Manual Chapter : Configure Web Application Security logging

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0
Manual Chapter

Configure Web Application Security logging

Create a log profile for application security

Your system must have the following configuration to view event logs:
  • Discover and activate a BIG-IQ Data Collection Device.
  • Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
  • Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A
    logging profile
    is used to determine which events the system logs, and where, and the format of these events. It then directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.
You create logging profiles to specify the kind of information to log for objects that support logging.
  1. Go to
    Monitoring
    EVENTS
    Web Application Security
    Events
    .
    To view a logging profile of a specific protected object, go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    and select the logging profile link associate with the object in the dashboard's list.
  2. Click
    Create
    and select
    Log Profile
    .
    The New Logging Profile screen opens with the Properties displayed.
  3. Type a
    Name
    for the logging profile.
  4. Type an optional
    Description
    for the logging profile.
  5. If needed, change the default
    Common
    partition in the
    Partition
    field.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the
    Common
    partition, all users can access it.
  6. For
    Application Templates
    , specify whether the profile is available to application templates.
    • To make the profile available to application templates, select the
      Make available
      check box.
    • To keep the profile from being available to application templates, clear the check box.
  7. On the left, click the logging type that you want to use, and then select the
    Enabled
    check box to display the related settings.
    • Enable
      APPLICATION SECURITY
      to specify that the system logs traffic to the web application. You cannot enable both
      APPLICATION SECURITY
      and
      PROTOCOL SECURITY
      . Refer to the
      Configure for Application Security logging
      section of
      BIG-IQ Centralized Management: Security
      on
      support.f5.com
      for configuration information.
    • Enable
      PROTOCOL SECURITY
      to specify that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. Refer to the
      Configure for Protocol Security logging
      section of
      BIG-IQ Centralized Management: Security
      on
      support.f5.com
      for configuration information.
    • Enable
      NETWORK FIREWALL
      to specify that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Refer to the
      Configure for Network Firewall logging
      section of
      BIG-IQ Centralized Management: Security
      on
      support.f5.com
      for configuration information.
    • Enable
      NETWORK ADDRESS TRANSLATION
      to specify which Network Address Translation (NAT) events the system logs, and where those events are logged. Refer to the
      Configure for Network Address Translation logging
      section of
      BIG-IQ Centralized Management: Security
      on
      support.f5.com
      for configuration information.
    • Enable
      DOS PROTECTION
      to specify that the system logs detected DoS attacks, and where DoS events are logged.
    • Enable
      BOT DEFENSE
      to specify that the system logs bot defense events. Refer to the
      Configure for Bot Defense logging
      section of
      BIG-IQ Centralized Management: Security
      on
      support.f5.com
      for configuration information.
    You must configure each enabled logging type before you can use it. You can do that now, or save the profile and configure the logging types later.
  8. Specify the settings needed for each logging type you use.
    You can configure multiple logging types while editing the logging profile.
  9. When finished, save your changes.
The newly created log profile is added to your list of log profiles. At this point, you can add it to any object that requires a security logging profile.

Configuring Web Application Security logging over multiple DCDs

BIG-IQ receives ASM (or Adv. WAF) messages from BIG-IP via it's Data Collection Devices (DCD). To optimize the process, while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This will prevent data loss, in the instance that a DCD becomes unavailable, without unnecessary duplication of information.
To complete this process for Web Application Security, you must have previously configured the following:
  • An imported and discovered BIG-IP device that hosts your ASM policy and log profile.
  • A separate BIG-IP device that can host a virtual server that load balances events to the DCD pool.
  • A remote logging pool of DCDs configured to the service port number
    8514
    .
For more information about configuring a remote pool of DCDs, see
Connect Devices to a Data Collection Device Cluster
in the
Planning and Implementing a BIG-IQ Deployment
guide at
support.f5.com
.
If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.

Configure high availability logging for Web Application Security

The following process is intended for data logging over multiple DCDs. Before you begin, you must create a DCD pool for remote logging that is added to a virtual server on a load balancing BIG-IP device.
  • Primary BIG-IP device: This device hosts virtual server with the ASM policy and an enabled HTTP logging profile.
  • A load balancing BIG-IP device: This is a separate BIG-IP device that hosts a virtual server that load balances logging messages to the pool of DCDs created in this task.
    When creating a load balancing virtual server you can use one of the following options:
    • Create a new virtual server using BIG-IQ by going to
      Configuration
      LOCAL TRAFFIC
      Virtual Server
      Web Application Security
      Virtual Server
      and click
      Create
      .
    • Create a virtual server using the AS3 template
      AS3-F5-DCD-lb-ASM-request-logging-events-template-big-iq-default
      . To access this template go to f5-big-iq.
To optimize application security logging of messages from your BIG-IP devices to multiple DCDs, you can configure a BIG-IP system to load balance these messages among the DCDs in your BIG-IQ configuration. This process prevents duplication of information in the consolidated data repository, while also providing high availability for your log messages in the case that one or more DCDs become unavailable. For more details about specific settings within the logging profile, see
Create a logging profile for Application Security.
The following configuration process is conducted within your BIQ-IQ environment. Before you begin, ensure that you have two separate BIG-IP devices, as described in the pre-requisites.
  1. Create a new logging profile, by going to
    Configuration
    SECURITY
    Shared Security
    Logging Profiles
    :
  2. Click
    Create
    .
  3. In the
    Name
    field, add a unique name for the profile.
  4. Click
    APPLICATION SECURITY
    from the left menu, select
    Enabled
    .
  5. From the
    Remote Storage
    field, select
    Enabled
    .
  6. From the
    Server Addresses
    field, enter the
    IP Address
    and
    Port
    values of the virtual server that hosts the DCD pool configured to port
    8514
    .
  7. Click the
    Add
    button next to the port value.
  8. In the Storage Filter area, from the
    Request Type
    field, select
    All Requests
    .
  9. Click
    Save & Close
    .
  10. Add the logging profile to the virtual server with the ASM security policy by going to
    Configuration
    SECURITY
    Shared Security
    Virtual Servers
    .
    1. Click the name of the virtual server with ASM security policy.
    2. From the
      Logging Profiles
      field, select the name of the logging profile created.
    3. Click
      Save & Close
      .
Your BIG-IQ Centralized Management now has high availability of logging data collection capabilities for its Web Application Security event logs. This prevents loss of messages in the case that one or more DCDs become unavailable.
Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed over the host BIG-IP devices. You can deploy your changes by going to,
Deployment
EVALUATE & DEPLOY
Local Traffic & Network
(Local Traffic) and
Deployment
EVALUATE & DEPLOY
Shared Security
(Shared Security).