Integrate F5 Distributed Cloud remote logging with ELK
This technical article is useful for F5 XC users familiar with HTTP Load Balancer with WAF security and the implementation and use of the ELK Stack.
The focus is for F5 XC security logs integration with ELK exclusively.
F5 Distributed Cloud (XC) WAAP provides SaaS based services which consist of Web Application Firewall (WAF), API Security, Bot Defense, DDos Mitigation. The platform also provides centralized dashboard for management, monitoring service visibility and observability.
Even F5 XC platform has native dashboard for monitoring, many customers prefer to consolidate log/telemetry from various systems/platforms (including F5 XC) to their centralized SIEM system e.g., Splunk, QRadar, ELK, etc. For this reason, Global Log Receiver on F5 XC platform was released to fulfil the need.
The following is example use cases which make customer prefer to export F5 XC log to their centralized SIEM
- More control of log retention and data analytic (F5 XC has 30 days log retention included in based package)
- To comply with company security policy for log handling (keep it on-prem instead of on-cloud)
F5 XC and ELK connection diagram
ELK Deployment and HTTP Receiver configuration
Note: ELK deployment should be separated on each component (Elasticsearch, Logstash, Kibana) and apply HA configuration for resiliency if deployed on production environment. In this tutorial I just demonstrate how to integrate F5 XC with ELK so ELK on Docker was chosen for easy deployment.
to clone ELK stack files from github project
git clone https://github.com/deviantony/docker-elk.git
- Modify ./docker-elk/docker-compose.yml (by adding http receiver port 8080 under logstash section as shown below screenshot)
- Modify ./docker-elk/logstash/pipeline/logstash.conf (by adding the following entry in red box)
to start ELK stack in background
sudo docker-compose up -d
to check status of ELK stack containers
sudo docker ps
- Once the ELK stack already up and running, then you can access to ELK GUI http://<ELK IP>:5601 using default username/password (elastic/changeme)
F5 XC Global Log Receiver configuration
- On XC console, navigate to Shared Configuration > Manage > Global Log Receiver > Add Global Log Receiver
- Apply the following configuration, once it done, click “Save and Exit”
Verify XC log populated on ELK
- Generate attack traffic to the HTTP Load Balancer FQDN which is protected by F5 XC WAAP
- On ELK GUI, navigate to Analytics > Discover and choose “logs-*” as data view. You will be able to see XC security log.
Create ELK Dashboard using parsed XC log
- After XC log has been parsed, then you can create ELK dashboard using XC log data.
- ELK Dashboard can be accessed on http://<ELK IP>:5601
- The screenshot below shown ELK dashboard which contains the number of security events, attack percentage of each type of attack, demographic of origin country of attacker, URI path which was attacked.