Manual Chapter : Configure IPsec Event Viewing on the BIG-IQ

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

How do I configure viewing IPsec event logs?

You can use BIG-IQ to view IPsec events. To set up IPsec event log viewing, you need to complete a few tasks:
  • Configure the BIG-IP devices that form the IPsec tunnel to send events to the data collection device.
    • Create a remote log server pool.
    • Create a remote high-speed log destination for IPsec.
    • Create a remote Syslog destination for IPsec.
    • Configure a log publisher to send IPsec events to the BIG-IQ.
  • Configure the BIG-IQ system to view IPsec events by enabling IPsec event collection.
After you complete these initial configuration tasks, you can view IPsec events on the BIG-IQ.

Create a log publisher pool

You create a log publisher pool as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ.
You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Pools.
    The screen displays the list of pools defined on this device.
    If you select the check box for a pool, you can either delete it, deploy it, or view statistics for it. You can also view details about other configuration objects to which this pool relates.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a name for the pool you are creating.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    The pool name is limited to 63 characters.
  4. From the Device list, select one of the devices that make up the IPsec tunnel.
  5. To add a new pool member for this pool, click New Member.
    1. For the Node Type, select New Node.
    2. Type a helpful name for the Node Name.
    3. For the Node Address, type the self IP address of the data collection device that you want events from this device to go to.
    4. For the Port, type 9997.
    5. Click Save & Close.
    The new pool member is added to the specifications for the pool you are creating.
    When you create a new pool member while creating a new pool, the new pool member is not actually created until you save the new pool. When you create a new pool member for an existing pool, the new member is ready to use as soon as you save it.
  6. When you finish specifying the settings for this pool, click Save & Close.
    The system creates the new pool with the settings you specified.
  7. Repeat the last 5 steps to add a pool and pool member for the other device that makes up the IPsec tunnel.
The pools list shows the log publisher pools you created.

Create a remote high-speed log destination for IPsec

Before creating a remote high-speed log destination for IPsec, you must create a log publishing pool.
You create a remote high-speed log destination as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ.
You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
    The New Log Destination screen opens.
  3. Type a Name to identify the IPsec remote high-speed log destination.
  4. From the Type list, select Remote High-Speed Log.
    BIG-IQ displays additional parameters for a remote high-speed logging destination.
  5. Specify which devices to associate this destination with.
    1. Select the device you want this destination to use.
    2. Select the remote log server pool that you defined previously.
    3. Click Save to add the listed devices to the Device Specific list.
    The Device Specific list shows the devices that you selected for this log destination.
    Click a device name in the Device Specific list to edit settings for that device. Bear in mind, though, that changes you make to one device do not change the settings for other devices, or for the base configuration for the log destination.
  6. Click Save & Close.
    The system creates the new log destination with the settings you specified.

Create a remote Syslog destination for IPsec

Before creating a remote Syslog log destination for IPsec, you must create a log publishing pool and a high-speed log destination for IPsec.
You create a remote Syslog log destination as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ system.
You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
    The New Log Destination screen opens.
  3. In the Name field, type IPsec-Syslog to identify the IPsec Syslog destination.
  4. From the Type list, select Remote Syslog.
  5. From the Syslog Format list, select a format for the logs.
  6. From the Forward To list, select the name of the IPsec remote high-speed log destination.
  7. Click Save & Close.
    The system creates the new log destination with the settings you specified.

Configure a log publisher to send IPsec events to the BIG-IQ

To send the IPsec event logs to the data collection device, you must configure a publisher to send the logs to the IPsec Syslog destination. This is the last task in the series you perform to route IPsec events from the BIG-IP® device to your data collection device so that you can view these events from the BIG-IQ®.
You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The screen displays a list of the Log Publishers that are defined on this device.
  2. Click the log publisher named default-ipsec-log-publisher.
    The Log Publisher properties screen opens.
  3. For the Log Destinations setting, from the Available list, select IPsec-Syslog and move it to the Selected list.
    BIG-IQ lists both local-syslog (the default) and IPsec-Syslog in the Selected list.
  4. Click Save & Close.
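The four BIG-IP-side objects configured so far (pool, remote high-speed log destination, remote Syslog destination, log publisher) form a single forwarding chain, which is easier to see written out in one place. The following tmsh session is an added example showing that chain entered directly on one of the tunnel BIG-IP devices; it is not part of this manual. The DCD self IP 192.0.2.50, the pool name ipsec_log_pool, the destination name ipsec_hsl, the TCP protocol and the rfc5424 format are assumed values; lines beginning with # are annotations, not commands.

```tmsh
# Added example (not from the manual): the IPsec log-forwarding chain for one
# tunnel BIG-IP, expressed in tmsh. Names, address, protocol and format are assumed.

# 1. Pool whose only member is the DCD self IP on the event-collection port 9997.
create ltm pool ipsec_log_pool members add { 192.0.2.50:9997 }

# 2. Remote high-speed log destination that sends to that pool.
#    TCP is assumed here (it is also tmsh's default protocol for this object).
create sys log-config destination remote-high-speed-log ipsec_hsl pool-name ipsec_log_pool protocol tcp

# 3. Remote Syslog destination named as in the manual, forwarding to the HSL destination.
#    rfc5424 is assumed; substitute the Syslog Format you selected in the GUI procedure.
create sys log-config destination remote-syslog IPsec-Syslog remote-high-speed-log ipsec_hsl format rfc5424

# 4. Attach the new destination to the existing default IPsec publisher; local-syslog stays.
modify sys log-config publisher default-ipsec-log-publisher destinations add { IPsec-Syslog }

# Verify: the publisher should now list both local-syslog and IPsec-Syslog.
list sys log-config publisher default-ipsec-log-publisher

# Persist the running configuration.
save sys config
```

Because these objects are then created on the BIG-IP rather than through BIG-IQ, re-import the device's configuration into BIG-IQ afterwards so the two stay in sync.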
To use the IPsec tunnel configuration to collect IPsec events, you must activate IPsec event collection for your data collection device (DCD) cluster.

Enable IPsec event collection

You activate IPsec event collection for your data collection device (DCD) cluster so that you can view IPsec tunnel events on BIG-IQ.
  1. From BIG-IQ, at the top of the screen, click System, then, on the left, click BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
    The BIG-IQ Data Collection Devices screen opens listing the DCDs in the cluster. The Services column lists the BIG-IP services monitored by each DCD. If no services are enabled for a DCD, this column displays Add Services instead.
  2. Determine whether you need to access the Services screen and how.
    • If no services are listed, click Add Services to access the Services screen.
    • If services other than IPsec are listed, click one of those services to access the Services screen.
    • If the IPsec service is listed, it is already enabled, but you can click a service name to access the Services screen so you can verify the IP address and port the DCD uses to communicate with the IPsec service.
    The Services screen for this DCD opens.
  3. For IPsec, click Activate.
    The Listener Address setting displays the internal self IP address configured for the DCD. The self IP address is currently the recommended address for collecting event log data.
    The system begins collecting IPsec events.
  4. Click the Save & Close button.
You can now view IPsec event logs using the BIG-IQ user interface.