Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Integrate F5 Distributed Cloud remote logging with ELK

supicha_sungam
F5 Employee
F5 Employee

on ‎04-Dec-2022 17:00 - edited on ‎06-Feb-2023 12:09 by Community Manager

Scope

This technical article is useful for F5 XC users familiar with HTTP Load Balancer with WAF security and the implementation and use of the ELK Stack.

The focus is for F5 XC security logs integration with ELK exclusively.

Introduction

F5 Distributed Cloud (XC) WAAP provides SaaS based services which consist of Web Application Firewall (WAF), API Security, Bot Defense, DDos Mitigation. The platform also provides centralized dashboard for management, monitoring service visibility and observability.

supicha_sungam_0-1668046710459.png

Even F5 XC platform has native dashboard for monitoring, many customers prefer to consolidate log/telemetry from various systems/platforms (including F5 XC) to their centralized SIEM system e.g., Splunk, QRadar, ELK, etc. For this reason, Global Log Receiver on F5 XC platform was released to fulfil the need.

The following is example use cases which make customer prefer to export F5 XC log to their centralized SIEM

  • More control of log retention and data analytic (F5 XC has 30 days log retention included in based package)
  • To comply with company security policy for log handling (keep it on-prem instead of on-cloud)

F5 XC and ELK connection diagram

 

supicha_sungam_1-1668046783448.png

ELK Deployment and HTTP Receiver configuration

Note: ELK deployment should be separated on each component (Elasticsearch, Logstash, Kibana) and apply HA configuration for resiliency if deployed on production environment. In this tutorial I just demonstrate how to integrate F5 XC with ELK so ELK on Docker was chosen for easy deployment.

Step:

  • Type
    git clone https://github.com/deviantony/docker-elk.git ​
    to clone ELK stack files from github project
  •  Modify ./docker-elk/docker-compose.yml (by adding http receiver port 8080 under logstash section as shown below screenshot)
supicha_sungam_2-1668046783467.png
  • Modify ./docker-elk/logstash/pipeline/logstash.conf (by adding the following entry in red box)
supicha_sungam_3-1668046783489.png
  • Type
    sudo docker-compose up -d ​
    to start ELK stack in background
  • Type
    sudo docker ps​
     to check status of ELK stack containers
supicha_sungam_4-1668046783496.png
  • Once the ELK stack already up and running, then you can access to ELK GUI http://<ELK IP>:5601 using default username/password (elastic/changeme)

F5 XC Global Log Receiver configuration

Step:

  • On XC console, navigate to Shared Configuration > Manage > Global Log Receiver > Add Global Log Receiver
  • Apply the following configuration, once it done, click “Save and Exit”
supicha_sungam_5-1668046783518.png

Verify XC log populated on ELK

Step:

  • Generate attack traffic to the HTTP Load Balancer FQDN which is protected by F5 XC WAAP
  • On ELK GUI, navigate to Analytics > Discover and choose “logs-*” as data view. You will be able to see XC security log.
supicha_sungam_6-1668046783567.png

Create ELK Dashboard using parsed XC log

Step:

  • After XC log has been parsed, then you can create ELK dashboard using XC log data.
  • ELK Dashboard can be accessed on http://<ELK IP>:5601
  • The screenshot below shown ELK dashboard which contains the number of security events, attack percentage of each type of attack, demographic of origin country of attacker, URI path which was attacked.
supicha_sungam_7-1668046783608.png

Additional Links

F5 Distributed Cloud (XC) Services

F5 XC Global Log Receiver

 

Labels:
Version history
Last update:
‎06-Feb-2023 12:09
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC