Manual Chapter: Managing Logging Profiles in Shared Security

Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0

About logging profiles

A logging profile records requests to a virtual server hosted on a BIG-IP device. A logging profile determines whether and where events are logged, and which items (such as which parts of requests, or which types of errors) are logged. Events can be logged either locally on the system, where they can be viewed in the Event Logs screens, or remotely by an external logging system. The system forwards the log messages to an external logging server using the Syslog service.
The following default logging profiles are imported from the BIG-IP device:
  • Log all requests
  • Log illegal requests
  • global-network
  • local-dos
The BIG-IQ Centralized Management system creates the following logging profiles:
  • The templates-default logging profile is the default logging profile for application templates.
  • The afm-remote-logging-profile logging profile can be created automatically when configuring Network Security event monitoring. For information on the configuration process, refer to the Monitoring Network Security events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.
  • The dos-remote-logging-profile-afm or dos-remote-logging-profile-asm- logging profile can be created automatically when configuring DoS event monitoring. For information on the configuration process, refer to the Monitoring DoS events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.
The logging profile can be associated with multiple virtual servers from multiple devices. Multiple logging profiles can be associated with a virtual server, but those logging profiles cannot have overlapping subsets configured. For example, two logging profiles with application security configured and enabled cannot be associated with the same virtual server. Application security and protocol security cannot be configured on the same logging profile or associated with the same virtual server.
BIG-IQ Centralized Management supports importing logging profiles with spaces in the name. An imported logging profile with spaces in the name can be modified on the BIG-IQ system and deployed back to a BIG-IP device. However, BIG-IQ does not support creating logging profiles with spaces in the name.
The logging publisher specified by the BIG-IQ system logging profile should be the same as that configured on the BIG-IP device.
If a BIG-IQ system adds or removes data collection devices (DCDs), that causes a change to be made to the remote logging event settings in the templates-default logging profile on the BIG-IQ system. A subsequent deployment of that BIG-IQ configuration to a managed BIG-IP device, or a rediscovery or reimport of that BIG-IP device, will show differences for the templates-default logging profile, since the BIG-IQ version of that profile has changed.

Create a new logging profile

You create logging profiles to configure the kind of information to log for objects that support logging.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click Create.
    The New Logging Profile screen opens with the Properties displayed.
  3. In the Name field, type a name for the logging profile.
  4. In the Description field, type an optional description for the logging profile.
  5. If needed, change the default Common partition in the Partition field.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it.
  6. In the Available in Application Templates setting, select whether the profile is available to application templates.
    • To make the profile available to application templates, select Yes.
    • To remove the profile from being available to application templates, select No.
  7. On the left, click the logging type that you want to use, and then select the Enabled check box to display the related settings.
    • Enable Application Security to specify that the system logs traffic to the web application. You cannot enable both Application Security and Protocol Security. Refer to the Configure for Application Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Protocol Security to specify that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. Refer to the Configure for Protocol Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Network Firewall to specify that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Refer to the Configure for Network Firewall logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Network Address Translation to specify which Network Address Translation (NAT) events the system logs, and where those events are logged. Refer to the Configure for Network Address Translation logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable DoS Protection to specify that the system logs detected DoS attacks, and where DoS events are logged.
    • Enable Bot Defense to specify that the system logs bot defense events. Refer to the Configure for Bot Defense logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    You must configure each enabled logging type before you can use it. You can do that now, or save the profile and configure the logging types later. See the configuration procedures for each type of logging profile below.
  8. Specify the settings needed for each logging type you use.
    You can configure multiple logging types while editing the logging profile.
  9. When finished, save your changes.

Configure for Application Security logging

You need to configure application security logging profile settings after you have enabled them to specify what information is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The logging-profile-name screen opens with the Properties displayed.
  3. On the left, click Application Security.
    The Application Security configuration screen opens.
  4. For Status, select the Enabled check box.
    The screen displays the Application Security configuration settings.
  5. Supply the Application Security Configuration settings.
    • Local Storage: When enabled, specifies that the system stores all traffic in the system. This setting can only be disabled when Remote Storage is enabled.
    • Guarantee Local Logging: Specifies that the system logs all requests, even though this might slow your web application. When cleared (disabled), specifies that the system logs the requests as long as it does not slow your web application. The default is disabled. In either case, the system does not drop requests. This setting is displayed only when Local Storage is enabled.
    • Response Logging: Specifies whether, and how, the system logs HTTP responses.
      • Off: The system does not log responses. This is the default.
      • For Illegal Requests Only: The system logs responses to illegal requests.
      • For All Requests: The system logs all responses if the Request Type setting in the Storage Filter area is set to All Requests.
    • Guarantee Local Response Logging: Specifies that the system logs all responses, even though this may slow your web application. When cleared (disabled), specifies that the system logs responses as long as it does not slow your web application. The default is disabled. In either case, the system does not drop responses. This setting is displayed only when Guarantee Local Logging is enabled, and Response Logging is set to For Illegal Requests Only or For All Requests.
    • Remote Storage: When enabled, specifies that the system stores all traffic on a remote logging server. This setting can only be disabled when Local Storage is enabled. Also provides additional remote storage options.
    • Logging Format: Specifies the logging format for the remote storage.
      • Select Comma-Separated Values to store traffic on a remote logging server like syslog. Messages are in syslog CSV format.
      • Select Key-Value Pairs to store traffic on a third party reporting server (for example, Splunk) using a pre-configured storage format. Key value pairs are used in the log messages.
      • Select Common Event Format (ArcSight) if your network uses ArcSight servers. Log messages are in Common Event Format (CEF).
      • Select BIG-IQ if you are using a BIG-IQ system as your logging server and you are using a BIG-IP device version 12.0 or later that has enabled the option to use a BIG-IQ system as a logging server.
      The logging format you select determines what other options are displayed.
    • Protocol: Specifies the protocol that the remote storage server uses.
    • Server Addresses: Specifies one or more remote servers, reporting servers, ArcSight servers, or BIG-IQ Centralized Management systems on which to log traffic. Type the values for the IP Address and Port, and click Add for each server. The default value for Port is 514 for all types of remote storage other than BIG-IQ. If BIG-IQ is selected for the Remote Storage Type, the default port is 8514.
    • Facility: Specifies the facility category of the logged traffic. The possible values are LOG_LOCAL0 through LOG_LOCAL7. If you have more than one security policy, you can use the same remote logging server for both applications, and use the facility filter to sort the data for each.
    • Storage Format: Specifies how the log displays information and which traffic items the server logs, and in what order it logs them.
      1. To determine how the log appears: select Field-List to display the items in the Selected list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected list in addition to any free text you type in the Selected list.
      2. To specify which items appear in the log and in what order, move items from the Available list into the Selected list.
    • Maximum Query String Size: Specifies how much of a request the server logs.
      • Select Any to log the entire request.
      • Select Length and type the maximum number of bytes to log per request. The value you specify for Length must be less than the value specified for Maximum Entry Length.
    • Maximum Entry Length: Specifies how much of the entry length the server logs. Select an appropriate value. The value you can select is determined by what protocol is selected. When logging Web Application Security traffic, the Maximum Entry Length setting should be set to 64K.
    • Report Detected Anomalies: Select Enabled if you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends.
  6. Supply the Application Security settings for the Storage Filter area.
    • Logic Operation: Specifies whether requests must meet one or all criteria in the Storage Filter area for the system, or server, to log the requests.
      • OR: Specifies that requests must meet at least one of the criteria in the Storage Filter settings in order for the system, or server, to log the requests. This is the default.
      • AND: Specifies that requests must meet all of the criteria in the Storage Filter settings in order for the system, or server, to log the requests.
    • Request Type: Specifies which kind of requests the system, or server, logs.
      • Illegal requests only: Specifies that the system, or server, logs only illegal requests. This is the default.
      • Illegal requests, and requests that include staged attack signatures: Specifies that the system, or server, logs illegal requests, and logs requests that include attack signatures in staging (even though the system considers those requests legal).
      • All requests: Specifies that the system, or server, logs all requests.
    • Protocols: Specifies whether request logging occurs for all protocols or only for selected protocols.
      • All: Specifies that the system, or server, logs requests for all protocols. This is the default.
      • Only: Specifies that the system, or server, logs requests for only the specified protocol. HTTP and HTTPS are available for all supported BIG-IP device versions. WS and WSS are available only with BIG-IP devices version 12.1 or later. You can select more than one protocol for BIG-IP devices version 12.1 or later.
    • Response Status Codes: Specifies whether request logging occurs for all response status codes or only for selected response status codes. This setting applies only to requests that are not blocked by the system.
      • All: Specifies that the system, or server, logs all requests that generate all response status codes. This is the default.
      • Only: Specifies that the system, or server, logs only requests that generate specific response status codes. When selected, displays additional options where you specify the type of response status code to log. Unused status codes are in the Available list, selected status codes are in the Selected list.
    • HTTP Methods: Specifies whether request logging occurs for all HTTP methods or only for selected HTTP methods.
      • All: Specifies that the system, or server, logs requests for all HTTP methods. This is the default.
      • Only: Specifies that the system, or server, logs requests for the specified HTTP method. When selected, displays options where you specify the type of HTTP method to log.
    • Request Containing String: Specifies whether the request logging is dependent on a specific string.
      • All: Specifies that the system logs all requests, regardless of string. This is the default.
      • Search In: Specifies that the system logs only requests containing a specific string in a particular part of the request.
        • Select the part of the request to search from the list (Request, URI, Query String, Post Data, or Headers).
        • Type the string to search for in the request in the field to the right. The search is case-sensitive.
    • Login Result: Specifies whether request logging occurs for all login results or only for selected login results.
      • All: Specifies that the system, or server, logs all login results. This is the default.
      • Only: Specifies that the system, or server, logs login results of the specified type. When selected, displays options where you specify the login results to log. This option is only valid with BIG-IP devices version 13.0 or later.
  7. When you are finished, save your changes.
The Application Security configuration settings are saved.
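The Storage Filter settings above decide which requests reach the log, so a defender sizing log volume or checking that an illegal request will actually be recorded needs to know how the criteria combine. The following model is an added example, not BIG-IQ or BIG-IP code; it assumes that a criterion left at "All" takes no part in the OR/AND combination and that a blocked request skips the Response Status Codes criterion (the page only says that setting applies to requests that are not blocked), and the sample requests are constructed.

```python
"""Model of the Storage Filter decision for Application Security logging.

Added example for this chapter; it is not BIG-IQ or BIG-IP code. Assumptions
not stated on the page: a criterion left at its "All" value takes no part in
the OR/AND combination, and a request the system blocked skips the Response
Status Codes criterion (the page says that setting applies only to requests
that are not blocked).
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Request:
    """One request as the enforcement point saw it (constructed sample data)."""
    protocol: str               # HTTP, HTTPS, WS or WSS
    method: str                 # HTTP method
    uri: str
    query_string: str
    post_data: str
    headers: str
    status: Optional[int]       # response status code; None when the system blocked it
    illegal: bool               # request violated the security policy
    staged_signature: bool      # matched an attack signature that is still in staging
    login_result: str = ""      # e.g. "successful" or "failed"; empty for non-login requests

    @property
    def blocked(self) -> bool:
        return self.status is None


@dataclass
class StorageFilter:
    """Storage Filter settings; None stands for the UI's "All" choice."""
    logic_operation: str = "OR"                    # "OR" (default) or "AND"
    request_type: str = "illegal"                  # "illegal" (default), "illegal-and-staged", "all"
    protocols: Optional[Set[str]] = None           # e.g. {"HTTP", "HTTPS"}
    response_status_codes: Optional[Set[int]] = None
    http_methods: Optional[Set[str]] = None
    search_in: Optional[str] = None                # Request, URI, Query String, Post Data, Headers
    search_string: str = ""
    login_results: Optional[Set[str]] = None


def _request_part(req: Request, part: str) -> str:
    """Return the part of the request that Search In selects."""
    if part == "Request":   # the whole request
        return " ".join([req.method, req.uri, req.query_string, req.headers, req.post_data])
    return {"URI": req.uri, "Query String": req.query_string,
            "Post Data": req.post_data, "Headers": req.headers}[part]


def criteria(req: Request, f: StorageFilter) -> List[bool]:
    """Evaluate each configured criterion; one boolean per participating criterion."""
    results = []
    # Request Type always participates: its "All requests" value matches every request.
    if f.request_type == "illegal":
        results.append(req.illegal)
    elif f.request_type == "illegal-and-staged":
        results.append(req.illegal or req.staged_signature)
    else:
        results.append(True)
    if f.protocols is not None:
        results.append(req.protocol in f.protocols)
    if f.response_status_codes is not None and not req.blocked:
        results.append(req.status in f.response_status_codes)
    if f.http_methods is not None:
        results.append(req.method in f.http_methods)
    if f.search_in is not None:
        # The page states the search is case-sensitive, so no case folding here.
        results.append(f.search_string in _request_part(req, f.search_in))
    if f.login_results is not None:
        results.append(req.login_result in f.login_results)
    return results


def should_log(req: Request, f: StorageFilter) -> bool:
    """Apply the Logic Operation (OR: any criterion, AND: all criteria)."""
    r = criteria(req, f)
    return all(r) if f.logic_operation == "AND" else any(r)


# Constructed sample traffic, not captured from any device.
SAMPLE = [
    Request("HTTPS", "GET", "/index.html", "", "", "Host: shop.example", 200, False, False),
    Request("HTTPS", "POST", "/login", "", "user=bob&pass=secret", "Host: shop.example",
            200, False, False, "failed"),
    Request("HTTP", "GET", "/search", "q=<script>", "", "Host: shop.example", None, True, False),
    Request("HTTPS", "POST", "/api/item", "", '{"id": 1}', "Host: shop.example\nX-Debug: 1",
            500, False, True),
]


def logged_requests(f: StorageFilter) -> List[int]:
    """Indices of SAMPLE requests the filter would log."""
    return [i for i, req in enumerate(SAMPLE) if should_log(req, f)]


if __name__ == "__main__":
    print("default (OR, illegal only):", logged_requests(StorageFilter()))
    print("AND, all, POST, status 500:", logged_requests(StorageFilter(
        logic_operation="AND", request_type="all",
        http_methods={"POST"}, response_status_codes={500})))
```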

Configure for Protocol Security logging

You need to configure protocol security logging profiles after you have enabled them. This configuration determines the kind of information that is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
You cannot enable Protocol Security if you have already enabled Application Security.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The logging-profile-name screen opens with the Properties displayed.
  3. On the left, click Protocol Security.
    The Protocol Security configuration screen opens.
  4. For Status, select the Enabled check box.
    The screen displays the Protocol Security configuration settings.
  5. In the HTTP, FTP, and SMTP Security area, in the Publisher setting, select the log publisher to use for the HTTP, FTP and SMTP protocols, or accept the default of None.
    This value specifies where the system sends log messages.
  6. In the DNS Security area, supply the Protocol Security DNS Security settings to configure where the system logs any dropped, malformed, rejected, and malicious DNS requests.
    • Publisher: Specifies the name of the log publisher used for logging DNS security events. Select a log publisher from the list, or accept the default of None.
    • Log Dropped Requests: Specifies that the system logs dropped DNS requests.
    • Log Filtered Dropped Requests: Specifies that the system logs filtered dropped DNS requests.
    • Log Malformed Requests: Specifies that the system logs malformed DNS requests.
    • Log Rejected Requests: Specifies that the system logs rejected DNS requests.
    • Log Malicious Requests: Specifies that the system logs malicious DNS requests.
    • Storage Format: Specifies the format type for log messages. You can set the following options:
      • None: Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
      • Field-List: Specifies that the system uses a set of fields, set in a specific order, to log messages. When this is selected, specify the field list as follows.
        • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,). Do not use the $ character: it is reserved for internal usage.
        • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list.
      • User-Defined: Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list.
  7. In the SIP Security area, supply the Protocol Security SIP Security settings to configure where the system logs any dropped and malformed malicious SIP requests, global and request failures, redirected responses, and server errors.
    • Publisher: Specifies the name of the log publisher used for logging SIP protocol security events. Select a log publisher configured in your system.
    • Log Dropped Requests: Specifies that the system logs dropped requests.
    • Log Global Failures: Specifies that the system logs global failures.
    • Log Malformed Requests: Specifies that the system logs malformed requests.
    • Log Redirection Responses: Specifies that the system logs redirection responses.
    • Log Request Failures: Specifies that the system logs request failures.
    • Log Server Errors: Specifies that the system logs server errors.
    • Storage Format: Specifies the format type for log messages. You can configure the following options:
      • None: Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
      • Field-List: Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
        • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,). Do not use the $ character; it is reserved for internal usage.
        • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list.
      • User-Defined: Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list.
  8. In the SSH Proxy area, supply the Protocol Security SSH Proxy settings to configure logging of SSH proxy use. Select Enabled to make the other settings available.
    • Publisher: Specifies the name of the log publisher used for logging SSH proxies. Select a log publisher configured in your system.
    • Log Client Auth Fail Event: Logs failed client side authentication events.
    • Log Client Auth Success Event: Logs successful client side authentication events.
    • Log Client Auth Partial Event: Logs client side partial authentication events.
    • Log Server Auth Fail Event: Logs failed server side authentication events.
    • Log Server Auth Success Event: Logs successful server side authentication events.
    • Log Server Auth Partial Event: Logs server side partial authentication events.
    • Log Disallowed Channel Action: Logs disallowed channel action events.
    • Log Allowed Channel Action: Logs allowed channel action events.
    • Log SSH Timeout Event: Logs SSH timeout events.
    • Log Non-SSH Traffic Event: Logs non-SSH traffic events.
  9. When you are finished, save your changes.
The Protocol Security configuration settings are saved.

Configure Network Firewall event logging

Before you can log Network Firewall events, you must first have configured Advanced Firewall Protection (AFM) on one or more of your managed BIG-IP devices. In addition, you must have data collection devices (DCD) within your BIG-IQ configuration. You must also activate Network Firewall for your DCD services (System > BIG-IQ DATA COLLECTION DEVICES > SERVICES).
If you are configuring a logging profile for remote logging (including sending log data to BIG-IQ), you will need to configure remote publishing objects, including a pool and pool monitor that can securely send data from the host device to your DCDs.
You need to configure Network Firewall logging profiles after you have enabled them. This configuration determines the kind of information that is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The logging-profile-name screen opens with the Properties displayed.
  3. On the left, click Network Firewall.
    The Network Firewall configuration screen opens.
  4. For Status, select the Enabled check box.
    The screen displays the Network Firewall properties.
  5. In the Properties area, supply the Network Firewall settings to configure which network firewall events the system logs, and where they are logged.
    Property
    When enabled:
    Publisher
    Specifies the name of the log publisher used for logging Network events. Select a log publisher configured in your system.
    Aggregate Rate Limit
    Defines a rate limit for all combined network firewall log messages per second. Beyond this rate limit, log messages are not logged. You can select
    Indefinite
    , which sets the rate limit to the maximum of 4294967295, or you can select
    Specify
    to specify a lower rate limit as an integer between 0 and 4294967295.
    Log Rule Matches
    Specifies that the system logs packets that match the ACL rules.
    • Accept
      Specifies that the system logs packets that match ACL rules configured with
      action = Accept
      .
    • Drop
      Specifies that the system logs packets that match ACL rules configured with
      action = Drop
      .
    • Reject
      Specifies, that the system logs packets that match ACL rules configured with
      action = Reject
      .
    When specifying the
    Rate Limit
    for all network firewall log messages of one of the match types:
    • Indefinite
      sets the rate limit to the maximum of 4294967295, and
      Specify
      allows you to specify a lower rate limit as an integer between 0 and 4294967295.
    • If the rate limit is exceeded, log messages of the matched action type are not logged until the threshold drops below the specified rate.
    Log IP Errors
    Specifies that the system logs IP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a
    Rate Limit
    of
    Indefinite
    , which means the rate limit is set to the maximum of 4294967295, or you can select
    Specify
    and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Errors
    Specifies that the system logs TCP error packets. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a
    Rate Limit
    of
    Indefinite
    , which means the rate limit is set to the maximum of 4294967295, or you can select
    Specify
    and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Events
    Specifies that the system logs TCP events (open and close of TCP sessions). If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a
    Rate Limit
    of
    Indefinite
    , which means the rate limit is set to the maximum of 4294967295, or you can select
    Specify
    and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields
    Specifies that translation values are logged if and when a network firewall event is logged.
    Log UUID Field
    Specfies, when enabled, that UUIDs should be logged as part of a network firewall event. To log UUIDs associated with firewall rules, you must also set the
    Storage Format
    setting to
    Field-List
    with the comma as a delimiter, and select
    acl_rule_uuid
    as the field. You must enable this feature on the BIG-IP device in order for UUIDs to be assigned to rules on that device.
    Always Log Region
    Specifies that the geographic location should be logged when a geolocation event causes a network firewall event.
    Always Log User
    Specifies, when enabled, that subscriber and/or subscriber group information should be logged even when there is no firewall rule that specifies them. This overrides an optimization that bypasses user resolution if there are no firewall rules present.
    Storage Format
    Specifies the format type for log messages. You can configure the following options:
    • None
      Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List
      Specifies that the system uses a set of fields, set in a specific order, to log messages.
      When
      Field-List
      is selected, specify the field list as follows.
      • Specify the delimiter string in the
        Delimiter
        field. The default delimiter is the comma character (,).
        Do not use the
        $
        character; it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the
        Available
        list, selected fields are in the
        Selected
        list.
    • User-Defined
      Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log.
  6. In the IP Intelligence area, supply the Network Firewall IP Intelligence settings to configure where IP intelligence events are logged.
    If the IP intelligence feature is enabled and licensed, you can configure the system to log source IP addresses that match an IP intelligence blacklist or whitelist category, as determined by the database of preconfigured categories, or as determined from an IP intelligence feed list.
    Property
    When enabled:
    Publisher
    Specifies the name of the log publisher used for logging IP address intelligence events. Select a log publisher configured in your system.
    Aggregate Rate Limit
    Defines a rate limit for all combined IP intelligence log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. You can select a rate limit of
    Indefinite
    , which means the rate limit is set to the maximum of 4294967295, or you can select
    Specify
    and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields
    Specifies that translation values are logged if and when a network firewall event is logged.
    Log Shun Events
    Specifies that IP Intelligence shun list events are logged.
    Log RTBH Events
    Specifies that remotely triggered black holing (RTBH) events are logged.
    Log Scrubber Events
    Specifies that IP Intelligence scrubber events are logged.
  7. In the Traffic Statistics area, supply the Network Firewall Traffic Statistics settings to configure logging of traffic statistics.
    Property
    When enabled:
    Publisher
    Specifies the name of the log publisher used for logging traffic statistics. Select a log publisher configured in your system.
    Log Timer Events
    Specifies:
    • Active Flows
      - Logs the number of active flows each second.
    • Reaped Flows
      - Logs the number of reaped flows, or connections that are not established because of system resource usage levels.
    • Missed Flows
      - Logs the number of packets that were dropped because of a flow table miss. A
      flow table miss
      occurs when a TCP non-SYN packet does not match an existing flow.
    • SYN Cookie (Per Session Challenge)
      - Logs the number of SYN cookie challenges generated each second.
    • SYN Cookie (White-listed Clients)
      - Logs the number of whitelisted SYN cookie clients each second.
  8. In the Port Misuse area, supply the Network Firewall Port Misuse settings to configure logging of port misuse policies.
    Property
    When enabled:
    Publisher
    Specifies the name of the log publisher used for logging port misuse policies. Select a log publisher configured in your system.
    Aggregate Rate Limit
    Defines a rate limit for all port misuse policy log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. Select Indefinite to set the rate limit to the maximum of 4294967295 (effectively no limit), or select Specify and enter an integer between 0 and 4294967295 for the number of messages per second.
  9. When you are finished, save your changes.
The Network Firewall configuration settings are saved.
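The Aggregate Rate Limit settings above share one behaviour worth seeing in motion: the limit is counted across all event types in the area, so a burst of one event type can crowd every other type out of the log for that second. The following simulator is an added example written for this page, not BIG-IP code; it assumes the simplest reading of the manual's description (a per-second counter that drops every message once the count reaches the limit) and feeds it a constructed burst of shun events followed by a handful of RTBH events in the same second.

```python
"""Simulate a per-second aggregate log rate limit (added example, not BIG-IP code).

Assumption: the device counts messages per wall-clock second and drops every
message once the count for that second has reached the configured limit,
which is how the manual's "not logged until the threshold drops below the
specified rate" is read here.
"""
from collections import Counter

INDEFINITE = 4294967295  # the manual's maximum value; effectively no limit


class AggregateRateLimiter:
    """Allows at most `per_second` messages in any one wall-clock second."""

    def __init__(self, per_second):
        if not 0 <= per_second <= INDEFINITE:
            raise ValueError("rate limit must be between 0 and 4294967295")
        self.limit = per_second
        self._second = None   # the second currently being counted
        self._count = 0       # messages already logged in that second

    def allow(self, timestamp):
        """Return True if a message at `timestamp` (seconds) may be logged."""
        second = int(timestamp)
        if second != self._second:
            self._second, self._count = second, 0
        if self._count >= self.limit:
            return False
        self._count += 1
        return True


def simulate(events, per_second):
    """Run (timestamp, event_type) pairs through one aggregate limiter.

    Returns two Counters keyed by event type: messages logged and messages dropped.
    """
    limiter = AggregateRateLimiter(per_second)
    logged, dropped = Counter(), Counter()
    for ts, kind in events:
        (logged if limiter.allow(ts) else dropped)[kind] += 1
    return logged, dropped


def flood_then_legit(n_flood=500, n_legit=10):
    """Constructed input: a flood of 'shun' events in second 10, then a few
    'rtbh' events later in the same second. Not captured device output."""
    events = [(10.0 + i / 1000, "shun") for i in range(n_flood)]
    events += [(10.6 + i / 1000, "rtbh") for i in range(n_legit)]
    return events


if __name__ == "__main__":
    logged, dropped = simulate(flood_then_legit(), 100)
    print("limit 100 ->", dict(logged), "dropped:", dict(dropped))
    logged, dropped = simulate(flood_then_legit(), INDEFINITE)
    print("indefinite ->", dict(logged), "dropped:", dict(dropped))
```

With a limit of 100, the first 100 shun events are logged and every RTBH event in that second is lost, even though only ten were produced. If a class of events must never be suppressed, give it its own publisher or keep the aggregate limit high enough that a plausible flood of the noisiest class cannot exhaust it.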

Configure for Network Address Translation logging

You need to configure network address translation (NAT) logging profiles after you have enabled them. This configuration determines the kind of information that is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The
    logging-profile-name
    screen opens with the Properties displayed.
  3. On the left, click
    Network Address Translation
    .
    The Network Address Translation configuration screen opens.
  4. For
    Status
    , select the
    Enabled
    check box.
    The screen displays the Network Address Translation properties.
  5. Supply the Network Address Translation settings to configure which NAT events the system logs, and where they are logged.
    Property
    When enabled:
    LSN Legacy Mode
    When enabled, specifies that events are logged in the Carrier Grade Network Address Translation (CGNAT) Large Scale NAT (LSN) format for backward compatibility. When not enabled (the default), the newer high-speed logging (HSL) format is used.
    Log Subscriber ID
    When enabled, specifies that the subscriber identity (the Mobile Subscriber ISDN number, MSISDN) is added to all firewall NAT log events. This is supported for all firewall NAT types that are logged for source translation: static NAT, static PAT and dynamic PAT.
    Aggregate Rate Limit
    Specifies a rate limit for all combined NAT firewall log messages per second. Above this rate limit, log messages are not logged.
    • To enable a limit, select
      Specify
      and provide a numeric value for the number of messages per second.
    • To have no limit, select
      Indefinite
      .
    Start Outbound Session
    Specifies logging options for the start of an outbound translation session, when the outbound flow is created.
    From the list, select one of the following:
    • Enabled: log Start Outbound Session events.
    • Disabled: do not log Start Outbound Session events. This is the default.
    • Backup Allocation Only: log the event only if the translation used a backup address configured in a NAT Source Translations object.
    Then configure the remaining settings for these events:
    • Include Destination Address/Port: include the destination address and port in the event.
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    End Outbound Session
    Specifies logging options for the end of an outbound translation session, when the outbound flow is deleted.
    From the list, select one of the following:
    • Enabled: log End Outbound Session events.
    • Disabled: do not log End Outbound Session events. This is the default.
    • Backup Allocation Only: log the event only if the translation used a backup address configured in a NAT Source Translations object.
    Then configure the remaining settings for these events:
    • Include Destination Address/Port: include the destination address and port in the event.
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    Start Inbound Session
    Specifies logging options for the start of an incoming connection to a translated address.
    From the list, select one of the following:
    • Enabled: log Start Inbound Session events.
    • Disabled: do not log Start Inbound Session events. This is the default.
    • Backup Allocation Only: log the event only if the translation used a backup address configured in a NAT Source Translations object.
    Then configure the remaining settings for these events:
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    End Inbound Session
    Specifies logging options for the end of an incoming connection to a translated address.
    From the list, select one of the following:
    • Enabled: log End Inbound Session events.
    • Disabled: do not log End Inbound Session events. This is the default.
    • Backup Allocation Only: log the event only if the translation used a backup address configured in a NAT Source Translations object.
    Then configure the remaining settings for these events:
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    Quota Exceeded
    Specifies whether to log when a client exceeds its allocated resource limit.
    • Enabled: log when a client exceeds the allocated resource limit.
    • Disabled: do not log these events. This is the default.
    Then configure the remaining settings for these events:
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    Errors
    Specifies whether to log errors encountered while attempting translation for clients.
    • Enabled: log translation errors.
    • Disabled: do not log translation errors. This is the default.
    Then configure the remaining settings for these events:
    • Rate Limit: select Specify and provide the number of messages per second, or select Indefinite for no limit.
    • Storage Format: specifies which traffic items the device logs, in what order, and how the log displays them. Select Field-List to log the items in the Selected list in CSV format with a delimiter you specify, or User-Defined to log the items in the Selected list together with any free text you type in the Selected list. In either case you choose the items and their order by moving them from the Available list into the Selected list and re-ordering them as needed.
    Publisher
    Specifies the name of the log publisher used for logging NAT events. Select a log publisher configured in your system.
  6. When you are finished, save your changes.
The Network Address Translation configuration settings are saved.
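The reason to log Start and End session events in Field-List format is attribution: given a translated address and port seen by a third party at some time, you need to recover which internal client held that mapping. The parser and lookup below are an added example for this page, not BIG-IP or BIG-IQ code. The field order, the event names START_OUTBOUND and END_OUTBOUND, the comma delimiter and the sample lines are all constructed assumptions standing in for whatever you moved into the Selected list; substitute your own Field-List order. It also flags an End event with no matching Start, which is what you see when Start logging is left at its Disabled default or its events were discarded by a rate limit.

```python
"""Attribute a translated address:port back to a client from NAT session logs.

Added example, not BIG-IP code. FIELDS, the event names and SAMPLE_LOG are
constructed assumptions standing in for a Field-List storage format with ','
as the delimiter; adapt FIELDS to the order in your own Selected list.
"""
import csv
from datetime import datetime
from io import StringIO

# Assumed Field-List order (constructed for this example).
FIELDS = ["event", "timestamp", "protocol", "client_ip", "client_port",
          "translated_ip", "translated_port", "dest_ip", "dest_port"]

# Constructed sample log lines; not captured device output.
SAMPLE_LOG = """\
START_OUTBOUND,2024-05-01T12:00:00Z,tcp,10.0.0.7,51000,203.0.113.5,40001,198.51.100.9,443
START_OUTBOUND,2024-05-01T12:00:05Z,tcp,10.0.0.8,51001,203.0.113.5,40002,198.51.100.9,443
END_OUTBOUND,2024-05-01T12:03:00Z,tcp,10.0.0.7,51000,203.0.113.5,40001,198.51.100.9,443
START_OUTBOUND,2024-05-01T12:04:00Z,tcp,10.0.0.9,52000,203.0.113.5,40001,198.51.100.20,80
END_OUTBOUND,2024-05-01T12:10:00Z,tcp,10.0.0.99,53000,203.0.113.5,40777,198.51.100.9,443
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text):
    """Parse Field-List CSV lines into dicts keyed by FIELDS."""
    records = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["timestamp"] = parse_ts(row["timestamp"])
        row["client_port"] = int(row["client_port"])
        row["translated_port"] = int(row["translated_port"])
        records.append(row)
    return records


def build_sessions(records):
    """Pair START/END events into sessions.

    Returns (sessions, anomalies). Sessions still open at the end of the log
    keep end=None. An END with no matching START is reported as an anomaly:
    the START was never logged (Disabled default) or was rate-limited away.
    """
    open_sessions, sessions, anomalies = {}, [], []
    for r in sorted(records, key=lambda r: r["timestamp"]):
        key = (r["protocol"], r["translated_ip"], r["translated_port"],
               r["client_ip"], r["client_port"])
        if r["event"] == "START_OUTBOUND":
            open_sessions[key] = {"key": key, "start": r["timestamp"], "end": None}
        elif r["event"] == "END_OUTBOUND":
            session = open_sessions.pop(key, None)
            if session is None:
                anomalies.append(("end_without_start", key, r["timestamp"]))
            else:
                session["end"] = r["timestamp"]
                sessions.append(session)
    sessions.extend(open_sessions.values())
    return sessions, anomalies


def lookup(sessions, translated_ip, translated_port, at):
    """Return [(client_ip, client_port), ...] holding the mapping at time `at`."""
    hits = []
    for s in sessions:
        _proto, t_ip, t_port, c_ip, c_port = s["key"]
        if (t_ip, t_port) != (translated_ip, translated_port):
            continue
        if s["start"] <= at and (s["end"] is None or at < s["end"]):
            hits.append((c_ip, c_port))
    return hits


if __name__ == "__main__":
    sessions, anomalies = build_sessions(parse_log(SAMPLE_LOG))
    print(lookup(sessions, "203.0.113.5", 40001, parse_ts("2024-05-01T12:01:00Z")))
    print(lookup(sessions, "203.0.113.5", 40001, parse_ts("2024-05-01T12:05:00Z")))
    print("anomalies:", anomalies)
```

Because translated ports are reused (40001 is held by 10.0.0.7 and later by 10.0.0.9), the lookup must bound the interval with both the Start and the End event; logging only one of them leaves every answer ambiguous. Enabling Include Destination Address/Port lets the same key also distinguish concurrent sessions that share a client and translated port on different destinations.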

Configure DoS Protection logging per protocol

Before you can log DoS protection events, you must first have configured DoS protection on one or more of your managed BIG-IP devices. In addition, you must have data collection devices (DCDs) within your BIG-IQ configuration. You must also activate Web Application Security for your DCD services (
System
BIG-IQ DATA COLLECTION DEVICES
SERVICES
).
If you are configuring a logging profile for remote logging (including sending log data to BIG-IQ), you will need to configure remote publishing objects, including a pool and pool monitor that can securely send data from the host device to your DCDs. F5 recommends you use automatic DoS Protection event logging (see
Configure DoS Protection event logging on BIG-IQ).
For logging bot requests from BIG-IP devices version 14.1 or later, see
Configure Bot Defense logging.
You need to configure DoS protection logging profiles to determine the kind of information that is logged.
You can do this configuration when initially creating a logging profile (in which case go directly to step 5), or perform the configuration later in a logging profile that already exists.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. On the Logging Profiles screen, click the name of the logging profile to configure.
    The logging profile properties are displayed.
  3. On the left, click
    DoS Protection
    .
    The DoS Protection configuration screen opens.
  4. For
    Status
    , select the
    Enabled
    check box.
    The screen displays the DoS Protection properties.
  5. Supply the DoS Application Protection settings to configure where DoS application protection events are logged.
    • Enable
      Local Publisher
      to specify that the system logs DoS events to the local database (on the host BIG-IP device).
    • Select a
      Remote Publisher
      to specify the name of the log publisher used for logging events. Select a log publisher configured in your system. This option includes publishing to BIG-IQ; you must select it to view data in central management.
      If your system contains multiple Data Collection Devices (DCDs), F5 recommends that you load balance events across them, which provides high availability. For configuring high availability, see
      DoS Protection event logging over multiple DCDs.
  6. In the DNS DoS Protection area, configure where DNS DoS protection events are logged: Select a
    Publisher
    to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  7. For the SIP DoS Protection area, configure where SIP DoS protection events are logged: Select a
    Publisher
    to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  8. For the Network DoS Protection area, configure where Network DoS protection events are logged: Select a
    Publisher
    to specify the name of the log publisher used for logging events. Select a log publisher configured in your system.
  9. When you are finished, save your changes.
The DoS Protection configuration settings are saved.

Manually configure logging for Bot Defense requests

Before you can log bot requests, you must first have the following:
  • One or more BIG-IP devices that are provisioned to have Bot Defense.
  • A remote logging pool of your DCDs that is connected to a virtual server deployed over a load balancing BIG-IP device.
  • Web Application Security is active for DCD services (see
    System
    BIG-IQ DATA COLLECTION DEVICES
    SERVICES
    )
The following procedure is for Bot Defense profiles configured to BIG-IP devices version 14.1 or later. For logging bot request information from earlier versions of BIG-IP, see
Configuring logging for DoS Protection and Network Security
.
You can view bot request information by attaching a logging profile to the virtual servers that host your Bot Defense profile. To access Bot Defense information, you need to configure the BIG-IP system to send log information to BIG-IQ. This is done by:
  • Creating a log publisher and pinning it to your BIG-IP device(s)
  • Creating a bot request logging profile in Shared Security and attaching it to the virtual server
  • Deploying your changes to your BIG-IP device(s)
For more details about specific settings within the logging profile, see Configure logging for Bot Defense requests
.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. Click
    Create
    to create a remote bot logging profile.
  3. Type a unique
    Name
    for this logging profile.
  4. On the left, click
    BOT DEFENSE
    .
  5. For
    Status
    , select the
    Enabled
    check box.
    The screen displays the Bot Defense request logging properties.
  6. From the
    Remote Publisher
    list, select the logging publisher for your DCD pool.
  7. In the remaining fields, enable logging for the appropriate request types.
  8. When you are done, click
    Save & Close
    .
  9. Attach the new logging profile to a Shared Security virtual server.
    1. Go to
      Configuration
      SECURITY
      Shared Security
      Virtual Servers
      .
    2. Select the virtual server that hosts your Bot Defense profile.
    3. From the
      Logging Profiles
      field, select the logging profile created in steps 2 through 8, and use the arrow to move it to the
      Selected
      list.
    4. Click
      Save & Close
      .
    5. Repeat steps 9a through 9d for any additional virtual servers that host Bot Defense profiles.
  10. Deploy your new pool, log destinations and log publisher over your BIG-IP device.
    1. Go to
      Deployment
      EVALUATE & DEPLOY
      Local Traffic & Network
      .
    2. In the
      Deployments
      list in the bottom half of the screen, click
      Create
      .
    3. In the
      Name
      field add a unique name.
    4. Ensure that
      Source
      and
      Source Scope
      fields are marked
      Current Changes
      and
      All Changes
      , respectively.
    5. From the Target Devices list, select the host BIG-IP device(s) over which to deploy changes.
    6. Click
      Create
      .
      The deployment is added to the Evaluations list.
    7. Once the evaluation is complete, click the box next to the deployment name and click
      Deploy
      .
    The new local traffic objects are deployed over the BIG-IP device.
  11. Deploy changes to your Shared Security virtual server.
    1. Go to
      Deployment
      EVALUATE & DEPLOY
      Shared Security
      .
    2. Repeat steps 10b-g.
      The new logging profile on your Shared Security virtual server is now deployed over the BIG-IP device.
You can now monitor detected bot requests from the bot request log, from
Monitoring
EVENTS
Bot
Bot Requests
.

Edit logging profiles

You can edit logging profiles to change the kind of information the system should log for objects that support logging.
  1. Click
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    .
  2. Click the name of a logging profile on the Logging Profiles screen.
    The logging profile properties screen opens.
  3. Modify the properties as needed.
    Logging profile properties are described in the
    Create logging profiles
    section of
    BIG-IQ Centralized Management: Security
    on
    support.f5.com
    for configuration information.
  4. If the Device Specific area is shown, click the name of a default logging profile for a particular BIG-IP device to review its settings.
    This area is displayed only for default logging profiles on the BIG-IP device, such as
    Log all requests
    and
    global-network
    .
  5. If the Device Specific area is shown, click the
    global-network
    logging profile for an individual BIG-IP device to modify the logging profile settings for that device.
    The settings you can modify are a subset of those available when you are creating a logging profile. You can modify only the
    global-network
    logging profile in this way.
  6. Review and add or modify the other logging profile properties as appropriate.
    The other logging profile properties are described in the
    Create logging profiles
    section of
    BIG-IQ Centralized Management: Security
    on
    support.f5.com
    .
  7. Save your work.