Manual Chapter: Configuring Remote Logging for Access
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Configure logging for Access Policy Manager
BIG-IP devices that you configure for remote
logging send Access reporting and SWG log report data to the BIG-IQ data collection
device for storage and management.
- At the top left of the screen, click.
- Click Remote Logging Configuration. The Remote Logging Configuration screen opens to display all of the discovered BIG-IP devices that are provisioned with the Access service.
- Select the BIG-IP devices for which you want to enable remote logging, and then click Configure. The hostname of the primary data collection device is displayed, and the status changes to let you know whether the enable request was successful.
You have now configured your logging of Access events from the BIG-IP devices
associated with the virtual servers. Once you have deployed your changes, you can view
these events on the screen. To ensure that data is load balanced among
your DCD devices, you must change the remote log destination. For more information, see
Edit log publisher destinations. Once you have completed this process, ensure that
all your changes to your Local Traffic and Shared Security virtual servers are
deployed over the host BIG-IP device. You can deploy your changes by going to,
and
Configure remote high-speed BIG-IQ and SWG event logging
You can configure the BIG-IQ system to log information about BIG-IQ
and Secure Web Gateway events and send the log messages to remote high-speed log
servers.
When configuring remote high-speed logging of events, it is helpful to
understand the objects you need to create and why, as described here:
Object | Reason |
---|---|
Pool of remote log servers | Create a pool of remote log servers to which the BIG-IP system can send log messages. |
Destination (unformatted) | Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. |
Destination (formatted) | If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination. |
Publisher | Create a log publisher to send logs to a set of specified log destinations. |
Log Setting | Add event logging for the APM system and configure log levels for it or add logging for URL filter events, or both. Settings include the specification of up to two log publishers: one for access system logging and one for URL request logging. |
Access profile | Add log settings to the access profile. The log settings for the access profile control logging for the traffic that comes through the virtual server to which the access profile is assigned. |
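The objects in the table form a chain, and a break at any link means events from that access profile never reach a log server. The following audit of that chain is an added example, not F5 code or a BIG-IQ API; the dictionary layout and every object name in it (`pool_siem`, `hsl_siem`, `splunk_fmt`, `pub_access`, `ls_vpn`, `ap_vpn`) are hypothetical.

```python
# Added example: the dict layout and all object names are hypothetical, not a BIG-IQ API.
HSL = "remote-high-speed-log"
FORMATTED = {"arcsight", "splunk", "remote-syslog"}

def destination_problem(cfg, name):
    """Return why a destination cannot deliver logs, or None if it can."""
    dest = cfg["destinations"].get(name)
    if dest is None:
        return f"destination '{name}' is not defined"
    if dest["type"] == HSL:
        members = cfg["pools"].get(dest.get("pool"))
        return None if members else f"destination '{name}' has a missing or empty pool"
    if dest["type"] in FORMATTED:
        target = cfg["destinations"].get(dest.get("forward_to"), {})
        if target.get("type") != HSL:
            return f"formatted destination '{name}' does not forward to a {HSL} destination"
        return destination_problem(cfg, dest["forward_to"])
    return f"destination '{name}' has unsupported type '{dest['type']}'"

def audit_logging_chain(cfg):
    """Walk access profile -> log setting -> publisher -> destination -> pool."""
    findings = []
    for profile, setting_names in cfg["access_profiles"].items():
        if not setting_names:
            findings.append(f"profile '{profile}' has no log settings")
        for sname in setting_names:
            setting = cfg["log_settings"].get(sname, {})
            # A log setting names up to two publishers: access system and URL request.
            pubs = [p for p in (setting.get("access_publisher"), setting.get("url_publisher")) if p]
            if not pubs:
                findings.append(f"log setting '{sname}' is missing or selects no publisher")
            for pub in pubs:
                dests = cfg["publishers"].get(pub) or []
                if not dests:
                    findings.append(f"publisher '{pub}' is missing or has no destinations")
                for dname in dests:
                    problem = destination_problem(cfg, dname)
                    if problem:
                        findings.append(f"publisher '{pub}': {problem}")
    return findings

SAMPLE = {  # constructed sample: one complete chain
    "pools": {"pool_siem": ["192.0.2.10:514", "192.0.2.11:514"]},
    "destinations": {"hsl_siem": {"type": HSL, "pool": "pool_siem"},
                     "splunk_fmt": {"type": "splunk", "forward_to": "hsl_siem"}},
    "publishers": {"pub_access": ["splunk_fmt"]},
    "log_settings": {"ls_vpn": {"access_publisher": "pub_access"}},
    "access_profiles": {"ap_vpn": ["ls_vpn"]},
}
```

`audit_logging_chain(SAMPLE)` returns an empty list; emptying the pool or pointing the Splunk destination at anything other than a Remote High-Speed Log destination produces a finding that names the broken link.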
Create a pool of remote logging servers
Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
- At the top of the screen, click Configuration.
- On the Main tab, click. The Pool List screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
  - Type an IP address in the Address field, or select a node address from the Node List.
  - Type a service number in the Service Port field, or select a service name from the list. Typical remote logging servers require port 514.
  - Click Add.
- Click Finished.
Create a new log publisher
Before you can create a new log
publisher, configure a log destination with a pool of remote log servers so you can
assign it to your publisher as you create it.
Log publishers specify log destinations that BIG-IP devices can send their log
messages to.
- At the top of the screen, click Configuration, then, on the left, click. The screen displays a list of the Log Publishers that are defined on this device.
- To create a new log publisher, click Create. The New Log Publisher screen opens so you can define the settings you want for this publisher.
- In the Name field, type in a name for the log publisher you are creating.
- Select the Log Destinations for this publisher.
  - Select a destination type from the Available list. The list of destinations displays only the type you selected.
  - Select one or more destinations from the Available list.
  - Move the selected destinations to the Selected list. If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
- Specify the additional settings needed to suit the requirements for this log publisher. The parameters on this screen are optional and perform the same function as they do when you configure a log publisher on a BIG-IP device. For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log publisher parameters for BIG-IP version 13.0 is provided in the External Monitoring of BIG-IP Systems: Implementations guide.
- Click Save & Close. The system creates the new log publisher with the settings you specified.
Changes that you make are
made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device.
Object settings for the pending version are not the same as the object settings on the
actual BIG-IP device until they are deployed or discarded. When you finish specifying the settings for
this log publisher, the next step is to evaluate and then deploy the changes to the
target device. Until you deploy the changes stored in the pending version, objects on
the managed device are not changed.
Configure log settings for access system and URL request events
Create log settings to enable event logging for access system events or URL filtering events or both. Log settings specify how to process event logs for the traffic that passes through a virtual server with a particular access profile.
- At the top of the screen, select Configuration, then on the left side of the screen, click.
- Click the name of an Access group. A new screen displays the group's properties.
- Click.
- Type a name for the log setting.
- In the SSO Configuration Description field, type descriptive text for the configuration.
- For Access System Logs, click the check box to specify a publisher for Access system logs and log levels.
  - For Access Logs Publisher, select a log publisher.
  - For the system log types, beginning with Access Policy and ending with ADFS Proxy, from the dropdown lists, select a log level. The default is Notice.
- For URL Request Logs, click the check box to select a publisher for the logs and specify the URL requests to log based on whether the request was blocked or allowed.
  - For URL Request Logs Publisher, select a log publisher.
  - For Log Allowed Events, click the check box to log request data when a user tries to access a URL that the URL filter allows.
  - For Log Blocked Events, click the check box to log request data when a user tries to access a URL that the URL filter blocks.
  - For Log Confirmed Events, click the check box to log request data when a user confirms a request for access to a URL for which the URL filter requires confirmation.
- Click Save & Close.
What can cause logging nodes to become unavailable?
Logging nodes are highly available, but it is still possible for them to become unavailable.
This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and
the power to the lab shuts down.