Manual Chapter : Configuring Remote High-Speed DNS Logging

Applies To:

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring remote high-speed DNS logging

You can configure the BIG-IP system to log information about DNS traffic and send the log messages to remote high-speed log servers. You can choose to log either DNS queries or DNS responses, or both. In addition, you can configure the system to perform logging on DNS traffic differently for specific resources. For example, you can configure logging for a specific resource, and then disable and re-enable logging for the resource based on your network administration needs.

When configuring remote high-speed DNS logging, it is helpful to understand the objects you need to create and why, as described here:

| Object to create in implementation | Reason |
| --- | --- |
| Pool of remote log servers | Create a pool of remote log servers to which the BIG-IP system can send log messages. |
| Destination (unformatted) | Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. |
| Destination (formatted) | If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination. |
| Publisher | Create a log publisher to send logs to a set of specified log destinations. |
| DNS Logging profile | Create a custom DNS Logging profile to define the data you want the BIG-IP system to include in the DNS logs and associate a log publisher with the profile. |
| DNS profile | Create a custom DNS profile to enable DNS logging, and associate a DNS Logging profile with the DNS profile. |
| LTM virtual server | Associate a custom DNS profile with a virtual server to define how the BIG-IP system logs the DNS traffic that the virtual server processes. |
| GTM listener | Associate a custom DNS profile with a listener to define how the BIG-IP system logs the DNS traffic that the listener processes. |

Figure: Association of remote high-speed logging configuration objects

Task summary

Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen for and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click DNS > Delivery > Load Balancing > Pools or Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
      Note: Typical remote logging servers require port 514.
    3. Click Add.
  5. Click Finished.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.

Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
    Important: If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require that data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the Protocol list, select the protocol used by the high-speed logging pool members.
  7. Click Finished.

Creating a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select a formatted logging destination, such as IPFIX, Remote Syslog, Splunk, or ArcSight.
    Important: ArcSight formatting is only available for logs coming from Advanced Firewall Manager (AFM), Application Security Manager (ASM), and the Secure Web Gateway component of Access Policy Manager (APM). IPFIX is not available for Secure Web Gateway.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
  6. If you selected Splunk or IPFIX, from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click Finished.

Creating a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers. The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select a destination from the Available list, and click << to move the destination to the Selected list.
    Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Click Finished.

Creating a custom DNS logging profile for logging DNS queries

Create a custom DNS logging profile that logs DNS queries when you want to log only DNS queries.
  1. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
  2. Click Create. The New DNS Logging profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.
  6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.
  7. Click Finished.
Assign this custom DNS logging profile to a custom DNS profile.

Creating a custom DNS logging profile for logging DNS responses

Create a custom DNS logging profile to log DNS responses when you want to determine how the BIG-IP system is responding to a given query.
  1. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
  2. Click Create. The New DNS Logging profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  5. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.
  6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.
  7. Click Finished.
Assign this custom DNS logging profile to a custom DNS profile.

Creating a custom DNS logging profile for logging DNS queries and responses

Create a custom DNS logging profile to log both DNS queries and responses when troubleshooting a DDoS attack.
Note: Logging both DNS queries and responses has an impact on the BIG-IP system performance.
  1. On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
  2. Click Create. The New DNS Logging profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.
  6. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.
  7. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.
  8. Click Finished.
Assign this custom DNS logging profile to a custom DNS profile.

Creating a custom DNS profile to enable DNS logging

Ensure that at least one custom DNS Logging profile exists on the BIG-IP system.
Create a custom DNS profile to log specific information about DNS traffic processed by the resources to which the DNS profile is assigned. Depending upon what information you want the BIG-IP system to log, attach a custom DNS Logging profile configured to log DNS queries, to log DNS responses, or to log both.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS or Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
  2. Click Create. The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. From the Logging list, select Enabled.
  6. From the Logging Profile list, select a custom DNS Logging profile.
  7. Click Finished.
You must assign this custom DNS profile to a resource before the BIG-IP system can log information about the DNS traffic handled by the resource.

Configuring a listener for DNS logging

Ensure that at least one custom DNS profile with logging configured exists on the BIG-IP system.
Assign a custom DNS profile to a listener when you want the BIG-IP system to log the DNS traffic the listener handles.
Note: This task applies only to GTM-provisioned systems.
  1. On the Main tab, click DNS > Delivery > Listeners. The Listeners List screen opens.
  2. Click the name of the listener you want to modify.
  3. In the Service area, from the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile.
  4. Click Update.

Configuring an LTM virtual server for DNS logging

Ensure that at least one custom DNS profile with logging enabled exists on the BIG-IP system.
Assign a custom DNS profile with logging enabled to a virtual server when you want the BIG-IP system to log the DNS traffic the virtual server handles.
Note: This task applies only to LTM-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile.
  5. Click Update to save the changes.

Disabling DNS logging

Disable DNS logging on a custom DNS profile when you no longer want the BIG-IP system to log information about the DNS traffic handled by the resources to which the profile is assigned.
Note: You can disable and re-enable DNS logging for a specific resource based on your network administration needs.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS. The DNS profile list screen opens.
  2. Click the name of a profile.
  3. Select the Custom check box.
  4. From the Logging list, select Disabled.
  5. Click Update.
The BIG-IP system does not perform DNS logging on the DNS traffic handled by the resources to which this profile is assigned.

Implementation result

You now have an implementation in which the BIG-IP system performs DNS logging on specific DNS traffic and sends the log messages to a pool of remote log servers.
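
An added example, not part of the F5 manual or BIG-IP tooling: a Python check that walks the object chain described in this chapter (virtual server or listener, DNS profile, DNS Logging profile, publisher, destination, pool) and reports whether each resource can actually deliver DNS logs to a remote log server. The inventory dictionary, its key names, and every object name and address in it are constructed for illustration and are assumptions, not a BIG-IP export format.

```python
# Constructed sample inventory (hypothetical schema, not BIG-IP output).
CONFIG = {
    "pools": {"pool_remote_logs": ["192.0.2.10:514", "192.0.2.11:514"]},
    "destinations": {
        "dest_hsl": {"type": "remote-high-speed-log", "pool": "pool_remote_logs"},
        "dest_syslog": {"type": "remote-syslog", "forward_to": "dest_hsl"},
        "dest_orphan": {"type": "splunk", "forward_to": "dest_missing"},
    },
    "publishers": {"pub_dns": ["dest_syslog"], "pub_broken": ["dest_orphan"]},
    "dns_logging_profiles": {
        "dnslog_both": {"publisher": "pub_dns", "log_queries": True, "log_responses": True},
        "dnslog_broken": {"publisher": "pub_broken", "log_queries": True, "log_responses": False},
    },
    "dns_profiles": {
        "dns_logged": {"logging": True, "logging_profile": "dnslog_both"},
        "dns_disabled": {"logging": False, "logging_profile": "dnslog_both"},
        "dns_broken": {"logging": True, "logging_profile": "dnslog_broken"},
    },
    "resources": {"vs_dns": "dns_logged", "listener_a": "dns_disabled", "vs_lab": "dns_broken"},
}

def servers_for_destination(cfg, name, seen=()):
    """Follow formatted -> Remote High-Speed Log -> pool; return pool members."""
    dest = cfg["destinations"].get(name)
    if dest is None or name in seen:  # dangling reference or forwarding loop
        return []
    if dest["type"] == "remote-high-speed-log":
        return list(cfg["pools"].get(dest.get("pool"), []))
    return servers_for_destination(cfg, dest.get("forward_to"), seen + (name,))

def audit(cfg):
    """Map each virtual server or listener to (status, reachable log servers)."""
    report = {}
    for resource, profile_name in cfg["resources"].items():
        profile = cfg["dns_profiles"].get(profile_name, {})
        if not profile.get("logging"):
            report[resource] = ("logging disabled", [])
            continue
        log_profile = cfg["dns_logging_profiles"].get(profile.get("logging_profile"), {})
        if not (log_profile.get("log_queries") or log_profile.get("log_responses")):
            report[resource] = ("nothing selected to log", [])
            continue
        servers = sorted({s for d in cfg["publishers"].get(log_profile.get("publisher"), [])
                          for s in servers_for_destination(cfg, d)})
        report[resource] = ("ok" if servers else "no remote log server reachable", servers)
    return report

if __name__ == "__main__":
    print(audit(CONFIG))
```

In the constructed inventory, vs_lab has logging enabled but its publisher points at a formatted destination whose forwarding target does not exist, so it is reported as having no reachable log server.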