Forum Discussion

Emon_423837's avatar
Emon_423837
Icon for Altocumulus rankAltocumulus
Jun 03, 2023

Bot Log is not showing in BIG-IQ

Hi, I am Emon and I am new member at f5 world.

I am using BIG-IP 15.1.8.2 and BIG-IQ 8.3.0 (CM and DCD). The Big-IQ is not showing the bot log as seen in the BIG-IP (ASM/WAF) itself. BIG-IP box's Event Log all bot request is seen but biq iq bot request option show empty (image attached).

This type graph is seen but exact bot log request not seen.

 

I configure remote log publisher Remote High Speed Log within Splunk. I also select Local Publisher and Remote pubisher at a time.

More Info: BIG-IP and IQ connected through management ip. ASM/WAF log showing fine but Bot Request Log not showing.

Can you explain what happend that's why bot request log not showing. Please give me proper instruction how can I configure BIG-IP and IQ.

 

Thanks.

 

  • Hi Emon_423837  ,

     

    For Sending Security Logs yo BIG-IQ

    1. Add BIG-IP to the BIG-IQ CM

    2. Enable Web Application Security in BIG-IQ DCD

    3. Configuration of the Security Log profile

    4. Attach the log profile to the protected Virtual Servr

    5. Monitoring Profiles from BIG-IQ

     

    Can you please share the BOT Logging profile details.

     

    Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.

    Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.

     

    For more details could you plese check the link as follows:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html

    Have you 

    Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

    https://my.f5.com/manage/s/article/K51005651

     

    Creating a DCD Pool

     

    Define this pool in Log Destination

    System >> Logs: Configuration : Log Destinations

    System >> Logs: Configuration : Log Destinations

    Now create one log destination for Splunk and here forward the destination to the previously created log destination

    System >> Logs: Configuration : Log Destinations

    Now check if you got 2 log destinations:

    System >> Logs: Configuration : Log Destinations

    Now create one log Publisher:

    System >> Logs: Configuration :Log Publisher >> Log_pub_DCD

     

    Can you check your logging profie and see if Bot protection is selected:

     

     

    Select all the request log options of your choice

     

     

     

     

    Save the logging profile

     

     

    Attach/Assign this logging profile to the required Virtual Sever:

    I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:

     

    After that hopefuy you can also see the logs in the Bot 

    Hi  ,For Sending Security Logs yo BIG-IQ

    1. Add BIG-IP to the BIG-IQ CM

    2. Enable Web Application Security in BIG-IQ DCD

    3. Configuration of the Security Log profile

    4. Attach the log profile to the protected Virtual Servr

    5. Monitoring Profiles from BIG-IQ

     

    Can you please share the BOT Logging profile details.

     

    Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.

    Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.

     

    For more details could you plese check the link as follows:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html

    Have you 

    Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

    https://my.f5.com/manage/s/article/K51005651

     

    Creating a DCD Pool , do not forget to metion the service port as 8514

    Define this pool in Log Destination

    System >> Logs: Configuration : Log Destinations

    System >> Logs: Configuration : Log Destinations

     

    Now create one log destination for Splunk and here forward the destination to the previously created log destination

    System >> Logs: Configuration : Log Destinations

     

    Now check if you got 2 log destinations:

    System >> Logs: Configuration : Log Destinations

     

     

    Now create one log Publisher:

    System >> Logs: Configuration :Log Publisher >> Log_pub_DCD

    Can you check your logging profie and see if Bot protection is selected:

    Select all the request log options of your choice

     

     

     

    Save the logging profile

     

    Attach/Assign this logging profile to the required Virtual Sever:

    I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:

     

    After that hopefuy you can also see the logs in the Bot 

     

    Click o any log to see its details:

     

    Bot Traffic Dashboard

    Bot Traffic By Class

     

    Bot Traffic By Status

     

    Bot Traffic By Mitigation

     

    Bot Traffic Analytics

    Layer 7 Security Dashboard

    HTH

    F5 Design Engineer

    šŸ™

    ā€ƒ

     

     

  • Emon_423837's avatar
    Emon_423837
    Jun 06, 2023

    Hi F5_Design_Engineer,

    Thanks for given me your valuable time.

    One Correction:

    • You must add Splunk type log destination on log publisher, Not High Speed Log Destination. When I add HSLD profile on log publisher. Log publisher was invisible on logging profile.

    One more info: Our network desing was wrong. We want to reach out BIG-IP to DCD through management interface that was the problem. Because F5 Big-ip traffic not in or out through management port.

    Before :

    After:

     

    Best Regards,
    Md. Emon Hossain

     

     

  • Hi  Emon_423837 , 

    Control plane traffic can in and out from management interface as well based on you have to define a management route for that particual subnet like we do for normal routes. ou can give a try by adding MGMT route for DCD and see if it works. Based on my experience it hsould work as all our syslog servers for our hundresds of client we configure the SPLUNK or SYLOG reachablity thorugh MGMT interface by adding MGMT route insted of normal routes. MGMT routes cannot be created from GUI for that CLI is the only way. So give a try if not for this solution but it may be useful for other solutio in future.

    K13284: Overview of management interface routing (11.x - 17.x)

    Article Detail (f5.com)

    https://my.f5.com/manage/s/article/K13284

    Also thanks for the correction and thanks for acceping the solution. Highly appreciate it.

    Best regards, F5 Design Engineer.

