Problem with sending BotDefense logs to remote server

So there seems to be a gap in answering this. Before it gets too difficult it should be noted that remote logging for bot only supports Splunk format as a destination.

Environment

Not able to set up HSL for Bot Defense

Log Destinations, Log Publishers, Bot Defense Logging Profile

HSL for ASM/AdvWAF

Cause

Bot Defense only supports the splunk format destination

K15316506: How to send logs via High Speed Logging to Splunk

https://my.f5.com/manage/s/article/K15316506

K09439152: High Speed Logging (HSL) For Bot Defense

https://my.f5.com/manage/s/article/K09439152

Type: Specifies the type of log destination. Options are ArcSight, IPFIX (logs of IP traffic that are sent to an LTM pool of IPFIX collectors), Management Port, Remote High-Speed Log, Remote Syslog, and Splunk. (The Splunk format is a predefined format of key value pairs.) A table of settings appears below this field. The settings are customized for the log type.

The workaround is only if you do not have a Splunk formatted destination. But it will show up.

And of course you can use log stash to transform the log from Splunk to ELK in this scenario.

Hey! You're not doing anything wrong bot defense logging uses a different logging profile setup than ASM. Unfortunately, it doesn’t support remote log servers directly like ASM does. You’d need to forward the logs manually from local storage or use something like iRules or external log forwarding tools to get them to your remote server. Bit of a hassle, I know.

Hi Michal06​,

you need to configure remote logging. When you have a remote publisher configured, you can select it from the dropdown.

https://clouddocs.f5.com/training/community/f5cert/html/class8/module11/lab2.html

KR
Daniel