WAF Event Log on BIG-IQ not Real-Time
Hi all
We have a BIG-IQ system, but at this time the WAF event log on BIG-IQ is not real-time.
We have checked the event log on the BIG-IP device and all is OK, but on BIG-IQ it is not real-time.
Please help me.
BIG-IQ: Time: Last event log: July 21, 2020
BIG-IP: Device: always real time
Thanks all
Event Log BIG-IQ
Event Log BIG-IP
- Ivan_Chernenkii
Employee
Hello Hoang,
Do you have a different time for the same "Support ID"?
Do you configure DNS and NTP on BIG-IP and BIG-IQ?
Thanks, Ivan
- Hoang_Hung
Cirrus
Hi
Thank you so much.
We have configured DNS and NTP on BIG-IQ and BIG-IP.
But I don't know about "Do you have a different time for the same "Support ID"?" What is the Support ID?
Thanks
Hung Hoang
- Ivan_Chernenkii
Employee
For each request that is logged on BIG-IP/BIG-IQ, you have a Support ID (the ID of the logged request).
In your screenshot from BIG-IQ, it is mentioned in the "Support ID" column.
On BIG-IP it can be seen in "All Details" of the selected request; you can also use the filter to find the one you need.
- Dojs
Cirrostratus
Check the time of Support ID *6091 on BIG-IP to validate the right time.
- Hoang_Hung
Cirrus
Hi
I have checked Support ID *6091 on BIG-IP, but it is not on BIG-IP. I have checked: the log on BIG-IQ depends on another policy, and now BIG-IP doesn't have that policy.
==> So I can't find it.
Thanks
Hung Hoang
- Hoang_Hung
Cirrus
Hi and
Thank you so much.
I have checked on BIG-IQ. I see that:
In Configuration > Security > WAF > Virtual Server, I see that the Virtual Server with the applied WAF policy is inactive. But
in Configuration > Local Traffic > Virtual Server, it is still active.
===> I think ===> No event log on BIG-IQ.
In Local Traffic > VIP:
Please help us.
Thanks
Hung Hoang
- Ivan_Chernenkii
Employee
Hello Hung,
It looks like your BIG-IP and BIG-IQ are out of sync - you have a VS with a policy and logging profile on BIG-IP, but not on BIG-IQ, which is why you don't see any logs on BIG-IQ anymore.
I suggest creating the needed configuration on BIG-IQ and then deploying it to all appropriate BIG-IPs.
About the inactive policy - you need to make it active. Do you know how?
Thanks, Ivan
- Hoang_Hung
Cirrus
Hi
"I suggest creating the needed configuration on BIG-IQ and then deploying it to all appropriate BIG-IPs.": I agree.
But right now the Virtual Server on WAF is inactive, so we cannot deploy from BIG-IQ to BIG-IP.
(Note: on Virtual Server (Local Traffic), BIG-IP and BIG-IQ are still active (previous picture).)
Ivan: "About the inactive policy - you need to make it active. Do you know how?" At this time I have no solution for it yet.
Do you know how?
Thanks
Hung Hoang
- Hoang_Hung
Cirrus
Hi
Yep. Currently I see requests logged on BIG-IP, but not on BIG-IQ.
I have configured a remote log profile, then attached it to the VS.
I have sent you the detailed information in the attached picture.
Thanks
Hung Hoang
- Ivan_Chernenkii
Employee
Is 10.0.103.11 the IP of the LogNode or the IP of BIG-IQ? Make sure that BIG-IQ logging is configured through the LogNode (https://techdocs.f5.com/kb/en-us/products/big-iq-security/manuals/product/bigiq-security-administration-4-4-0/16.html) and that it is active.
Thanks, Ivan
- Hoang_Hung
Cirrus
Yep
IP addresses 10.0.103.11, 10.0.103.12 and 10.0.103.13 are the IPs for the Log Nodes (BIG-IQ DCD).
All nodes are active now.
Thanks
Hung Hoang