Forum Discussion
Bot Log is not showing in BIG-IQ
- Jun 04, 2023
Hi Emon_423837,
For sending security logs to BIG-IQ:
1. Add BIG-IP to the BIG-IQ CM
2. Enable Web Application Security in BIG-IQ DCD
3. Configuration of the Security Log profile
4. Attach the log profile to the protected Virtual Server
5. Monitoring Profiles from BIG-IQ
Can you please share the BOT Logging profile details?
Actually, the BIG-IQ DCD has a listening service on port 8514, so we have to configure a log profile on the BIG-IP device to send events to port 8514.
Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device; thus, we can watch these logs for troubleshooting and application visibility from BIG-IQ CM.
For more details, could you please check the link as follows:
Have you
Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)
https://my.f5.com/manage/s/article/K51005651
Creating a DCD Pool; do not forget to mention the service port as 8514
Define this pool in Log Destination
System >> Logs: Configuration : Log Destinations
Now create one log destination for Splunk and here forward the destination to the previously created log destination
System >> Logs: Configuration : Log Destinations
Now check if you got 2 log destinations:
System >> Logs: Configuration : Log Destinations
Now create one log Publisher:
System >> Logs: Configuration : Log Publisher >> Log_pub_DCD
Can you check your logging profile and see if Bot protection is selected:
Select all the request log options of your choice
Save the logging profile
Attach/Assign this logging profile to the required Virtual Server:
I suspect you may have missed this step; otherwise, check all the steps once again with the help of the screenshots I attached here:
After that, hopefully you can also see the logs in the Bot
Click on any log to see its details:
Bot Traffic Dashboard
Bot Traffic By Class
Bot Traffic By Status
Bot Traffic By Mitigation
Bot Traffic Analytics
Layer 7 Security Dashboard
HTH
F5 Design Engineer
🙏
- Jun 06, 2023
Thanks for giving me your valuable time.
One correction:
- You must add the Splunk-type log destination to the log publisher, not the High Speed Log Destination. When I added the HSLD profile to the log publisher, the log publisher was invisible in the logging profile.
One more piece of info: our network design was wrong. We wanted to reach the DCD from BIG-IP through the management interface; that was the problem, because F5 BIG-IP traffic does not go in or out through the management port.
Before :
After:
Best Regards,
Md. Emon Hossain
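The logging chain from the steps above, with this reply's correction applied (the publisher lists the Splunk-type destination, not the HSL one), written as tmsh commands. This is an added example, not posted by either participant: `192.0.2.10` is a placeholder for the DCD listener IP and `HSL_DCD` / `Splunk_DCD` are hypothetical object names; `Pool_DCD`, `Log_pub_DCD` and port 8514 come from the thread.

```tmsh
# Pool that points at the DCD listener (service port 8514, as in the thread).
# 192.0.2.10 is a placeholder address.
create ltm pool Pool_DCD members add { 192.0.2.10:8514 } monitor tcp

# Log destination 1: high-speed logging (HSL) to that pool.
# HSL_DCD is a hypothetical name.
create sys log-config destination remote-high-speed-log HSL_DCD pool-name Pool_DCD protocol tcp

# Log destination 2: Splunk formatting, forwarded to the HSL destination.
# Splunk_DCD is a hypothetical name.
create sys log-config destination splunk Splunk_DCD forward-to HSL_DCD

# Publisher references the Splunk-type destination only, per the correction.
create sys log-config publisher Log_pub_DCD destinations add { Splunk_DCD }

# Checks: two destinations exist, the publisher lists Splunk_DCD,
# and the pool member on 8514 is marked up by the monitor.
list sys log-config destination
list sys log-config publisher Log_pub_DCD
show ltm pool Pool_DCD members

save sys config
```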
Hi Emon_423837 ,
Control plane traffic can go in and out through the management interface as well, provided you define a management route for that particular subnet, like we do for normal routes. You can give it a try by adding a MGMT route for the DCD and see if it works. Based on my experience it should work, as for all the syslog servers of our hundreds of clients we configure SPLUNK or SYSLOG reachability through the MGMT interface by adding a MGMT route instead of normal routes. MGMT routes cannot be created from the GUI; for that, the CLI is the only way. So give it a try; if not for this solution, it may be useful for another solution in future.
K13284: Overview of management interface routing (11.x - 17.x)
https://my.f5.com/manage/s/article/K13284
Also, thanks for the correction and thanks for accepting the solution. Highly appreciate it.
Best regards, F5 Design Engineer.
- Emon_423837 (Altocumulus), Jun 08, 2023
Hi F5_Design_Engineer ,
Thank you. I want to know one thing:
Is it possible that any pool member (Pool_DCD) can send traffic over the management interface?
Because I think when I create a pool to send bot & DoS logs to the DCD listener IP, F5 on BIG-IP sends the logs as data traffic.
(Attached image to visualize exactly what I want to say)
When I do this type of connectivity, some logs are seen, not all logs.
Best Regards,
Emon Hossain