Manual Chapter : Configure IPsec Event Viewing on the BIG-IQ

Applies To:

BIG-IQ Centralized Management

  • 8.4.0
  • 8.3.0
  • 8.2.0
  • 8.1.0
  • 8.0.0
  • 7.1.0

Configure IPsec Event Viewing on the BIG-IQ

You can use BIG-IQ to view IPsec events. To set up IPsec event log viewing, you need to complete a few tasks:

  • Configure the BIG-IP devices that form the IPsec tunnel to send events to the data collection device.
    • Create a remote log server pool.
    • Create a remote high-speed log destination for IPsec.
    • Create a remote Syslog destination for IPsec.
    • Configure a log publisher to send IPsec events to the BIG-IQ.
  • Configure the BIG-IQ system to view IPsec events by enabling IPsec event collection.

After you complete these initial configuration tasks, you can view IPsec events on the BIG-IQ.

You create a log publisher pool as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ.

Important: You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Pools.

    The screen displays the list of pools defined on this device.

    Note: If you select the check box for a pool, you can either delete it, deploy it, or view statistics for it. You can also view details about other configuration objects to which this pool relates.

  2. Click Create.

    The New Pool screen opens.

  3. In the Name field, type a name for the pool you are creating.

    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.

    Important: The pool name is limited to 63 characters.

  4. From the Device list, select one of the devices that make up the IPsec tunnel.

  5. To add a new pool member for this pool, click New Member.

    1. For the Node Type, select New Node.

    2. Type a helpful name for the Node Name.

    3. For the Node Address, type the self IP address of the data collection device that you want events from this device to go to.

    4. For the Port, type 9997.

    5. Click Save & Close.

    The new pool member is added to the specifications for the pool you are creating.

    Note: When you create a new pool member while creating a new pool, the new pool member is not actually created until you save the new pool. When you create a new pool member for an existing pool, the new member is ready to use as soon as you save it.

  6. When you finish specifying the settings for this pool, click Save & Close.

    The system creates the new pool with the settings you specified.

  7. Repeat the last 5 steps to add a pool and pool member for the other device that makes up the IPsec tunnel.

The pools list shows the log publisher pools you created.

Before creating a remote high-speed log destination for IPsec, you must create a log publishing pool.

You create a remote high-speed log destination as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ.

Important: You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.

    The Log Destinations screen displays a list of the log destinations that are defined on this device.

  2. Click Create.

    The New Log Destination screen opens.

  3. Type a Name to identify the IPsec remote high speed log destination.

  4. From the Type list, select Remote High-Speed Log.

    BIG-IQ displays additional parameters for a remote high-speed logging destination.

  5. Specify which devices to associate this destination with.

    1. Select the device you want this destination to use.

    2. Select the remote log server pool that you defined previously.

    3. Click Save to add the listed devices to the Device Specific list.

    The Device Specific list shows the devices that you selected for this log destination.

    Note: Click a device name in the Device Specific list to edit settings for that device. Bear in mind, though, that changes you make to one device do not change the settings for other devices, or for the base configuration for the log destination.

  6. Click Save & Close.

    The system creates the new log destination with the settings you specified.

Before creating a remote Syslog log destination for IPsec, you must create a log publishing pool and a high-speed log destination for IPsec.

You create a remote Syslog log destination as part of the process you complete to route IPsec events from the BIG-IP device to your data collection device, so that you can view these events from the BIG-IQ system.

Important: You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.

    The Log Destinations screen displays a list of the log destinations that are defined on this device.

  2. Click Create.

    The New Log Destination screen opens.

  3. In the Name field, type IPsec-Syslog to identify the IPsec Syslog destination.

  4. From the Type list, select Remote Syslog.

  5. From the Syslog Format list, select a format for the logs.

  6. From the Forward To list, select the name of the IPsec remote high speed log.

  7. Click Save & Close.

    The system creates the new log destination with the settings you specified.

To send the IPsec event logs to the data collection device, you must configure a publisher to send the logs to the IPsec Syslog destination. This is the last task in the series you perform to route IPsec events from the BIG-IP® device to your data collection device so that you can view these events from the BIG-IQ®.

Important: You must perform these steps for both of the BIG-IP devices that make up the IPsec tunnel.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.

    The screen displays a list of the Log Publishers that are defined on this device.

  2. Click the log publisher named default-ipsec-log-publisher.

    The Log Publisher properties screen opens.

  3. For the Log Destinations setting, from the Available list, select IPsec-Syslog and move it to the Selected list.

    BIG-IQ lists both local-syslog (the default) and IPsec-Syslog in the Selected list.

  4. Click Save & Close.
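As an added example (not from this manual and not F5 code), the following Python script emits an assumed tmsh equivalent of the four BIG-IP tasks above for both tunnel endpoints, in dependency order (pool, then high-speed log destination, then remote Syslog destination, then publisher), and enforces the pool-name rule stated in the pool procedure. The tmsh command forms, the TCP protocol on the high-speed log destination, the rfc5424 Syslog format, and all hostnames and addresses are assumptions.

```python
import re

# Constructed values; substitute your own DCD self IP. Port 9997 is the
# port the procedure tells you to use for the pool member.
DCD_SELF_IP = "192.0.2.10"
DCD_PORT = 9997
# Pool-name rule from the procedure: starts with a letter, then only
# letters, digits and underscore, at most 63 characters.
POOL_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def valid_pool_name(name: str) -> bool:
    return bool(POOL_NAME_RE.match(name)) and len(name) <= 63


def ipsec_logging_commands(pool_name: str, hsl_name: str,
                           syslog_name: str = "IPsec-Syslog",
                           dcd_ip: str = DCD_SELF_IP, port: int = DCD_PORT,
                           syslog_format: str = "rfc5424") -> list[str]:
    """Ordered tmsh commands for ONE BIG-IP device (assumed tmsh equivalent
    of the UI steps). Order matters: each object references the previous
    one. 'protocol tcp' and the rfc5424 format are assumptions."""
    if not valid_pool_name(pool_name):
        raise ValueError(f"invalid pool name: {pool_name!r}")
    return [
        f"tmsh create ltm pool {pool_name} members add {{ {dcd_ip}:{port} }}",
        f"tmsh create sys log-config destination remote-high-speed-log "
        f"{hsl_name} pool-name {pool_name} protocol tcp",
        f"tmsh create sys log-config destination remote-syslog {syslog_name} "
        f"remote-high-speed-log {hsl_name} format {syslog_format}",
        f"tmsh modify sys log-config publisher default-ipsec-log-publisher "
        f"destinations add {{ {syslog_name} }}",
    ]


def tunnel_commands(devices: dict[str, dict]) -> dict[str, list[str]]:
    """The procedure must be applied to BOTH tunnel endpoints, so refuse
    anything other than exactly two devices and emit a plan per device."""
    if len(devices) != 2:
        raise ValueError("an IPsec tunnel has exactly two BIG-IP endpoints")
    return {host: ipsec_logging_commands(**spec) for host, spec in devices.items()}


if __name__ == "__main__":
    # Constructed hostnames for the two tunnel endpoints.
    plan = tunnel_commands({
        "bigip-a.example.test": {"pool_name": "ipsec_log_pool", "hsl_name": "ipsec_hsl"},
        "bigip-b.example.test": {"pool_name": "ipsec_log_pool", "hsl_name": "ipsec_hsl"},
    })
    for host, cmds in plan.items():
        print(f"# {host}\n" + "\n".join(cmds))
```

Review the emitted commands against the UI procedure before running them on a device; the script only encodes the ordering and naming constraints, not your site's addressing.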

To use the IPsec tunnel configuration to collect IPsec events, you must activate IPsec event collection for your data collection device (DCD) cluster.

You activate IPsec event collection for your data collection device (DCD) cluster so that you can view IPsec tunnel events on BIG-IQ.

  1. From BIG-IQ, at the top of the screen, click System, then, on the left, click BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.

    The BIG-IQ Data Collection Devices screen opens listing the DCDs in the cluster. The Services column lists the BIG-IP services monitored by each DCD. If no services are enabled for a DCD, this column displays Add Services instead.

  2. Determine whether you need to access the Services screen and how.

    • If no services are listed, click Add Services to access the Services screen.
    • If services other than IPsec are listed, click one of those services to access the Services screen.
    • If the IPsec service is listed, it is already enabled, but you can click a service name to access the Services screen so you can verify the IP address and port the DCD uses to communicate with the IPsec service.

    The Services screen for this DCD opens.

  3. For IPsec, click Activate.

    The Listener Address setting displays the internal self IP address configured for the DCD. The self IP address is currently the recommended address for collecting event log data.

    The system begins collecting IPsec events.

  4. Click the Save & Close button.

You can now view IPsec event logs using the BIG-IQ user interface.