Forum Discussion
dbaimakov
Altocumulus
AltocumulusBoT Defense Traffic Analytics Tab
Hi guys,
We have recently implemented Bot Defense Profiles on our BIG-IP F5 and applied them to our VMs. However, we seem to have run into a small issue. The Security > Event Logs: Bot Defense: Bot Traffic is not displaying analytics. When we click on View Detected Bots, there is data present though.
Initially, I thought it could simply be due to my permissions, as many of the summary views require access to raw logs, and many of the roles don’t have that permission (and can’t obtain it because roles are predefined and fixed). But after checking with administrators, they also can't see the analytics tab data. We considered sending data to SIEM for visualization. However, it would be prudent to have those graphs visible in F5 as well.
It appears that some configurations are missing.
I would greatly appreciate any help or links regarding this issue.
Thank you 🙂
Hi dbaimakov ,
For BOT traffic tab , if you see samples in bot event , you should see Bot traffic as well ( trusted / untrusted / browser ...)
Go to your Bot profile and check mitigation settings , maybe you set it to alarm only , when you adjust it , you should see sample in Bot traffic during any Bot attack.
Try to configure some mitigating as block not alarm , if there is bot attack it will reflect on dos traffic event log.
As further I know , no Bot tabs in bigip analytics profile , and for analytics profile you need to provision AVR for more granular visibility on application.
Hi dbaimakov ,
For Bot Traffic in Event log tab >>> did you edit your logging profile to log bot detections ?
Go to securtiy >> Event log >> Logging profiles >> Select your target profile >> Enable Check box " Bot Defense " you can add filters as much as needed and Enable Check box " Local publisher ".
For Analytics or graphs :
First you have to provision AVR module in your bigip , if provisioned , you must create an Analytics profile
Local traffic >>> Profiles >>> Analytics >>> Create ( and add all needed metrics )
don't add all VIPs or huge metrics , this may cause negative impact on system CPU and Memory.
wait up to 10-15 mins , your bigip will collect all needed statistics and graphs.
But Like I said above for Bot monitoring and logging you have to add it in the logging profile and monitor your events or reported attacks if found.
I hope this figures out your needs 🙂
dbaimakovThank you for the guidance Mohamed!
The BoT logging profile was set up correctly and is logging away when I go to Security > Event Logs > Bot Defense > Bot Requests.
The AVR module was not set up, though; that helped!
When I went to create an Analytics Profile, I saw only two options: HTTP analytics and TCP analytics; there is no BoT Analytics per se.
Also, the tab to view Graph analytics for BoT traffic is not found in the typical location in Statistics > Analytics > HTTP analytics, CPU, Memory, etc.It is instead found in Security > Event Logs > Bot Defense > BoT Traffic (and that's where I can't see graphs, BUT if I click "View Detected Bots" I do see correlated Bot Events).
I did find some information on:
Create a new Analytics profile and attach it to your Virtual Servers (f5.com)
Create a new Analytics profile and attach it to your Virtual Servers (f5.com)But still, nothing about Analytics Visualization Graphs for BoTs, a feature that seems to allow visualization of Bot Traffic by color graphs with Browser/Trusted Bot/Untrusted Bot, etc.
Hope this makes sense, and it's totally ok if it doesn't 😂 I'll try F5 support in the meantime but would be cool to get more guidance here as well 😀
Thank you so much 😀
DmitriyHi dbaimakov ,
For BOT traffic tab , if you see samples in bot event , you should see Bot traffic as well ( trusted / untrusted / browser ...)
Go to your Bot profile and check mitigation settings , maybe you set it to alarm only , when you adjust it , you should see sample in Bot traffic during any Bot attack.
Try to configure some mitigating as block not alarm , if there is bot attack it will reflect on dos traffic event log.
As further I know , no Bot tabs in bigip analytics profile , and for analytics profile you need to provision AVR for more granular visibility on application.
