CirrusRequest for review of appropriateness of commands related to F5 log retention period setting
hello. My name is Muntae Kim.
Due to the EoTS of the BIG-IP SW used by our client, we are inevitably unable to open the case and would like to ask for your assistance.
1. Customer information:
- Model name: BIG-IP I7800
- SW information: TMOS 14.1.5
- License: LTM (Forward Proxy) + URL Filtering
- Configuration information: Decryption of 443 traffic outbound from the internal PC to the outside.
- Disk space for loading logs: approximately 200G
2. Review requirements
We have been instructed by our customer to load audit logs for ltm events and audit logs for more than 30 days, so we are considering setting this up considering the disk space of the I7800 product currently in operation. (Currently, audit logs are said to be kept for only about 4 days.)
Regarding log loading settings, refer to the following article (https://my.f5.com/manage/s/article/K13367) and try to set it according to the customer's environment. We would like to request a technical review to ensure that there are no issues.
2.1. Commands related to log rotation command execution frequency
A. Purpose of application: The script will be executed on a monthly basis and the log will be rotated (removed).
B. Command to be applied to customer: #mv /etc/cron.daily/logrotate /etc/cron.monthly/
2.2. Change how long log files can be removed
A. Purpose: By setting the variable value to 30, we want the logrotate script to delete log files older than the number of days specified in the Logrotate.LogAge database variable. We confirmed that by default the variable is set to 8, so our customer wants to configure it to delete archive copies older than 30 days.
B. Command to be applied to customer: #modify /sys db logrotate.logage value 30: Set in the range between 0 and 100
C. Save settings: #save /sys config
2.3. Change the number of archive copies the system keeps – no modification required
A. Purpose of application: Specifies the maximum number of log files that the system keeps for each log file. By default, the BIG-IP system is configured to keep up to 24 archive copies of each log file.
B. Result of self-review: We anticipate that no modifications will be necessary, but we request you to review whether modifications are necessary through this order.
C. Command to be applied to customer: #modify /sys log-rotate common-backlogs <value>: Set in the range between 0 and 100
D. Save settings: #save /sys config
thank you
I would be cognizant that you will be changing settings away from default values. This is usually not done unless there is a good use case. In your case, more logs means eating more space on /var/log. If you run out of space, TMM traffic may stop.
Logs should be offloaded from the F5 for retention. Syslog or HSL to something like Splunk. Logging on the F5 is meant to be either temporary or ephemeral to support troubleshooting, NOT audit requirements.
Finally, audit may be more unhappy with one running BIG-IP software out of support and full of CVEs! I would upgrade to either BIG-IP v15.x or 17.x.
