Manual Chapter : Managing Logging Profiles in Shared Security

Applies To:

BIG-IQ Centralized Management

  • 8.0.0
Managing Logging Profiles in Shared Security

About logging profiles

A logging profile records requests to a virtual server hosted on a BIG-IP device. A logging profile determines whether and where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally by the system and viewed in the Event Logs screens, or remotely by an external logging system. The system forwards the log messages to an external logging server using the Syslog service.
The following default logging profiles are imported from the BIG-IP device:
  • Log all requests
  • Log illegal requests
  • global-network
  • local-dos
The BIG-IQ Centralized Management system creates the following logging profiles:
  • The templates-default logging profile is the default logging profile for application templates.
  • The afm-remote-logging-profile logging profile can be created automatically when configuring Network Security event monitoring. For information on the configuration process, refer to the Monitoring Network Security events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.
  • The dos-remote-logging-profile-afm or dos-remote-logging-profile-asm-afm logging profile can be created automatically when configuring DoS event monitoring. For information on the configuration process, refer to the Monitoring DoS events topics in F5 BIG-IQ Centralized Management: Monitoring and Reporting on support.f5.com.
A logging profile can be associated with multiple virtual servers from multiple devices. Multiple logging profiles can be associated with a virtual server, but those profiles cannot have an overlapping subset configured. For example, two logging profiles with application security configured and enabled cannot be associated with the same virtual server. Application security and protocol security cannot be configured on the same logging profile or associated with the same virtual server.
BIG-IQ Centralized Management supports importing logging profiles with spaces in the name. An imported logging profile with spaces in the name can be modified on the BIG-IQ system and deployed back to a BIG-IP device. However, BIG-IQ does not support creating logging profiles with spaces in the name.
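The association and naming rules above can be checked against a planned configuration before deployment. The following Python sketch is an added example, not F5 code and not a BIG-IQ API: the data model (a dict of profile names to enabled logging types, and a dict of virtual servers to attached profiles), the function names, and the sample inventory are all assumptions, and "overlap" is read as two attached profiles enabling the same logging type.

```python
from itertools import combinations

APP_SEC, PROTO_SEC = "Application Security", "Protocol Security"

def check_profile(name, enabled_types, created_on_bigiq=True):
    """Rule violations for one profile (hypothetical data model, not a BIG-IQ API)."""
    problems = []
    # Imported profiles may keep spaces in the name; profiles created on BIG-IQ may not.
    if created_on_bigiq and " " in name:
        problems.append(f"{name!r}: name contains spaces")
    if {APP_SEC, PROTO_SEC} <= set(enabled_types):
        problems.append(f"{name!r}: {APP_SEC} and {PROTO_SEC} on the same profile")
    return problems

def check_virtual_server(vs, attached, profiles):
    """Rule violations for the profiles attached to one virtual server."""
    problems = []
    # No two attached profiles may enable the same logging type.
    for a, b in combinations(sorted(attached), 2):
        shared = sorted(set(profiles[a]) & set(profiles[b]))
        if shared:
            problems.append(f"{vs}: {a!r} and {b!r} both enable {', '.join(shared)}")
    # Application Security and Protocol Security may not meet on one virtual server.
    combined = set().union(*(profiles[p] for p in attached))
    if {APP_SEC, PROTO_SEC} <= combined:
        problems.append(f"{vs}: {APP_SEC} and {PROTO_SEC} on the same virtual server")
    return problems

def audit(profiles, assignments):
    """Map each virtual server to its list of violations (empty list means clean)."""
    return {vs: check_virtual_server(vs, attached, profiles)
            for vs, attached in assignments.items()}

# Constructed sample inventory; profile and virtual server names are illustrative only.
PROFILES = {
    "asm-log": {APP_SEC},
    "psm-log": {PROTO_SEC},
    "afm-log": {"Network Firewall", "DoS Protection"},
    "dos-log": {"DoS Protection"},
    "bot-log": {"Bot Defense"},
}
ASSIGNMENTS = {
    "vs_web": ["asm-log", "afm-log", "bot-log"],  # no shared logging type
    "vs_api": ["afm-log", "dos-log"],             # both enable DoS Protection
    "vs_ftp": ["asm-log", "psm-log"],             # application + protocol security
}

if __name__ == "__main__":
    for vs, problems in audit(PROFILES, ASSIGNMENTS).items():
        print(vs, "OK" if not problems else problems)
```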
The logging publisher cannot be created or modified by the BIG-IQ Centralized Management system. The logging publisher specified by the BIG-IQ system logging profile should be the same as that configured on the BIG-IP device.
If a BIG-IQ system adds or removes data collection devices (DCDs), the remote logging event settings in the templates-default logging profile on the BIG-IQ system change. A subsequent deployment of that BIG-IQ configuration to a managed BIG-IP device, or a rediscovery or reimport of that BIG-IP device, will show differences for the templates-default logging profile, since the BIG-IQ version of that profile has changed.

Create a new logging profile

You create logging profiles to configure the kind of information to log for objects that support logging.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. On the Logging Profiles screen, click Create.
    The New Logging Profile screen opens with the Properties displayed.
  3. In the Name field, type a name for the logging profile.
  4. In the Description field, type an optional description for the logging profile.
  5. If needed, change the default Common partition in the Partition field.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it.
  6. In the Available in Application Templates setting, select whether the profile is available to application templates.
    • To make the profile available to application templates, select Yes.
    • To make the profile unavailable to application templates, select No.
  7. On the left, click the logging type that you want to use, and then select the Enabled check box to display the related settings.
    • Enable Application Security to specify that the system logs traffic to the web application. You cannot enable both Application Security and Protocol Security. Refer to the Configure for Application Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Protocol Security to specify that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. Refer to the Configure for Protocol Security logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Network Firewall to specify that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Refer to the Configure for Network Firewall logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable Network Address Translation to specify which Network Address Translation (NAT) events the system logs, and where those events are logged. Refer to the Configure for Network Address Translation logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    • Enable DoS Protection to specify that the system logs detected DoS attacks, and where DoS events are logged.
    • Enable Bot Defense to specify that the system logs bot defense events. Refer to the Configure for Bot Defense logging section of BIG-IQ Centralized Management: Security on support.f5.com for configuration information.
    You must configure each enabled logging type before you can use it. You can do that now, or save the profile and configure the logging types later.
  8. Specify the settings needed for each logging type you use.
    You can configure multiple logging types while editing the logging profile.
  9. When finished, save your changes.

Edit logging profiles

You can edit logging profiles to change the kind of information the system should log for objects that support logging.
  1. Click Configuration > SECURITY > Shared Security > Logging Profiles.
  2. Click the name of a logging profile on the Logging Profiles screen.
    The logging profile properties screen opens.
  3. Modify the properties as needed.
    Logging profile properties are described in the Create logging profiles section of BIG-IQ Centralized Management: Security on support.f5.com.
  4. If the Device Specific area is shown, click the name of a default logging profile for a particular BIG-IP device to review its settings.
    This area is displayed only for default logging profiles on the BIG-IP device, such as Log all requests and global-network.
  5. If the Device Specific area is shown, click the global-network logging profile for an individual BIG-IP device to modify the logging profile settings for that device.
    The settings you can modify are a subset of those available when you are creating a logging profile. You can modify only the global-network logging profile in this way.
  6. Review and add or modify the other logging profile properties as appropriate.
    The other logging profile properties are described in the Create logging profiles section of BIG-IQ Centralized Management: Security on support.f5.com.
  7. Save your work.