Manual Chapter : Configure IPsec event viewing on the BIG-IQ

Applies To:

BIG-IQ Centralized Management

  • 6.0.0

How do I configure viewing IPsec event logs?

You can use BIG-IQ® Centralized Management to view IPsec events. To set up IPsec event log viewing, you need to:

  • Configure the BIG-IP® devices that comprise the IPsec tunnel to send events to the data collection device.
    • Create a remote log server pool.
    • Create a remote high-speed log destination for IPsec.
    • Create a remote Syslog destination for IPsec.
    • Configure a log publisher to send IPsec events to the BIG-IQ.
  • Configure the BIG-IQ system to view IPsec events by enabling IPsec event collection.

After you complete these initial configuration tasks, you can view IPsec events on the BIG-IQ.

Create a log publisher pool

Creating a log publisher pool is part of the sequence you perform to route IPsec events from the BIG-IP device to your data collection device so that you can view these events from the BIG-IQ.
Important: You must perform these steps for both of the BIG-IP devices that comprise the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Pools.
    The screen displays the list of pools defined on this device.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type in a name for the pool you are creating.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    Important: The pool name is limited to 63 characters.
  4. From the Device list, select one of the devices that comprise the IPsec tunnel.
  5. To add a new pool member for this pool, click New Member.
    1. For the Node Type, select New Node.
    2. In the Node Name field, type a descriptive name for the node.
    3. For the Node Address, type the self IP address of the data collection device that you want events from this device to go to.
    4. For the Port, type 9997.
    5. Click Save & Close.
    The new pool member is added to the specifications for the pool you are creating.
    Note: When you create a new pool member while creating a new pool, the new pool member is not actually created until you save the new pool. When you create a new pool member for an existing pool, the new member is ready to use as soon as you save it.
  6. When you finish specifying the settings for this pool, click Save & Close.
    The system creates the new pool with the settings you specified.
  7. Repeat the last 5 steps to add a pool and pool member for the other device that makes up the IPsec tunnel.
The log publisher pools you created are added to the pools list.

Create a remote high-speed log destination for IPsec

Before creating a remote high-speed log destination for IPsec, you must create a log publishing pool.
Creating a remote high-speed log destination is part of the sequence you perform to route IPsec events from the BIG-IP device to your data collection device so that you can view these events from the BIG-IQ.
Important: You must perform these steps for both of the BIG-IP devices that comprise the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
    The New Log Destination screen opens.
  3. In the Name field, type a name to identify the IPsec remote high-speed log destination.
  4. From the Type list, select Remote High-Speed Log.
  5. Specify which devices to associate this destination with.
    1. Select the device you want this destination to use.
    2. Select the remote log server pool that you defined previously.
    3. Click Save to add the listed devices to the Device Specific list.
    Devices you select for this log destination are added to the Device Specific list.
    Note: Click a device name in the Device Specific list to edit the settings for that device. Note, however, that changes you make to one device do not change the settings for other devices, or the base configuration of the log destination.
  6. Click Save & Close.
    The system creates the new log destination with the settings you specified.

Create a remote Syslog destination for IPsec

Before creating a remote Syslog log destination for IPsec, you must create a log publishing pool and a high-speed log destination for IPsec.
Creating a remote Syslog log destination is part of the sequence you perform to route IPsec events from the BIG-IP device to your data collection device so that you can view these events from the BIG-IQ system.
Important: You must perform these steps for both of the BIG-IP devices that comprise the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
    The New Log Destination screen opens.
  3. In the Name field, type IPsec-Syslog to identify the IPsec Syslog destination.
  4. From the Type list, select Remote Syslog.
  5. From the Syslog Format list, select a format for the logs.
  6. From the Forward To list, select the name of the IPsec remote high-speed log destination you created previously.
  7. Click Save & Close.
    The system creates the new log destination with the settings you specified.

Configure a log publisher to send IPsec events to the BIG-IQ

To send the IPsec event logs to the data collection device, you must configure a publisher to send them to the IPsec Syslog destination.
Important: You must perform these steps for both of the BIG-IP devices that comprise the IPsec tunnel.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. Click the log publisher named default-ipsec-log-publisher.
    The Log Publisher properties screen opens.
  3. For the Log Destinations setting, select IPsec-Syslog from the Available list, and move it to the Selected list.
    Both local-syslog (the default) and IPsec-Syslog are listed in the Selected list.
  4. Click Save & Close.
To use the IPsec tunnel configuration to collect IPsec events, you must activate IPsec event collection for your data collection device (DCD) cluster.
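As an added check (example code, not F5's or the product's own), the script below walks the chain the four BIG-IP tasks above build, reading a constructed, simplified config dump in the brace format that tmsh list prints: the default-ipsec-log-publisher publisher to IPsec-Syslog, to its remote high-speed log destination, to the pool whose member is the DCD self IP on port 9997. The pool and destination names, the address 10.0.0.5 and the simplified config text are assumptions; it can be pointed at a real dump to confirm both tunnel endpoints were configured.

```python
# Added example, not F5 code: names other than the two defaults below are assumed.
PUBLISHER, SYSLOG_DEST, DCD_PORT = "default-ipsec-log-publisher", "IPsec-Syslog", "9997"
SAMPLE_CONFIG = """
ltm pool ipsec-dcd-pool {
    members {
        10.0.0.5:9997 { }
    }
}
sys log-config destination remote-high-speed-log IPsec-HSL {
    pool-name ipsec-dcd-pool
}
sys log-config destination remote-syslog IPsec-Syslog {
    remote-high-speed-log IPsec-HSL
}
sys log-config publisher default-ipsec-log-publisher {
    destinations {
        IPsec-Syslog { }
        local-syslog { }
    }
}
"""
def parse_tmsh(text):
    """'x {' opens a nested dict keyed 'x', 'x { }' is an empty one, else key -> rest."""
    root, stack = {}, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        cur = stack[-1] if stack else root
        if line.endswith("{ }"):
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):
            stack.append(cur.setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key] = val
    return root

def check_ipsec_log_chain(text, dcd_ip):
    """Walk publisher -> Syslog dest -> HSL dest -> pool member; return problems found."""
    cfg = parse_tmsh(text)
    pub = cfg.get(f"sys log-config publisher {PUBLISHER}", {}).get("destinations", {})
    syslog = cfg.get(f"sys log-config destination remote-syslog {SYSLOG_DEST}", {})
    hsl = cfg.get(f"sys log-config destination remote-high-speed-log {syslog.get('remote-high-speed-log')}", {})
    members = cfg.get(f"ltm pool {hsl.get('pool-name')}", {}).get("members", {})
    checks = [
        (SYSLOG_DEST in pub, f"{PUBLISHER} does not publish to {SYSLOG_DEST}"),
        ("remote-high-speed-log" in syslog, f"{SYSLOG_DEST} forwards to no high-speed log destination"),
        (f"{dcd_ip}:{DCD_PORT}" in members, f"no pool member {dcd_ip}:{DCD_PORT} behind {SYSLOG_DEST}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run check_ipsec_log_chain once per BIG-IP dump with that device's DCD address; an empty list means IPsec events have a complete path to the data collection device.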

Enable IPsec event collection

To view IPsec tunnel events on BIG-IQ, you need to activate IPsec event collection for your data collection device (DCD) cluster.
  1. At the top of the screen, click System, then, on the left, click BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
    The BIG-IQ Data Collection Devices screen opens to list the data collection devices in the cluster.
  2. In the Services column, click Add Services.
    The Services screen for this DCD opens.
  3. For IPsec, click Activate.
    The Listener Address displays the internal self IP address configured for the DCD. The self IP address is currently the recommended address for collecting event log data.
    The system begins collecting IPsec events.
  4. Click the Save & Close button.
You can now view IPsec event logs using the BIG-IQ user interface.