Manual Chapter : Logging DoS Protection events

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Logging DoS Protection events

Configure device DoS event logging

You enable device DoS event logging for the devices displayed in the list. When enabled, you can view these device DoS events on the Monitoring > EVENTS > DoS screens.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > Device DoS Configurations.
    The Device DoS Configurations screen opens.
  2. To enable logging of device DoS events, click the check box next to the device to configure, and click Configure DoS Logging.
    To disable logging of device DoS events, click the check box next to the device to configure, and click Disable DoS Logging.
The DoS Logging Configuration dialog box opens so that you can begin the configuration process.
Review the information about the configuration process before continuing. This is described in the Monitoring DoS events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.

Configure for DoS Protection logging

Before you can log DoS protection events, you must first have configured DoS protection on one or more of your managed BIG-IP devices. In addition, you must have data collection devices (DCD) within your BIG-IQ configuration. You must also activate Web Application Security for your DCD services (System > BIG-IQ DATA COLLECTION DEVICES > SERVICES).
For logging bot requests from BIG-IP devices version 14.1 or later, see Configure Bot Defense logging.
You need to configure DoS protection logging profiles after you have enabled them. This configuration determines the kind of information that is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The logging-profile-name screen opens with the Properties displayed.
  3. On the left, click DoS Protection.
    The DoS Protection configuration screen opens.
  4. For Status, select the Enabled check box.
    The screen displays the DoS Protection properties.
  5. Supply the DoS Application Protection settings to configure where DoS application protection events are logged.
    • Enable Local Publisher to specify that the system logs DoS events to the local database.
    • Select a Remote Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  6. In the DNS DoS Protection area, configure where DNS DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  7. In the SIP DoS Protection area, configure where SIP DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  8. In the Network DoS Protection area, configure where Network DoS protection events are logged: select a Publisher to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  9. When you are finished, save your changes.
The DoS Protection configuration settings are saved.

Configuring DoS Protection event logging over multiple DCDs

BIG-IQ receives DoS Protection events from BIG-IP via its Data Collection Devices (DCD). To optimize the process while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This prevents data loss if a DCD becomes unavailable, without unnecessary duplication of information.
While DoS Protection has an automated process for creating a logging profile and its associated objects, you need to manually add your DCD pool to the Log Publisher's destination list.
To complete this process for DoS Protection, you must have previously configured the following:
  • An imported and discovered BIG-IP device that hosts DoS Protection and its logging profile.
  • A remote logging pool of DCDs configured to the service port number 8020.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.

Configure a DCD pool as a Log Destination

You must create a remote logging pool for the DCDs configured to the service port of your module. For more information see Connect Devices to a Data Collection Device cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
  3. Type a unique Name for this destination.
  4. From the Type list, select Remote High-Speed Log.
  5. From the Protocol list, select TCP.
  6. From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
  7. From the Pool list, select your pool of DCDs.
  8. Click Save & Close.
    The Log Destinations screen opens.
  9. Click Create.
  10. Type a unique Name for this destination.
  11. From the Type list, select Splunk.
  12. Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed Log destination saved in step 8.
  13. Click Save & Close.
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for the module's designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher, ensure you add the Splunk-type Log Destination.
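The chain this section and the earlier prerequisites describe (a pool of DCDs on service port 8020, a Remote High-Speed Log destination over TCP that points at that pool, a Splunk-type destination that forwards to it, and a Log Publisher that lists the Splunk destination) is easy to get subtly wrong, and a broken link anywhere in it silently stops DoS events from reaching BIG-IQ. The following is an added example, not F5 code and not part of this manual: a Python script that models those objects as plain dictionaries and walks the references from the publisher down to the pool members, reporting each deviation. The object names, addresses and dictionary field names are constructed for the example and are not tmsh attribute names.

```python
"""Verify the publisher -> Splunk -> Remote High-Speed Log -> DCD pool chain.

Added example (not F5 code). The config is a constructed dictionary model of
the BIG-IP logging objects; field names such as ``type``, ``protocol``,
``pool``, ``forward_to`` and ``destinations`` are this script's own.
"""

# Service port the DCD remote logging pool must use, per the prerequisites above.
DCD_SERVICE_PORT = 8020


def check_publisher_chain(config: dict, publisher_name: str) -> list:
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    publisher = config["publishers"].get(publisher_name)
    if publisher is None:
        return [f"publisher {publisher_name!r} not found"]

    # The publisher must reference a Splunk-type destination, not the RHSL directly.
    splunk_dests = [
        d for d in publisher["destinations"]
        if config["destinations"].get(d, {}).get("type") == "splunk"
    ]
    if not splunk_dests:
        findings.append(f"publisher {publisher_name!r} has no Splunk-type destination")

    for name in splunk_dests:
        splunk = config["destinations"][name]
        rhsl_name = splunk.get("forward_to")
        rhsl = config["destinations"].get(rhsl_name)
        # The Splunk destination must forward to a Remote High-Speed Log destination.
        if rhsl is None or rhsl.get("type") != "remote-high-speed-log":
            findings.append(
                f"Splunk destination {name!r} does not forward to a "
                f"Remote High-Speed Log destination"
            )
            continue
        if rhsl.get("protocol") != "tcp":
            findings.append(
                f"RHSL destination {rhsl_name!r} uses protocol "
                f"{rhsl.get('protocol')!r}, expected 'tcp'"
            )
        pool = config["pools"].get(rhsl.get("pool"))
        if pool is None:
            findings.append(
                f"RHSL destination {rhsl_name!r} references missing pool {rhsl.get('pool')!r}"
            )
            continue
        if not pool["members"]:
            findings.append(f"pool {rhsl['pool']!r} has no members")
        # Every DCD member must listen on the DoS Protection service port.
        for member in pool["members"]:
            if member["port"] != DCD_SERVICE_PORT:
                findings.append(
                    f"pool member {member['address']}:{member['port']} is not "
                    f"on DCD service port {DCD_SERVICE_PORT}"
                )
        # A monitor lets BIG-IP stop sending to a DCD that has gone away.
        if pool.get("monitor") is None:
            findings.append(f"pool {rhsl['pool']!r} has no health monitor")
    return findings


# Constructed sample: what the procedure above should leave behind.
GOOD_CONFIG = {
    "pools": {
        "dcd-logging-pool": {
            "monitor": "tcp",
            "members": [
                {"address": "192.0.2.11", "port": 8020},
                {"address": "192.0.2.12", "port": 8020},
            ],
        },
    },
    "destinations": {
        "rhsl-dcd": {"type": "remote-high-speed-log", "protocol": "tcp", "pool": "dcd-logging-pool"},
        "splunk-dcd": {"type": "splunk", "forward_to": "rhsl-dcd"},
    },
    "publishers": {"dcd-publisher": {"destinations": ["splunk-dcd"]}},
}

# Constructed sample with three common slips: UDP transport, syslog port, no monitor.
BAD_CONFIG = {
    "pools": {
        "dcd-logging-pool": {
            "monitor": None,
            "members": [{"address": "192.0.2.11", "port": 514}],
        },
    },
    "destinations": {
        "rhsl-dcd": {"type": "remote-high-speed-log", "protocol": "udp", "pool": "dcd-logging-pool"},
        "splunk-dcd": {"type": "splunk", "forward_to": "rhsl-dcd"},
    },
    "publishers": {"dcd-publisher": {"destinations": ["splunk-dcd"]}},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_publisher_chain(cfg, "dcd-publisher") or "chain intact")
```

The check walks the references in the same direction the events travel, so the first finding it reports is the first place a DoS event would be dropped. Feeding it the objects exported from a real BIG-IP requires translating them into this dictionary shape first.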

Configure viewing of DoS events

Before you configure monitoring of DoS events, you need to ensure that the DoS Protection service is running on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
If the DoS Protection service is not running, click Activate to start it.
If you deactivate the DoS Protection service for a DCD, or remove a DCD with that service enabled, the associated pool member is removed from the pool when you next deploy to the BIG-IP device (or devices). The pool dos-remote-logging-pool_big-ipname (where big-ipname is the name of the BIG-IP device) contains the pool member for the specified BIG-IP device.
You configure the collection and viewing of DoS events so that you can better view and monitor information about your DoS protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system creates the following configuration objects, if needed:
  • One or more logging profiles
  • A log publisher
  • A log destination
  • A pool for each device
  • Pool members
  • A pool monitor
The configuration objects are shared among the Shared Security virtual servers that were selected. The objects that are created should not be modified. Modifying these objects could affect the ability of the BIG-IP devices to send DoS events to the DCD.
  1. Click Configuration > SECURITY > Shared Security > Virtual Servers.
  2. In the list, select the check box to the left of one or more virtual servers to use.
  3. Click Configure DoS Logging.
    The DoS Logging Configuration dialog box opens.
  4. In the dialog box, click Continue.
    The dialog box shows the configuration status, including which objects were created.
  5. Click Close.
  6. Use the Deployment screens to deploy to the BIG-IP device associated with the virtual server, using the Local Traffic service:
    1. Click Deployment > EVALUATE & DEPLOY > Local Traffic & Network.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes some of the objects created by the DoS logging configuration process to be deployed to the device.
  7. Deploy to the same BIG-IP device using either the Network Security or Web Application Security service:
    You can use either service, since both include the Shared Security objects.
    1. Click Deployment > EVALUATE & DEPLOY > Network Security or Deployment > EVALUATE & DEPLOY > Web Application Security.
    2. In the Deployments area, click Create.
    3. Specify a Name and Description, and select the appropriate deployment options.
    4. In the Target Device(s) area, select the device used by the application and click Create.
    The deployment causes the rest of the objects created by the DoS logging configuration process to be deployed to the device.
You can now receive DoS events from the BIG-IP devices associated with the virtual servers and view them on the Monitoring > EVENTS > DoS screens.

Edit a Log Publisher Log Destination

You must have created the log destination before you can add it to an existing Log Publisher. For more information see Managing Logs on support.f5.com.
Edit the Log Publisher destination settings to change the pools that receive remote logging messages from BIG-IP.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. Select the name of the log publisher you wish to edit.
    The log publisher properties screen opens.
  3. To add log destinations, select the Log Destination(s) from the Available list and use the arrow to move your selection to the Selected list.
    You can filter the Available list by selecting the type of destination from the drop-down list.
  4. To remove log destinations, select the Log Destination(s) from the Selected list and use the arrow to move your selection to the Available list.
  5. Click Save & Close.
You have changed the remote destinations associated with the Log Publisher. This alters where the BIG-IP device sends its log data.
Deploy the changes to your BIG-IP device.