on 04-Dec-2022 17:00 - edited on 06-Feb-2023 12:09 by LiefZimmerman
This technical article is intended for F5 XC users who are familiar with the HTTP Load Balancer with WAF security and with deploying and using the ELK Stack.
The focus is exclusively on integrating F5 XC security logs with ELK.
F5 Distributed Cloud (XC) WAAP provides SaaS-based services consisting of Web Application Firewall (WAF), API Security, Bot Defense and DDoS Mitigation. The platform also provides a centralized dashboard for management, monitoring, service visibility and observability.
Even though the F5 XC platform has a native dashboard for monitoring, many customers prefer to consolidate logs and telemetry from their various systems and platforms (including F5 XC) into their centralized SIEM, e.g. Splunk, QRadar, ELK, etc. For this reason, the Global Log Receiver on the F5 XC platform was released to fulfil this need.
The following are example use cases that make customers prefer to export F5 XC logs to their centralized SIEM:
- More control over log retention and data analytics (F5 XC includes 30 days of log retention in the base package)
- To comply with company security policy for log handling (keep logs on-premises instead of in the cloud)
F5 XC and ELK connection diagram
ELK Deployment and HTTP Receiver configuration
Note: In a production environment each ELK component (Elasticsearch, Logstash, Kibana) should be deployed separately, with HA configuration for resiliency. This tutorial only demonstrates how to integrate F5 XC with ELK, so ELK on Docker was chosen for easy deployment.