Manual Chapter: Logging Bot Defense requests
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Logging Bot Defense requests
Configuring Bot Defense logging over multiple DCDs
BIG-IQ receives Bot Defense messages from BIG-IP via its Data Collection Devices (DCDs). To optimize the process while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This prevents data loss if a DCD becomes unavailable, without unnecessary duplication of information.
To complete this process for Bot Defense, you must have previously configured the following:
- An imported and discovered BIG-IP device that hosts your Bot Defense profile and Bot Request logging profile.
- A remote logging pool of DCDs configured to the service port number 8514.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com. If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.
Configure a DCD pool as a Log Destination
You must create a remote logging pool for the DCDs configured to the service port of your module. For more information see Connect Devices to a Data Collection Device cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
- At the top of the screen, click Configuration, then, on the left, click . The Log Destinations screen displays a list of the log destinations that are defined on this device.
- Click Create.
- Type a unique Name for this destination.
- From the Type list, select Remote High-Speed Log.
- From the Protocol list, select TCP.
- From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
- From the Pool list, select your pool of DCDs.
- Click Save & Close. The Log Destinations screen opens.
- Click Create.
- Type a unique Name for this destination.
- From the Type list, select Splunk.
- Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed log saved in step 8.
- Click Save & Close.
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for each module's designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher, ensure that you add the Splunk-type Log Destination.
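One way to check the resulting chain on the BIG-IP side (Log Publisher, Splunk-type destination, Remote High-Speed Log destination over TCP, DCD pool on port 8514) is to audit exported configuration text. This is an added example, not F5 code; the object names and addresses are made up, and the sample assumes the layout printed by tmsh list with the one-line option.

```python
import re

# Constructed sample in the style of `tmsh list ... one-line` output; all names are made up.
SAMPLE = """
ltm pool dcd_pool { members { 10.1.1.11:8514 { address 10.1.1.11 } 10.1.1.12:8514 { address 10.1.1.12 } } }
sys log-config destination remote-high-speed-log dcd_hsl { pool-name dcd_pool protocol tcp }
sys log-config destination splunk dcd_splunk { forward-to dcd_hsl }
sys log-config publisher dcd_pub { destinations { dcd_splunk { } } }
"""
HSL = "sys log-config destination remote-high-speed-log"
SPLUNK = "sys log-config destination splunk"

def parse(text):
    """Map (object type, name) -> body text for each one-line stanza."""
    objs = {}
    for line in text.strip().splitlines():
        m = re.match(r"(.+?) (\S+) \{(.*)\}\s*$", line)
        if m:
            objs[(m.group(1), m.group(2))] = m.group(3)
    return objs

def prop(body, key):
    """Return the value of a simple 'key value' property, or None."""
    m = re.search(rf"(?:^|\s){re.escape(key)} (\S+)", body)
    return m.group(1) if m else None

def audit(text, publisher, port="8514"):
    """Walk publisher -> Splunk destination -> HSL destination -> pool; return findings."""
    objs, out, chains = parse(text), [], 0
    pub = objs.get(("sys log-config publisher", publisher), "")
    for dest in re.findall(r"([^\s{}]+) \{ \}", pub):
        hsl_name = prop(objs.get((SPLUNK, dest), ""), "forward-to")
        hsl = objs.get((HSL, hsl_name))
        if hsl is None:
            continue  # not a Splunk-type destination forwarding to an HSL destination
        chains += 1
        # Assumption: an omitted protocol property means the TCP default.
        if (prop(hsl, "protocol") or "tcp") != "tcp":
            out.append(f"{hsl_name}: protocol is not tcp")
        pool = objs.get(("ltm pool", prop(hsl, "pool-name")), "")
        ports = re.findall(r"\S+:(\d+) \{", pool)
        if len(ports) < 2:
            out.append(f"{hsl_name}: pool has {len(ports)} member(s), no failover")
        if any(p != port for p in ports):
            out.append(f"{hsl_name}: pool member not on port {port}")
    if not chains:
        out.append(f"{publisher}: no Splunk-type destination forwarding to an HSL destination")
    return out

print(audit(SAMPLE, "dcd_pub") or "logging chain OK")
```

An empty result means the publisher reaches at least two DCD pool members on port 8514 over TCP, which is the high-availability layout described above.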
Configure logging for Bot Defense requests
Before you configure monitoring of bot requests, you need to ensure that the Web Application Security service is enabled on the DCD.
Verify this by reviewing the services installed on the DCD on the BIG-IQ Data Collection Devices screen. Click . If the Web Application Security service is not running, click Activate to start it.
If you deactivate the Web Application Security service for a DCD, or remove a DCD with that service enabled, the associated pool member will be removed from the pool when you next deploy to the BIG-IP device (or devices).
You configure the collection and viewing of Bot Defense requests so that you can better view and monitor information about your bot protection. The BIG-IQ Centralized Management system provides a single-button configuration process that creates and configures the needed configuration objects. The system automatically creates the following configuration objects, if needed:
- One or more logging profiles
- A log publisher
- A log destination
- A pool for each device
- Pool members
- A pool monitor
- Click.
- In the list, select the check box to the left of the object that will host the logging profile.
- Click Manage Logging and select Configure Bot Logging. The Bot Logging Configuration dialog box opens.
- In the dialog box, click Continue. The dialog box shows the configuration status, including which objects were created.
- Click Close.
- Use the Deployment screens to deploy the BIG-IP device associated with the virtual server using the Local Traffic service using these steps.
  - Click.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes some of the objects created by the Bot logging configuration process to be deployed to the device.
- Deploy the same BIG-IP device using the Web Application Security service using these steps. You can use either service since both include the Shared Security objects.
  - Click or.
  - In the Deployments area, click Create.
  - Specify a Name and Description, and select the appropriate deployment options.
  - In the Target Device(s) area, select the device used by the application and click Create.
  The deployment causes the rest of the objects created by the Bot logging configuration process to be deployed to the device.
You have now configured your logging profile to send Bot Defense requests from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on screens. To view or manage your logging profile, go to and select your DoS logging profile name.
To ensure that data is load balanced among your DCD devices, you must change the remote log destination. For more information see Edit log publisher destinations. Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed over the host BIG-IP device. You can deploy your changes by going to,
Edit a Log Publisher Log Destination
You must have created the log destination before you can add it to an existing Log Publisher. For more information see Managing Logs on support.f5.com.
Edit the Log Publisher destination settings to change the pools that receive remote logging messages from BIG-IP.
- At the top of the screen, click Configuration, then, on the left, click . The screen displays a list of the Log Publishers that are defined on this device.
- Select the name of the log publisher you wish to edit. The log publisher properties screen opens.
- To add log destinations, select the Log Destination(s) from the Available list and use the arrow to move your selection to the Selected list. You can filter the Available list by selecting the type of destination from the drop-down list.
- To remove log destinations, select the Log Destination(s) from the Selected list and use the arrow to move your selection to the Available list.
- Click Save & Close.
You have changed the remote destinations associated with the Log Publisher. This will alter where the BIG-IP device sends its log data.
Deploy changes to your BIG-IP device.
Manually configure logging for Bot Defense requests
Before you can log bot requests, you must first have the following:
- One or more BIG-IP devices that are provisioned to have Bot Defense.
- A remote logging pool of your DCDs that is connected to a virtual server deployed over a load balancing BIG-IP device.
- Web Application Security is active for DCD services (see)
The following procedure is for Bot Defense profiles configured to BIG-IP devices version 14.1 or later. For logging bot request information from earlier versions of BIG-IP, see Configuring logging for DoS Protection and Network Security.
You can view bot request information by attaching a logging profile to the virtual servers that host your Bot Defense profile. To access Bot Defense information, you need to configure the BIG-IP system to send log information to BIG-IQ. This is done by:
- Creating a log publisher and pinning it to your BIG-IP device(s)
- Creating and attaching a bot request logging profile in Shared Security
- Deploying your changes over your BIG-IP device(s)
For more details about specific settings within the logging profile, see Configure logging for Bot Defense requests.
- Click.
- Click Create to create a remote bot logging profile.
- Type a unique Name for this logging profile.
- On the left, click BOT DEFENSE.
- For Status, select the Enabled check box. The screen displays the Bot Defense request logging properties.
- From the Remote Publisher list, select the logging publisher for your DCD pool.
- Enable the for the appropriate request types of logging in the remaining fields.
- When you are done, click Save & Close.
- Attach the new logging profile to a Shared Security virtual server.
  - Go to.
  - Select the virtual server that hosts your Bot Defense profile.
  - From the Logging Profiles field, select the logging profile created in step 6, and use the arrow to move it to the Selected list.
  - Click Save & Close.
  - Repeat step 6 for any additional virtual servers that host Bot Defense profiles.
- Deploy your new pool, log destinations and log publisher over your BIG-IP device.
  - Go to.
  - In the Deployments list at the bottom half of the screen, click Create.
  - In the Name field, add a unique name.
  - Ensure that the Source and Source Scope fields are marked Current Changes and All Changes, respectively.
  - From the Target Devices list, select the host BIG-IP device(s) over which to deploy changes.
  - Click Create. The deployment is added to the Evaluations list.
  - Once the evaluation is complete, click the box next to the deployment name and click Deploy.
  The new local traffic objects are deployed over the BIG-IP device.
- Deploy changes to your Shared Security virtual server.
  - Go to.
  - Repeat steps 10b-g. The new logging profile on your Shared Security virtual server is now deployed over the BIG-IP device.
You can now monitor detected bot requests from the bot request log, from .