Manual Chapter : Configuring Remote Logging for Access

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

Configuring Remote Logging for Access

Configure logging for Access Policy Manager

BIG-IP devices that you configure for remote logging send Access reporting and SWG log report data to the BIG-IQ data collection device for storage and management.
  1. At the top left of the screen, click
    Monitoring
    DASHBOARDS
    Access
    .
  2. Click
    Remote Logging Configuration
    .
    The Remote Logging Configuration screen opens to display all of the discovered BIG-IP devices that are provisioned with the Access service.
  3. Select the BIG-IP devices for which you want to enable remote logging, and then click
    Configure
    .
    The
    hostname
    of the primary data collection device is displayed, and the status changes to let you know whether the enable request was successful.
You have now configured your logging of Access events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on the
Monitoring
DASHBOARDS
Access
Logging Messages (All)
screen.
To ensure that data is load balanced among your DCD devices, you must change the remote log destination. For more information see
Edit log publisher destinations
.
Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed over the host BIG-IP device. You can deploy your changes by going to,
Deployment
EVALUATE & DEPLOY
Local Traffic & Network
and
Deployment
EVALUATE & DEPLOY
Access

Configure remote high-speed BIG-IQ and SWG event logging

You can configure the BIG-IQ system to log information about BIG-IQ and Secure Web Gateway events and send the log messages to remote high-speed log servers.
When configuring remote high-speed logging of events, it is helpful to understand the objects you need to create and why, as described here:
Object
Reason
Pool of remote log servers
Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted)
Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Destination (formatted)
If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher
Create a log publisher to send logs to a set of specified log destinations.
Log Setting
Add event logging for the APM system and configure log levels for it or add logging for URL filter events, or both. Settings include the specification of up to two log publishers: one for access system logging and one for URL request logging.
Access profile
Add log settings to the access profile. The log settings for the access profile control logging for the traffic that comes through the virtual server to which the access profile is assigned.

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. At the top of the screen, click
    Configuration
    .
  2. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  3. Click
    Create
    .
    The New Pool screen opens.
  4. In the
    Name
    field, type a unique name for the pool.
  5. Using the
    New Members
    setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a service number in the
      Service Port
      field, or select a service name from the list.
      Typical remote logging servers require port
      514
      .
    3. Click
      Add
      .
  6. Click
    Finished
    .

Create a new log publisher

Before you can create a new log publisher, configure a log destination with a pool of remote log servers so you can assign it to your publisher as you create it.
Log publishers specify log destinations that BIG-IP devices can send their log messages to.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Publishers
    .
    The screen displays a list of the Log Publishers that are defined on this device.
  2. To create a new log publisher, click
    Create
    .
    The New Log Publisher screen opens so you can define the settings you want for this publisher.
  3. In the
    Name
    field, type in a name for the log publisher you are creating.
  4. Select the Log Destinations for this publisher.
    1. Select a destination type from the Available list.
      The list of destinations displays only the type you selected.
    2. Select one or more destinations from the Available list.
    3. Move the selected destinations to the Selected list.
      If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Specify the additional settings needed to suit the requirements for this log publisher.
    The parameters on this screen are optional and perform the same function as they do when you configure a log publisher on a BIG-IP device.
    For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log publisher parameters for BIG-IP version 13.0 is provided in the
    External Monitoring of BIG-IP Systems: Implementations
    guide.
  6. Click
    Save & Close
    .
    The system creates the new log publisher with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this log publisher, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Configure log settings for access system and URL request events

Create log settings to enable event logging for access system events or URL filtering events or both. Log settings specify how to process event logs for the traffic that passes through a virtual server with a particular access profile.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Click
    EVENT LOGS SETTINGS
    Create
    .
  4. Type a name for the name for the log setting.
  5. In the
    SSO Configuration Description
    field, type a descriptive text for the configuration.
  6. For
    Access System Logs
    , click the check box to specify a publisher for Access system logs and log levels.
  7. For
    Access Logs Publisher
    , select a log publisher.
  8. For the system log types, beginning with
    Access Policy
    and ending with
    ADFS Proxy
    , from the dropdown lists, select a log level. The default is
    Notice
    .
  9. For
    URL Request Logs
    , click the check box to select a publisher for the logs and specifies the URL requests to log based on whether the request was blocked or allowed.
  10. For
    URL Request Logs Publisher
    , select a log publisher.
  11. For
    Log Allowed Events
    , click the check box to log request data when a user tries to access a URL that the URL filter allows.
  12. For
    Log Blocked Events
    , click the check box to log request data when a user tries to access a URL that the URL filter blocks.
  13. For
    Log Confirmed Events
    , click the check box to log request data when a user confirms a request for access to a URL for which the URL filter requires confirmation.
  14. Click
    Save & Close
    .

What can cause logging nodes to become unavailable?

Logging nodes are highly available, but it is still possible for them to become unavailable. This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and the power to the lab shuts down.