Forum Discussion

Emon_423837
Jun 03, 2023

Bot Log is not showing in BIG-IQ

Hi, I am Emon and I am a new member of the F5 world. I am using BIG-IP 15.1.8.2 and BIG-IQ 8.3.0 (CM and DCD). The BIG-IQ is not showing the bot log as seen in the BIG-IP (ASM/WAF) itself. BIG-IP box's Ev...
  • F5_Design_Engineer
    Jun 04, 2023

    Hi Emon_423837  ,

     


    For sending security logs to BIG-IQ:

    1. Add BIG-IP to the BIG-IQ CM

    2. Enable Web Application Security in BIG-IQ DCD

    3. Configuration of the Security Log profile

    4. Attach the log profile to the protected Virtual Server

    5. Monitoring Profiles from BIG-IQ

     

    Can you please share the BOT Logging profile details.

     

    Actually, the BIG-IQ DCD has a listening service on port 8514, so we have to configure a log profile on the BIG-IP device to send events to port 8514.

    Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device; thus, we can watch these logs for troubleshooting and application visibility from the BIG-IQ CM.

     

    For more details, could you please check the following link:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html

    Have you activated the ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)?

    https://my.f5.com/manage/s/article/K51005651

     

    Creating a DCD Pool: do not forget to mention the service port as 8514

    Define this pool in Log Destination

    System >> Logs: Configuration : Log Destinations


     

    Now create one log destination for Splunk and here forward the destination to the previously created log destination

    System >> Logs: Configuration : Log Destinations

     

    Now check if you got 2 log destinations:

    System >> Logs: Configuration : Log Destinations

     

     

    Now create one log Publisher:

    System >> Logs: Configuration : Log Publisher >> Log_pub_DCD

    Can you check your logging profile and see if Bot protection is selected:

    Select all the request log options of your choice

     

     

     

    Save the logging profile

     

    Attach/Assign this logging profile to the required Virtual Server:

    I suspect you may have missed this step; otherwise, check all the steps once again with the help of the screenshots I attached here:

     

    After that, hopefully you can also see the logs in the Bot 

     

    Click on any log to see its details:

     

    Bot Traffic Dashboard

    Bot Traffic By Class

     

    Bot Traffic By Status

     

    Bot Traffic By Mitigation

     

    Bot Traffic Analytics

    Layer 7 Security Dashboard

    HTH

    F5 Design Engineer

    🙏

     

     

  • Emon_423837
    Jun 06, 2023

    Hi F5_Design_Engineer,

    Thanks for giving me your valuable time.

    One correction:

    • You must add a Splunk-type log destination to the log publisher, not a High Speed Log Destination. When I added the HSLD profile to the log publisher, the log publisher was invisible in the logging profile.

    One more piece of info: our network design was wrong. We wanted to reach the DCD from the BIG-IP through the management interface; that was the problem, because F5 BIG-IP traffic does not go in or out through the management port.


     

    Best Regards,
    Md. Emon Hossain
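
The checklist from this thread (logging profile with Bot protection attached to the virtual server, publisher, Splunk-type destination forwarding to the HSL destination, DCD pool on port 8514, and a path that does not use the management interface) can be walked as one chain. The following is an added example, not code from either poster or from F5; the dictionary layout and all object names and addresses are hypothetical and are not BIG-IP's configuration format.

```python
DCD_PORT = 8514  # DCD listener port given in the thread

def check_bot_log_path(cfg, virtual):
    """Walk virtual server -> logging profile -> publisher -> destinations -> pool.
    Returns a list of findings; an empty list means every link is in place."""
    vs = cfg["virtuals"].get(virtual)
    if vs is None:
        return [f"virtual server {virtual!r} not found"]
    profiles = [p for p in vs["log_profiles"]
                if cfg["log_profiles"].get(p, {}).get("bot_defense")]
    if not profiles:
        return ["no logging profile with Bot protection attached to the virtual server"]
    findings = []
    for prof in profiles:
        pub = cfg["publishers"].get(cfg["log_profiles"][prof].get("publisher"))
        if not pub:
            findings.append(f"{prof}: no log publisher selected")
            continue
        for name in pub:
            dest = cfg["destinations"].get(name, {})
            if dest.get("type") != "splunk":
                # Correction from the thread: the publisher takes the Splunk-type
                # destination, not the high-speed-log destination directly.
                findings.append(f"{name}: publisher must reference the Splunk-type destination")
                continue
            hsl = cfg["destinations"].get(dest.get("forward_to"), {})
            members = cfg["pools"].get(hsl.get("pool"), [])
            if not members:
                findings.append(f"{name}: does not forward to an HSL destination with a pool")
            for m in members:
                if m["port"] != DCD_PORT:
                    findings.append(f"{m['addr']}: port {m['port']} is not {DCD_PORT}")
                if m["via"] == "mgmt":
                    findings.append(f"{m['addr']}: reached via management interface")
    return findings

# Constructed sample (hypothetical names) with both problems reported in the thread.
SAMPLE = {
    "virtuals": {"vs_app": {"log_profiles": ["bot_log"]}},
    "log_profiles": {"bot_log": {"bot_defense": True, "publisher": "Log_pub_DCD"}},
    "publishers": {"Log_pub_DCD": ["hsl_dcd"]},
    "destinations": {
        "hsl_dcd": {"type": "hsl", "pool": "pool_dcd"},
        "splunk_dcd": {"type": "splunk", "forward_to": "hsl_dcd"},
    },
    "pools": {"pool_dcd": [{"addr": "192.0.2.10", "port": 8514, "via": "mgmt"}]},
}

if __name__ == "__main__":
    print(check_bot_log_path(SAMPLE, "vs_app"))
```
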