How I did it - "Configuring remote logging for F5 Distributed Cloud Services"
Up to this point all the "How I Did it" series installments have been focused on F5's flagship product, the BIG-IP. But not this time. For this installment I'll be turning my attention towards F5's latest offering, F5 Distributed Cloud (XC) Services. Specifically, I'll provide a brief overview of the concepts and steps required to enable log streaming from the F5 XC platform to third-party analytics and SIEM vendors.
Rather than including the step-by-step instructions, I've included a video walkthrough of the configuration process. Hey, if a picture is worth a thousand words, then a video has to be worth well…
F5 Distributed Cloud Services
F5 XC provides a global cloud-native platform where customers can deploy, manage and secure their applications regardless of whether the application resides in a public cloud, in a private data center, or in a colocation facility (see below). It provides a variety of both ADN and CDN services.
Although the F5 XC console UI provides very good observability natively, many enterprises prefer to aggregate their telemetry from various sources and centralize visibility/analytics down to a “single pane of glass”. To this end, the F5 XC platform includes the Global Log Receiver service.
Global Log Receiver
There are a few different options for remote logging from the F5 XC platform: querying an F5 XC API logging endpoint, configuring a basic log receiver, and the Global log receiver. A basic log receiver can be configured to send customer edge logs (in Syslog format only) to either a TCP or UDP endpoint. In contrast, a Global log receiver can be configured to securely send logs to a variety of vendor-specific endpoints over HTTP(s).
Multi-vendor support
The Global log receiver currently includes integrations with Splunk, Datadog, AWS S3, Azure Blob, and Azure Event Hubs. In addition, the log receiver includes a generic HTTP(s) configuration option. Additional vendor-specific integrations are currently being developed.
Log format
To ensure events are easily consumable across a variety of providers, the global log receiver delivers events in JSON format. Delivering JSON-formatted logs ensures they are ready to be parsed, visualized, and analyzed.
Namespaces
Namespaces provide logical grouping and isolation of objects within a Distributed Cloud tenant. A Global log receiver can be configured to select events associated with the current namespace, events from all namespaces within an F5 XC tenant, or events from one or more specific namespaces.
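To make the generic HTTP(s) option, the JSON event format and the namespace selection above concrete, here is an added example of a minimal receiving endpoint of the kind a Global log receiver could post to. It is not code from the original post or from F5. The bearer-token header, the batch encoding (a JSON array or newline-delimited JSON objects) and the event field names, including `namespace`, are assumptions; the real F5 XC event schema is not on this page, and the sample batch is constructed for illustration.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder shared secret; the same value would be configured on the sending
# side (assumption: the sender presents it as a bearer token header).
EXPECTED_TOKEN = "replace-with-a-long-random-token"

# Constructed sample batch in newline-delimited JSON. The field names are made up
# for illustration and are NOT the F5 XC event schema.
SAMPLE_BATCH = b"\n".join(
    json.dumps(ev).encode("utf-8")
    for ev in [
        {"namespace": "prod-apps", "vhost": "www-lb", "rsp_code": 200},
        {"namespace": "prod-apps", "vhost": "api-lb", "rsp_code": 403},
        {"namespace": "shared", "vhost": "intranet", "rsp_code": 502},
    ]
)


def parse_events(body: bytes) -> list:
    """Decode a posted batch as either a JSON array of objects or newline-delimited
    JSON objects. Raises ValueError on anything that is not a list of objects."""
    text = body.decode("utf-8").strip()
    if not text:
        return []
    if text.startswith("["):
        events = json.loads(text)
        if not isinstance(events, list):
            raise ValueError("expected a JSON array of events")
    else:
        # json.JSONDecodeError is a subclass of ValueError, so a bad line
        # surfaces to the caller as a ValueError as well
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        if not isinstance(event, dict):
            raise ValueError("each event must be a JSON object")
    return events


def select_namespace(events, allowed=None):
    """Keep events whose 'namespace' field (assumed key name) is in `allowed`.
    None keeps everything, mirroring the 'all namespaces' selection."""
    if allowed is None:
        return list(events)
    return [e for e in events if e.get("namespace") in allowed]


class LogReceiver(BaseHTTPRequestHandler):
    """Accepts POSTed JSON event batches. TLS is expected to be terminated in
    front of this handler (e.g. by a reverse proxy); it listens on loopback only."""

    def do_POST(self):
        presented = self.headers.get("Authorization", "")
        expected = "Bearer " + EXPECTED_TOKEN
        # Constant-time comparison so the token check does not leak timing
        if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            events = parse_events(self.rfile.read(length))
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode("utf-8"))
            return
        for event in select_namespace(events, allowed=None):
            # Replace this with a write to your SIEM or analytics pipeline
            print(json.dumps(event))
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LogReceiver).serve_forever()
```

Run it with `python receiver.py` and point a generic HTTP(s) sender at it through a TLS-terminating proxy; the handler rejects a missing or wrong token with 401 and a malformed batch with 400, so a misconfigured sender shows up in the receiver's access log rather than as silently dropped events. Filtering by namespace on the receiving side is shown for completeness; the selection is normally made in the Global log receiver configuration itself.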
Check it Out
Rather than walk you through the entire configuration, how about a movie? Click on the link (image) below for a brief walkthrough demo integrating the F5 Distributed Cloud (XC) Services platform with Splunk and Datadog.
Additional Links
F5 Distributed Cloud (XC) Services
F5 Distributed Cloud Services API Reference
- Walter_Kacynski (Cirrostratus)
Are there any user guides that describe the data format that the JSON events produce?
- Greg_Coward (Employee)
Hello, yes, there is information available on the output from various logging profiles; it can be found at https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/output-example.html.
In addition, you can view the output schema on GitHub at https://github.com/F5Networks/f5-telemetry-streaming/tree/master/examples/output.
Hope this helps,
Greg
- Walter_Kacynski (Cirrostratus)
The schema here is a bit confusing since the TS data is specific to BIG-IP modules. I'm not sure how these translate into the F5 XC versions. I need to look at bot defense and CSD components which are not part of the BIG-IP solution space.
- Machprod (Nimbostratus)
Hi,
In addition to that, can you speak about the Customer Edge Log Receiver for an Edge Deployment? In addition to the logs you mention, we could need technical logs from a CE.
For example, in a Secure Mesh Site > Advanced Configuration > Logs Streaming: which kind of logs can we retrieve, from which interface (inbound or outbound), does it consume resources, etc.?
Best R.
- Walter_Kacynski (Cirrostratus)
It would be really helpful if F5 were to partner with Splunk on a version of the Splunk Add-on for F5 BIG-IP (Splunkbase) that is supported for F5 XC customers.