Manual Chapter : Managing Logs

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

Managing Logs

How do I manage my device logs on the BIG-IQ?

You can create, edit or delete log filters, log publishers, and log destinations for the logs produced on your managed BIG-IP devices. Just make whatever changes you want and then deploy them to the device.

What is a device-specific log destination type?

There are several log destination types you can create and manage with the BIG-IQ. Most log destination types are completely shared objects. That is they use one set of parameters regardless of which device they are deployed to. However, there are also 3 types of log destinations that can have device-specific settings. For these destination types, the configuration can be altered depending on which device the destination is deployed to. These device-specific log types are:
  • IPFIX
  • Remote High-Speed Log
  • Management Port
IPFIX and Remote High-Speed Log destinations use pools that are per-device objects. As a result, they are always device-specific. Each BIG-IP that the destination is deployed to needs a log destination unique to that BIG-IP so that you can specify a pool on that BIG-IP the logs are forwarded to.
Management Port log destinations can either be completely shared objects or they can be device-specific. A shared log destination uses the same IP address and port for every BIG-IP device it is deployed to. A device-specific log destination uses a separate instance of the log destination (each with a unique IP address and port) for each BIG-IP it is deployed to.

Create a new log destination

Before you can create a new log destination, you must have configured a remote log server to send the logs to.
Use this screen to create a new log destination for a managed device.
Create a log destination to specify that log messages are sent to a remote log server.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Destinations
    .
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. To create a new log destination, click
    Create
    .
    The New Log destination screen opens so you can define the settings you want for this destination.
  3. In the
    Name
    field, type in a name for the log destination you are creating.
  4. For
    Type
    , select the kind of destination you are creating.
    Depending on the selection you make, additional controls are displayed.
  5. Specify the additional settings needed to suit the requirements for this log destination. The fields required to create a new log destination depend on the type you choose. BIG-IQ denotes required fields using an amber box. You can also determine whether you have completed all of the required fields by noting whether the
    Save & Close
    button is enabled.
    Except for the Devices and Device Specific settings, the parameters on this screen perform the same function as they do when you configure a log destination on a BIG-IP device. For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on
    support.f5.com
    . From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log destination parameters for BIG-IP version 13.0 is provided in the External Monitoring of BIG-IP Systems: Implementations, Version 13.0 guide.
  6. When you create a Log Destination and select a type of
    IPFIX
    or
    Remote High-Speed Log
    , you need to specify which devices to associate this destination with. When you create a Log Destination and select a type of
    Management Port
    you can specify device specific settings or, if no device specific settings are defined, the base configuration settings are used for any device associated with this log destination.
    For additional detail on device-specific log destination types, refer to
    What is a device specific log destination?
    in the
    F5 BIG-IQ Centralized Management: Local Traffic & Network Implementations
    guide on
    support.f5.com
    .
    • If you have a lot of devices that you need to associate with this log destination and want to automate the process:
      1. Use the steps below to specify one device and then click
        Save
        .
      2. Associate this log destination with the log publishers that are pinned to your managed devices.
      3. Come back and edit this log destination. A
        Find Relevant Devices
        button displays. You can use this button to let BIG-IQ assemble a list of devices. BIG-IQ finds the BIG-IP devices that this destination can be deployed to. You can use the list to create a device-specific instance of this destination for each BIG-IP.
      4. Click
        Save
        to add the listed devices to the Device Specific list.
    • To specify the devices for this log destination manually:
      1. Select the device you want this destination to use
      2. If you are creating an
        IPFIX
        or
        Remote High-Speed Log
        destination log, select the pool that you want each device to use.
      3. Use the button to add additional devices to the list.
      4. Use the button to remove a device from the list.
      5. Click
        Save
        to add the listed devices to the Device Specific list.
    Devices you select for this log destination are added to the Device Specific list.
    Click on a device name in the Device Specific list to edit settings for that device. Bear in mind though that changes you make to one device do not change the settings for other devices, or for the base configuration for the log destination.
  7. Click
    Save & Close
    .
    The system creates the new log destination with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this log destination, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create a new log publisher

Before you can create a new log publisher, configure a log destination with a pool of remote log servers so you can assign it to your publisher as you create it.
Log publishers specify log destinations that BIG-IP devices can send their log messages to.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Publishers
    .
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. To create a new log publisher, click
    Create
    .
    The New Log Publisher screen opens so you can define the settings you want for this publisher.
  3. In the
    Name
    field, type in a name for the log publisher you are creating.
  4. Select the Log Destinations for this publisher.
    1. Select a destination type from the Available list.
      The list of destinations displays only the type you selected.
    2. Select one or more destinations from the Available list.
    3. Move the selected destinations to the Selected list.
      If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Specify the additional settings needed to suit the requirements for this log publisher.
    The parameters on this screen are optional and perform the same function as they do when you configure a log publisher on a BIG-IP device.
    For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log publisher parameters for BIG-IP version 13.0 is provided in the
    External Monitoring of BIG-IP Systems: Implementations
    guide.
  6. Click
    Save & Close
    .
    The system creates the new log publisher with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this log publisher, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create a new log filter

Before you create a new log filter, you must have configured at least one log publisher on this BIG-IQ.
Use this screen to create a new log filter for a managed device.
Create a custom log filters so you can specify the system log messages that you want to publish to a particular log.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Filters
    .
    The Log Filters screen displays a list of the log filters that are defined on this device.
  2. To create a new log filter, click
    Create
    .
    The New Log Filter screen opens so you can define the settings you want for this filter.
  3. In the
    Name
    field, type in a name for the log filter you are creating.
  4. Specify the additional settings needed to suit the requirements for this log filter.
    The remaining parameters on this screen are optional and perform the same function as they do when you configure a log filter on a BIG-IP device.
    For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log filter parameters for BIG-IP version 13.0 is provided in the
    External Monitoring of BIG-IP Systems: Implementations
    guide.
  5. Click
    Save & Close
    .
    The system creates the new log filter with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
Because this log filter is a shared object, you must pin it to the device to which you want it to deploy. To pin this log filter to a specific device, click
Configuration
LOCAL TRAFFIC
Pinning Policies
.
For details about how pinning works, refer to
Managing Object Pinning
on
support.f5.com
.
When you finish revising the settings for this log filter, you next need to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.