screen displays a list of the log destinations that are defined on this device.
- Click Create.
- Type a unique Name for this destination.
- From the Type list, select Remote High-Speed Log.
- From the Protocol list, select TCP.
- From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
- From the Pool list, select your pool of DCDs.
- Click Save & Close. The Log Destinations screen opens.
- Click Create.
- Type a unique Name for this destination.
- From the Type list, select Splunk.
- Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed Log destination saved in step 8.
- Click Save & Close.
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for each module's designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher, ensure that you add the Splunk-type Log Destination.
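The same destination chain (DCD pool, Remote High-Speed Log destination over TCP, Splunk-type destination forwarding to it, Log Publisher using the Splunk-type destination) as the equivalent objects seen in tmsh on the BIG-IP, useful for confirming after deployment that events actually travel through that chain. This is an added example, not part of this guide or of BIG-IQ's own output; the object names and the 192.0.2.x DCD addresses are constructed placeholders, and the port follows the prerequisite above.

```tmsh
# Added example (not from the guide): the Log Destination / Log Publisher chain
# built above, as the equivalent tmsh objects on the BIG-IP. Object names and
# the 192.0.2.x DCD addresses are constructed placeholders.

# Remote logging pool of DCDs on the DCD service port (8020, per the prerequisite).
tmsh create ltm pool dcd-remote-logging-pool members add { 192.0.2.11:8020 192.0.2.12:8020 } monitor tcp

# Remote High-Speed Log destination: protocol TCP, pointed at the DCD pool.
tmsh create sys log-config destination remote-high-speed-log dcd-hsl { pool-name dcd-remote-logging-pool protocol tcp }

# Splunk-type destination whose Forward To is the HSL destination above.
tmsh create sys log-config destination splunk dcd-splunk { forward-to dcd-hsl }

# Log Publisher that sends through the Splunk-type destination, as the guide requires.
tmsh create sys log-config publisher dcd-log-publisher { destinations replace-all-with { dcd-splunk } }

# Verify the chain, and that the DCD pool members are up, before assigning a
# logging profile that uses this publisher.
tmsh list sys log-config publisher dcd-log-publisher
tmsh list sys log-config destination splunk dcd-splunk
tmsh show ltm pool dcd-remote-logging-pool members
```

A pool member shown as down in the last command means that DCD is not listening on 8020 (for example, the DoS Protection service is not active on it), and events load-balanced to it would be lost rather than queued.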
Configure viewing of DoS events
Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD. Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ip-name (where big-ip-name is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send DoS events to the DCD.
- Click .
- In the list, select the check box to the left of one or more virtual servers to use.
- Click Configure DoS Logging. The DoS Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service, using these steps:
  - Click .
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes some of the objects created by the DoS logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using either the Network Security or Web Application Security service, using these steps. You can use either service since both include the Shared Security objects.
  - Click or .
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes the rest of the objects created by the DoS logging configuration process to be deployed to the device.
You can now receive DoS events from the BIG-IP devices associated with the virtual servers and view them on the screens.
Edit a Log Publisher Log Destination
You must have created the log destination before you can add it to an existing Log Publisher. For more information, see Managing Logs on support.f5.com.
Edit the Log Publisher destination settings to change the pools that receive remote logging messages from BIG-IP.
- At the top of the screen, click Configuration, then, on the left, click . The Log Publishers screen displays a list of the log publishers that are defined on this device.
- Select the name of the log publisher you want to edit. The log publisher properties screen opens.
- To add log destinations, select the Log Destination(s) from the Available list and use the arrow to move your selection to the Selected list. You can filter the Available list by selecting the type of destination from the drop-down list.
- To remove log destinations, select the Log Destination(s) from the Selected list and use the arrow to move your selection to the Available list.
- Click Save & Close.
You have changed the remote destinations associated with the Log Publisher. This alters where the BIG-IP device sends its log data.
Deploy changes to your BIG-IP device.