Deploying BIG-IP Telemetry Streaming with Azure Sentinel as its consumer.

AZURE SENTINEL and BIG-IP

...with Telemetry Streaming!

This work was completed as a collaboration of Remo Mattei r.mattei@f5.com and Bill Wester b.wester@f5.com, feel free to email us if you have questions.

One of the things that I have discovered recently is how neat it is to be able to leverage Azure's new Sentinel to receive and display telemetry data from F5's BIG-IP devices. The devices don't even have to be in Azure: you could have dedicated hardware BIG-IPs and still send to Sentinel via Telemetry Streaming as your destination for statistics and logs. Let us explore a bit more how to get all of the moving pieces together into a single cohesive implementation.

Telemetry Streaming is a way for you to forward events and statistics from the BIG-IP system to your preferred data consumer and visualization application. You can do all of this by POSTing a single JSON declaration to a declarative REST API endpoint.  

Telemetry Streaming uses a declarative model, meaning you provide a JSON declaration rather than a set of imperative commands.  

 

More info can be found here:  https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/userguide/about-telemetry.html 

BIG-IP allows you to send logs to several external providers. Splunk, a well-known one, is among the most used out there. However, the new Azure Sentinel, a cloud solution, is something that many customers can take advantage of. This section will help in understanding how to set up BIG-IP to get the logs to Azure Sentinel.

Setup BIG-IP

First of all, this is broken into two parts. The first shows the logs of the BIG-IP System Metrics, like which OS and which modules are installed. The second is about the ASM module. The two have a few things in common: they use the TS RPM file, which is added to the BIG-IP, and the declaration, which tells the BIG-IP where to send the stream of data. To send data related to BIG-IP System Metrics, it is required to have AVR provisioned on the device. ASM is not required, but we use it here as an example of how to enable another module. Here is a screenshot from Azure which shows the required modules. One more important thing is that ASM will also need AFM enabled; otherwise you will not get logs in Azure.

ASM

 

Once the required modules are enabled, it will show:

 

System Metrics

 

 

Common components that you must install for this to work

First you need Telemetry Streaming:  

The TS RPM can be found here on GITHUB: https://github.com/F5Networks/f5-telemetry-streaming/releases/ 

You can use Visual Studio Code to install the RPM, or your favorite way...

Here are some screenshots from VS Code, using the F5 Plugin. NOTE: in order to use VS Code to push AS3, DO, etc., you must install the F5 Plugin.

 

Open the command palette (on Mac it's Command+Shift+P); here you can search for RPM by just typing it in the box.

 

Select AS3 and make sure to install both AS3 and TS:


 

Select the version (probably latest is best here):


 

The Telemetry Streaming declaration looks like this:

{
    "class": "Telemetry",
    "My_Listener": {
        "class": "Telemetry_Listener",
        "port": 6514
    },
    "Poller": {
        "class": "Telemetry_System_Poller",
        "interval": 60,
        "enable": true,
        "trace": false,
        "allowSelfSignedCert": false,
        "host": "localhost",
        "port": 8100,
        "protocol": "http",
        "actions": [
            {
                "enable": true,
                "includeData": {},
                "locations": {
                    "system": true,
                    "virtualServers": true,
                    "httpProfiles": true,
                    "clientSslProfiles": true,
                    "serverSslProfiles": true
                }
            }
        ]
    },
    "Pull_Consumer": {
        "class": "Telemetry_Pull_Consumer",
        "type": "default",
        "systemPoller": [
            "Poller"
        ]
    },
    "Azure_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Azure_Log_Analytics",
        "workspaceId": "workspaceID",
        "passphrase": {
            "cipherText": "primkey"
        }
    },
    "schemaVersion": "1.12.0"
}

 

NOTE: You will need to get the workspaceId and the workspace primary key. You can use the Azure CLI for that:

az monitor log-analytics workspace list --out table 
CustomerId Location Name ProvisioningState PublicNetworkAccessForIngestion PublicNetworkAccessForQuery ResourceGroup RetentionInDays 
------------------------------------ ------------- ---------------------------------------------------------- ------------------- --------------------------------- ----------------------------- ------------------------- ----------------- 
a05d4bfb-27c8-49a6-96e2-351d2dc78c61 eastus adrianLA Succeeded Enabled Enabled adrian_rg_01 7 
63be43ed-b3f5-4e9f-bc92-226bb3393d11 eastus DefaultWorkspace-77c6ebef-d849-4527-a355-742d8d7d3fdc-EUS Succeeded Enabled Enabled defaultresourcegroup-eus 30 
2ccbd35a-dfdf-4a5e-ab5f-1d5314f52e4b southeastasia DefaultWorkspace-77c6ebef-d849-4527-a355-742d8d7d3fdc-SEA Succeeded Enabled Enabled defaultresourcegroup-sea 30 
9436f742-069a-4e29-aac0-e1258f7b1f87 westus2 calalangakslog Succeeded Enabled Enabled calalang-rg 30 
ac071b51-f0c6-43b6-8bef-16b9197fde0f westus2 edgar-log Succeeded Enabled Enabled defaultresourcegroup-eus 31 
555ae8d5-75bc-4058-becf-df510c09f8d3 westus2 DefaultWorkspace-77c6ebef-d849-4527-a355-742d8d7d3fdc-WUS2 Succeeded Enabled Enabled defaultresourcegroup-wus2 30 
f633bdb1-d560-43cd-a664-cc7a93ed8781 westus2 edgar-log-analytics Succeeded Enabled Enabled edgar-rg 30 
9334eb7c-16fc-4db9-a84f-5824a7177ccb centralus DefaultWorkspace-77c6ebef-d849-4527-a355-742d8d7d3fdc-CUS Succeeded Enabled Enabled defaultresourcegroup-cus 30 
091c2cf3-853d-4297-9001-41d2109c28ec westus DefaultWorkspace-77c6ebef-d849-4527-a355-742d8d7d3fdc-WUS Succeeded Enabled Enabled defaultresourcegroup-wus 30 
52471748-d9c7-46ba-9f9f-72ed8e92a201 westus remo-analytics Succeeded Enabled Enabled remo-telemetry 30 
bc8e90ca-f59c-4fbf-a28b-213fe1cfcfda westus wester-log Succeeded Enabled Enabled wester_rg 30 

 

 

Here you can see the name of the resource group and the workspace; then run the following command:

az monitor log-analytics workspace get-shared-keys --resource-group wester_rg --workspace-name wester-log 

which will print out the primary key.

The workspaceId is the CustomerId column from the table above.

 

To install this declaration you can use POSTMAN, curl, or Visual Studio Code; we used Visual Studio Code.  

Copy the text into a new VS Code tab, make sure it's in JSON format, and then use the command palette to post it.

Verify by using the TS version shown at the bottom of VS Code; it will execute a GET to the BIG-IP that is connected.
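The declaration and the POST step above, as an added Python example that is not part of the original article: it fills the two placeholders (workspaceID, primkey) from environment variables, refuses to send the template unchanged, and POSTs to the standard TS endpoint /mgmt/shared/telemetry/declare. It assumes the BIG-IP management certificate is trusted by the client, and the environment variable names LA_WORKSPACE_ID, LA_PRIMARY_KEY, BIGIP_HOST, BIGIP_USER and BIGIP_PASS are assumptions.

```python
"""Fill in and push the article's Telemetry Streaming declaration (added example, not F5 code).
Assumes the secrets come from environment variables and the BIG-IP cert is trusted by the client."""
import base64
import copy
import json
import os
import urllib.request

TEMPLATE = {  # the article's declaration, trimmed; the two placeholders are substituted below
    "class": "Telemetry", "schemaVersion": "1.12.0",
    "My_Listener": {"class": "Telemetry_Listener", "port": 6514},
    "Poller": {"class": "Telemetry_System_Poller", "interval": 60},
    "Azure_Consumer": {"class": "Telemetry_Consumer", "type": "Azure_Log_Analytics",
                       "workspaceId": "workspaceID", "passphrase": {"cipherText": "primkey"}},
}
PLACEHOLDERS = {"workspaceID", "primkey", ""}


def build_declaration(workspace_id: str, primary_key: str) -> dict:
    """Return a copy of TEMPLATE with the real workspace id and shared key filled in."""
    if workspace_id in PLACEHOLDERS or primary_key in PLACEHOLDERS:
        raise ValueError("workspaceId and primary key must be real values, not placeholders")
    decl = copy.deepcopy(TEMPLATE)
    decl["Azure_Consumer"]["workspaceId"] = workspace_id
    decl["Azure_Consumer"]["passphrase"]["cipherText"] = primary_key
    return decl


def redact(decl: dict) -> dict:
    """Copy that is safe to print or commit: the shared key is a write credential for the workspace."""
    safe = copy.deepcopy(decl)
    safe["Azure_Consumer"]["passphrase"]["cipherText"] = "<redacted>"
    return safe


def post_declaration(host: str, user: str, password: str, decl: dict) -> dict:
    """POST the declaration to Telemetry Streaming on the BIG-IP and return its JSON response."""
    req = urllib.request.Request(f"https://{host}/mgmt/shared/telemetry/declare",
                                 data=json.dumps(decl).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " +
                   base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, timeout=60) as resp:  # verifies the BIG-IP certificate
        return json.load(resp)


if __name__ == "__main__":  # usage: export the five variables named in the lead-in, then run
    decl = build_declaration(os.environ["LA_WORKSPACE_ID"], os.environ["LA_PRIMARY_KEY"])
    print(json.dumps(redact(decl), indent=2))
    print(json.dumps(post_declaration(os.environ["BIGIP_HOST"], os.environ["BIGIP_USER"],
                                      os.environ["BIGIP_PASS"], decl), indent=2))
```

The key you POST is the workspace's write credential, so keep the filled-in declaration out of source control and log only the redacted copy.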

 

 

ASM 

In order to use ASM you will need to configure a VIP with the IP 255.255.255.254 and port 6514, as well as an iRule. This can be done with an AS3 declaration or TMSH.

Sample AS3 declaration:

{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "remark": "Example depicting creation of BIG-IP module log profiles",
    "Common": {
        "Shared": {
            "class": "Application",
            "template": "shared",
            "telemetry_local_rule": {
                "remark": "Only required when TS is a local listener",
                "class": "iRule",
                "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"
            },
            "telemetry_local": {
                "remark": "Only required when TS is a local listener",
                "class": "Service_TCP",
                "virtualAddresses": [
                    "255.255.255.254"
                ],
                "virtualPort": 6514,
                "iRules": [
                    "telemetry_local_rule"
                ]
            },
            "telemetry": {
                "class": "Pool",
                "members": [
                    {
                        "enable": true,
                        "serverAddresses": [
                            "255.255.255.254"
                        ],
                        "servicePort": 6514
                    }
                ],
                "monitors": [
                    {
                        "bigip": "/Common/tcp"
                    }
                ]
            },
            "telemetry_hsl": {
                "class": "Log_Destination",
                "type": "remote-high-speed-log",
                "protocol": "tcp",
                "pool": {
                    "use": "telemetry"
                }
            },
            "telemetry_formatted": {
                "class": "Log_Destination",
                "type": "splunk",
                "forwardTo": {
                    "use": "telemetry_hsl"
                }
            },
            "telemetry_publisher": {
                "class": "Log_Publisher",
                "destinations": [
                    {
                        "use": "telemetry_formatted"
                    }
                ]
            },
            "telemetry_traffic_log_profile": {
                "class": "Traffic_Log_Profile",
                "requestSettings": {
                    "requestEnabled": true,
                    "requestProtocol": "mds-tcp",
                    "requestPool": {
                        "use": "telemetry"
                    },
                    "requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\""
                }
            },
            "telemetry_security_log_profile": {
                "class": "Security_Log_Profile",
                "application": {
                    "localStorage": false,
                    "remoteStorage": "splunk",
                    "protocol": "tcp",
                    "servers": [
                        {
                            "address": "255.255.255.254",
                            "port": "6514"
                        }
                    ],
                    "storageFilter": {
                        "requestType": "illegal-including-staged-signatures"
                    }
                },
                "network": {
                    "publisher": {
                        "use": "telemetry_publisher"
                    },
                    "logRuleMatchAccepts": false,
                    "logRuleMatchRejects": true,
                    "logRuleMatchDrops": true,
                    "logIpErrors": true,
                    "logTcpErrors": true,
                    "logTcpEvents": true
                }
            }
        }
    }
}

 

To post an AS3 declaration like the one above, use Visual Studio Code:

Use the command menu and select F5 Post an AS3 Declaration from the tab into which you have pasted the code.

OUTPUT from the declaration above: 

 

 

iRule used 

 


Assign the Telemetry Policy to the Virtual Service by selecting the option in the advanced menu 
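The AS3 declaration above chains objects together with "use" pointers (pool -> HSL destination -> formatted destination -> publisher -> log profile), and AS3 rejects the whole declaration with an HTTP 422 when one of them does not resolve. As an added example that is not F5's code, this Python checker walks a constructed, shortened copy of the declaration and reports any short-name "use" pointer that no object in /Common/Shared defines; the AS3_DECL dictionary and the function names are assumptions of this example.

```python
"""Check that every "use" pointer in an AS3 declaration resolves (added example, not F5 code).
AS3 rejects a dangling reference with HTTP 422, so checking before the POST saves a round trip.
AS3_DECL is a constructed, shortened copy of the article's ASM logging declaration."""

AS3_DECL = {
    "class": "ADC", "schemaVersion": "3.10.0",
    "Common": {"Shared": {
        "class": "Application", "template": "shared",
        "telemetry_local_rule": {"class": "iRule",
                                 "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"},
        "telemetry_local": {"class": "Service_TCP", "virtualAddresses": ["255.255.255.254"],
                            "virtualPort": 6514, "iRules": ["telemetry_local_rule"]},
        "telemetry": {"class": "Pool", "members": [{"enable": True,
                      "serverAddresses": ["255.255.255.254"], "servicePort": 6514}]},
        "telemetry_hsl": {"class": "Log_Destination", "type": "remote-high-speed-log",
                          "protocol": "tcp", "pool": {"use": "telemetry"}},
        "telemetry_formatted": {"class": "Log_Destination", "type": "splunk",
                                "forwardTo": {"use": "telemetry_hsl"}},
        "telemetry_publisher": {"class": "Log_Publisher",
                                "destinations": [{"use": "telemetry_formatted"}]},
    }},
}


def _walk(node, path):
    """Yield (json_path, target) for every {"use": "<name>"} object in the declaration."""
    if isinstance(node, dict):
        if isinstance(node.get("use"), str):
            yield path, node["use"]
        for key, val in node.items():
            yield from _walk(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")


def dangling_references(decl: dict) -> list:
    """Short-name "use" pointers that no object declared in /Common/Shared satisfies.
    Full-path pointers (/Tenant/App/item) may target objects outside this declaration and are skipped."""
    shared = decl.get("Common", {}).get("Shared", {})
    defined = {k for k, v in shared.items() if isinstance(v, dict) and "class" in v}
    return [(p, n) for p, n in _walk(decl, "") if not n.startswith("/") and n not in defined]


if __name__ == "__main__":
    print(dangling_references(AS3_DECL) or "all references resolve")
```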

 

Once you have the modules installed and have configured the appropriate settings, like above, you will see data coming into Azure Sentinel. Here is an example:

ASM

System Metrics

For System Metrics to work, you will need to have AVR installed; you do not need an AS3 declaration or an iRule.

Once you have AVR installed and have pushed the declaration to the BIG-IP, you will need to execute the following commands on your BIG-IP:

tmsh modify analytics global-settings { offbox-protocol tcp offbox-tcp-addresses add { 127.0.0.1 } offbox-tcp-port 6514 use-offbox enabled } 
tmsh save /sys config 

 

Check the logs on your BIG-IP:

less /var/log/restnoded/restnoded.log 

 

You will see something like:  

Fri, 18 Sep 2020 06:36:04 GMT - info: [telemetry] Starting system poller Poller::Poller. Interval = 60 sec. 
Fri, 18 Sep 2020 06:36:04 GMT - info: [telemetry] 1 consumer plug-in(s) loaded 

 

Next you will need to go into the Azure Portal, and you can find a nice pre-defined Sentinel Workbook to view and start to work with:

Select the "template", fill in the correct workspace from the dropdown, then select the correct hostname from the dropdown, and you will start to see data showing up.

Azure Sentinel displaying the workbook

 

As you enable more modules, they will show up in Azure Sentinel, which will show how each one is enabled. You can also add / modify / enhance the workbook to show more of the data that the BIG-IP sends to Sentinel.

Remo and I hope you found this article helpful and enjoy using BIG-IPs with Sentinel!

Published Oct 26, 2020
Version 1.0
  • There's another mistake in this guide. For the ASM logs to get to Sentinel, the Security_Log_Profile declaration needs to have the IP address 127.0.0.1 in it - NOT the VIP 255.255.255.254. If you do that, it does not work.

  • One more note: the self IP on the chosen VLAN you're using for routing the 255.255.255.254 traffic needs to allow TCP 6514, either by setting the "port lockdown" to NONE or adding a custom port.

  • antonym I figured this out, somehow.  I needed to add a static route to the route table for the 255.255.255.254/32 address pointing to one of my existing VLANs.  This is my config for the route table, which allows the TCP monitor to work correctly:

    net route InternalTraffic {
        gw 10.133.7.17
        network 10.0.0.0/8
    }
    net route external_default_gateway {
        gw 10.133.5.1
        network default
    }
    net route telemetry {
        description "Allows monitor to work"
        interface /Common/internal
        network 255.255.255.254/32
    }

     

  • One of the reasons this doesn't work is that in the declaration above the guys have put a tcp monitor on the "telemetry" pool. A tcp connection attempt to 255.255.255.254 from the monitor fails (not sure why as the log profile uses TCP to route using that pool) but this marks the member down and the logging fails.

    I found the only way to get this to work is to remove the monitor. You should then be able to see traffic hitting the pool member. You can also test using a tcpdump :

    tcpdump -nn -A -s 0 -i any host 255.255.255.254

    - which will show the request logs hitting the local loopback (and you can see the request log data in the trace).

  • Hello Dojs,

    sorry for the late response. I will be happy to help if you still have issues. Let me know.

     

    Remo

  • Dojs

    I tried to run it, but I didn't find any policy created on the AS3 page. And it returned

     

    {

        "code": 422,

        "declarationFullId": "",

        "message": "Unable to find specified WAF policy /Common/test-policy for /Sample_app_sec_01/HTTP_Service/service/policyWAF"

    }

     

    I tried to build on an existing policy, a permit IP, but none of them works :(

  • Yes, you must have a WAF policy set; you can follow this guide:

     

    https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/application-security.html

     

    you'll note in each step there is a specified WAF policy like:

     

    "policyWAF": {

    "bigip": "/Common/test-policy"

    }

  • Dojs

    In my case I'm using AdvWAF and the node 255.255.255.254 doesn't come online. The VS was created as shown in AS3, but it didn't work.

    I did the same configuration on APM and it works. Is there some config to enable loopback on ASM first?