Forum Discussion

redadmin1972
Apr 08, 2025

High Speed Logging vs Telemetry Streaming (Logging to SIEM)

My goal is to send web application traffic logs from my virtual servers to an external SIEM. It looks like there are quite a few ways to approach this, so I want to check with the community to see what works best for you.

 

Ideally, this would be a high-volume configuration with logging enabled for 400+ public virtual servers. At a minimum, I would like to collect the client IP, user agent, URI path, virtual IP, virtual server name, pool, server name, and server-side response code.

 

I reviewed the overview here: Getting Started with iRules: Logging & Comments | DevCentral

 

It is clear that High Speed Logging (HSL) would be the preferred approach to ensure the resource and capacity burden is placed on the TMM (data plane) and not the control/management plane and to avoid writing to disk on the F5 BIG-IP host. I could write to syslog servers and forward these logs to my SIEM. HSL seems to be straightforward to configure, with a sample iRule looking like:

when CLIENT_ACCEPTED {
    set vs [IP::local_addr]:[TCP::local_port]

    # Open HSL connections with configured pools
    set hsl_pool_1 [HSL::open -proto UDP -pool Pool_Syslog_1]
    set hsl_pool_2 [HSL::open -proto UDP -pool Pool_Syslog_2]
}

when SERVER_CONNECTED {
    set client [IP::client_addr]:[TCP::client_port]
    set srv [IP::remote_addr]:[TCP::remote_port]

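    # Build the timestamp first; the brace-quoted format replaces the escaped quotes,
    # which Tcl would split into two arguments inside [clock format ...]
    set ts [clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}]
    set log_message "<134>Client: $client connected to $vs and routed to server $srv at $ts"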

    # Send logs to both HSL pools
    HSL::send $hsl_pool_1 $log_message
    HSL::send $hsl_pool_2 $log_message
}

 

However, when I searched through the DevCentral forums for references to SIEM logging, I found that most examples used Telemetry Streaming and AS3 for configuration. An official KB can be found here: Configure Azure sentinel or other telemetry consumer integration with BIG-IP, and there is an f5devcentral GitHub publication with configuration declarations for this approach for multiple SIEM vendors (e.g., analytics-vendor-dashboards/elastic at main · f5devcentral/analytics-vendor-dashboards for Elastic).

 

For a use case like mine that involves high-volume logging in BIG-IP, do you know if HSL or Telemetry Streaming would be best to minimize the impact on BIG-IP?
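
An added example, not part of the original post and not F5's own code: an HSL iRule that emits the fields listed in the question (client IP, user agent, URI path, virtual IP, virtual server name, pool, server, response code) on one line per response. The pool name Pool_Syslog_1 comes from the post; the key=value layout, the 512-character cap and the `clean` proc are assumptions.

```tcl
# Added example (assumed layout): one key=value syslog line per HTTP response.

proc clean {value} {
    # User-Agent and path are client-controlled. Cap the length, drop CR/LF and
    # replace double quotes so a crafted value cannot break the key="value"
    # framing the SIEM parser relies on.
    set value [string range $value 0 511]
    return [string map [list "\r" "" "\n" "" "\"" "'"] $value]
}

when CLIENT_ACCEPTED {
    # One HSL handle per connection; Pool_Syslog_1 is the pool name from the post.
    set hsl [HSL::open -proto UDP -pool Pool_Syslog_1]
    set client_ip [IP::client_addr]
    set vip [IP::local_addr]:[TCP::local_port]
}

when HTTP_REQUEST {
    # Capture request-side fields here; in HTTP_RESPONSE the HTTP::header
    # command reads the response headers instead.
    set ua [call clean [HTTP::header value "User-Agent"]]
    set path [call clean [HTTP::path]]
    set vs_name [virtual name]
}

when HTTP_RESPONSE {
    set ts [clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}]
    # <134> is syslog priority local0.info, as in the post's sample iRule.
    set line "<134>$ts client_ip=$client_ip ua=\"$ua\" path=\"$path\""
    append line " vip=$vip vs=$vs_name pool=[LB::server pool]"
    append line " server=[LB::server addr]:[LB::server port] status=[HTTP::status]"
    HSL::send $hsl $line
}
```

Quoting the two client-controlled values and stripping quote and line-break characters keeps each event on one line with unambiguous field boundaries, which matters once detection rules key on `status=` or `client_ip=`.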

1 Reply

  • I'm following up to clear things up and ask a more direct question: Which one of these three logging options would be best for virtual server request/response logging at scale? If you have any insight, I would appreciate it! Thank you

    1. iRule logging (Link)
    2. Request Logging Profile (Link)
    3. Telemetry Streaming (Link - AS3 Config Link - Telemetry Streaming Config)

     

    PS. If you are having trouble getting the Telemetry Streaming/Event Listener logging (option 3) to work in the future, make sure to enable loopback addressing and create a route to the 255.255.255.254 virtual server address referenced in the docs:

    tmsh modify sys db tmm.tcl.rule.node.allow_loopback_addresses value true
    
    tmsh create net route 255.255.255.254 network 255.255.255.254/32 interface INTERNAL
    
    tmsh save sys config

    Loopback Issue Link

    Route Link