     

    • Emon_423837's avatar
      Emon_423837
      Icon for Altocumulus rankAltocumulus

      Hi F5_Design_Engineer ,

      Thanks you. I want to know one things,

      Is it possible to any pool member (Pool_DCD) can send traffic over the management interface?

      Because I think when I create a pool for send bot&dos log for the DCD listener ip, f5 on big ip for sent log as a data traffic.

      (Attached image for visualize exact thing, what I want to say)

      When i do this type of connectivity some log will see not all log.

      Best Regards,

      Emon Hossain

       

       

       

  • Hi Emon_423837  ,

     

    For Sending Security Logs yo BIG-IQ

    1. Add BIG-IP to the BIG-IQ CM

    2. Enable Web Application Security in BIG-IQ DCD

    3. Configuration of the Security Log profile

    4. Attach the log profile to the protected Virtual Servr

    5. Monitoring Profiles from BIG-IQ

     

    Can you please share the BOT Logging profile details.

     

    Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.

    Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.

     

    For more details could you plese check the link as follows:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html

    Have you 

    Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

    https://my.f5.com/manage/s/article/K51005651

     

    Creating a DCD Pool

     

    Define this pool in Log Destination

    System >> Logs: Configuration : Log Destinations

    System >> Logs: Configuration : Log Destinations

    Now create one log destination for Splunk and here forward the destination to the previously created log destination

    System >> Logs: Configuration : Log Destinations

    Now check if you got 2 log destinations:

    System >> Logs: Configuration : Log Destinations

    Now create one log Publisher:

    System >> Logs: Configuration :Log Publisher >> Log_pub_DCD

     

    Can you check your logging profie and see if Bot protection is selected:

     

     

    Select all the request log options of your choice

     

     

     

     

    Save the logging profile

     

     

    Attach/Assign this logging profile to the required Virtual Sever:

    I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:

     

    After that hopefuy you can also see the logs in the Bot 

    Hi  ,For Sending Security Logs yo BIG-IQ

    1. Add BIG-IP to the BIG-IQ CM

    2. Enable Web Application Security in BIG-IQ DCD

    3. Configuration of the Security Log profile

    4. Attach the log profile to the protected Virtual Servr

    5. Monitoring Profiles from BIG-IQ

     

    Can you please share the BOT Logging profile details.

     

    Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.

    Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.

     

    For more details could you plese check the link as follows:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html

    Have you 

    Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

    https://my.f5.com/manage/s/article/K51005651

     

    Creating a DCD Pool , do not forget to metion the service port as 8514

    Define this pool in Log Destination

    System >> Logs: Configuration : Log Destinations

    System >> Logs: Configuration : Log Destinations

     

    Now create one log destination for Splunk and here forward the destination to the previously created log destination

    System >> Logs: Configuration : Log Destinations

     

    Now check if you got 2 log destinations:

    System >> Logs: Configuration : Log Destinations

     

     

    Now create one log Publisher:

    System >> Logs: Configuration :Log Publisher >> Log_pub_DCD

    Can you check your logging profie and see if Bot protection is selected:

    Select all the request log options of your choice

     

     

     

    Save the logging profile

     

    Attach/Assign this logging profile to the required Virtual Sever:

    I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:

     

    After that hopefuy you can also see the logs in the Bot 

     

    Click o any log to see its details:

     

    Bot Traffic Dashboard

    Bot Traffic By Class

     

    Bot Traffic By Status

     

    Bot Traffic By Mitigation

     

    Bot Traffic Analytics

    Layer 7 Security Dashboard

    HTH

    F5 Design Engineer

    šŸ™

    ā€ƒ

     

     

    • Emon_423837's avatar
      Emon_423837
      Icon for Altocumulus rankAltocumulus

      Hi F5_Design_Engineer,

      Thanks for given me your valuable time.

      One Correction:

      • You must add Splunk type log destination on log publisher, Not High Speed Log Destination. When I add HSLD profile on log publisher. Log publisher was invisible on logging profile.

      One more info: Our network desing was wrong. We want to reach out BIG-IP to DCD through management interface that was the problem. Because F5 Big-ip traffic not in or out through management port.

      Before :

      After:

       

      Best Regards,
      Md. Emon Hossain

       

       

  • Hi Emon_423837 ,

    Mixing control plane traffic and data plane traffic flwoing on same interfaces is not a good choice.

    F5 strongly discourages you to configure a pool memeber or health monitor to send data plane traffic or probes using the management network because the management network is not intended for production traffic.

    F5 recommends that the pool members/nodes reside on a network that is reachable through TMM interfaces so data plane trafic or health monitor probes are sent through TMM interfaces.

     

    When configuring management traffic, you should consider the following factors:

    • F5 strongly discourages you to configure a health monitor to send probes using the management network because the management network is not intended for production traffic. F5 recommends that the pool members/nodes reside on a network that is reachable through TMM interfaces so health monitor probes are sent through TMM interfaces.
    • F5 recommends that you add static routes for management traffic whose destination does not match the directly-connected management network. This configuration is useful when you handle SNMP traffic that is directed to an SNMP Manager that resides on another network, which is accessible only through the management network or other network services that are hosted on networks that are not accessible through the TMM interfaces.
    • A Virtual Clustered Multiprocessing (vCMP) host administrator can reconfigure the default management gateway for a vCMP guest. The applied configuration takes precedence and overrides the value configured on the vCMP guest.

      Note: F5 recommends that you test any such changes during a maintenance window and consider the possible impact on your specific environment.

       

    HTH

    Best regards

    F5 Design Engineer