Bot Log is not showing in BIG-IQ

Question

Hi, I am Emon and I am new member at f5 world.

I am using BIG-IP 15.1.8.2 and BIG-IQ 8.3.0 (CM and DCD). The Big-IQ is not showing the bot log as seen in the BIG-IP (ASM/WAF) itself. BIG-IP box's Event Log all bot request is seen but biq iq bot request option show empty (image attached).

This type graph is seen but exact bot log request not seen.

I configure remote log publisher Remote High Speed Log within Splunk. I also select Local Publisher and Remote pubisher at a time.

More Info: BIG-IP and IQ connected through management ip. ASM/WAF log showing fine but Bot Request Log not showing.

Can you explain what happend that's why bot request log not showing. Please give me proper instruction how can I configure BIG-IP and IQ.

Thanks.

f5_design_engineer · Accepted Answer

Hi&nbsp;Emon_423837&nbsp;&nbsp;,
&nbsp;
For Sending Security Logs yo BIG-IQ
1. Add BIG-IP to the BIG-IQ CM
2. Enable Web Application Security in BIG-IQ DCD
3. Configuration of the Security Log profile
4. Attach the log profile to the protected Virtual Servr
5. Monitoring Profiles from BIG-IQ
&nbsp;
Can you please share the BOT Logging profile details.
&nbsp;
Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.
Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.
&nbsp;
For more details could you plese check the link as follows:
https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html
Have you&nbsp;
Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)
https://my.f5.com/manage/s/article/K51005651
&nbsp;
Creating a DCD Pool
&nbsp;
Define this pool in Log Destination
System &gt;&gt; Logs: Configuration : Log Destinations
System &gt;&gt; Logs: Configuration : Log Destinations
Now create one log destination for Splunk and here forward the destination to the previously created log destination
System &gt;&gt; Logs: Configuration : Log Destinations
Now check if you got 2 log destinations:
System &gt;&gt; Logs: Configuration : Log Destinations
Now create one log Publisher:
System &gt;&gt; Logs: Configuration :Log Publisher &gt;&gt; Log_pub_DCD
&nbsp;
Can you check your logging profie and see if Bot protection is selected:
&nbsp;
&nbsp;
Select all the request log options of your choice
&nbsp;
&nbsp;
&nbsp;
&nbsp;
Save the logging profile
&nbsp;
&nbsp;
Attach/Assign this logging profile to the required Virtual Sever:
I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:
&nbsp;
After that hopefuy you can also see the logs in the Bot&nbsp;
Hi&nbsp;&nbsp;,For Sending Security Logs yo BIG-IQ
1. Add BIG-IP to the BIG-IQ CM
2. Enable Web Application Security in BIG-IQ DCD
3. Configuration of the Security Log profile
4. Attach the log profile to the protected Virtual Servr
5. Monitoring Profiles from BIG-IQ
&nbsp;
Can you please share the BOT Logging profile details.
&nbsp;
Actually, the BIG-IQ DCD has a listening service in the 8514 port then we have to configure a log profile in the BIG-IP device to send events to the 8514 port.
Once it is configured, there will be security events in the BIG-IQ Central Management (CM) device, thus, we can already watch these logs for troubleshooting and applications visibility from BIG-IQ CM.
&nbsp;
For more details could you plese check the link as follows:
https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-bot-defense-using-big-iq/log-bot-defense-req-over-dcd.html
Have you&nbsp;
Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)
https://my.f5.com/manage/s/article/K51005651

&nbsp;
Creating a DCD Pool , do not forget to metion the service port as 8514

Define this pool in Log Destination
System &gt;&gt; Logs: Configuration : Log Destinations

System &gt;&gt; Logs: Configuration : Log Destinations

&nbsp;
Now create one log destination for Splunk and here forward the destination to the previously created log destination
System &gt;&gt; Logs: Configuration : Log Destinations

&nbsp;
Now check if you got 2 log destinations:
System &gt;&gt; Logs: Configuration : Log Destinations

&nbsp;
&nbsp;
Now create one log Publisher:
System &gt;&gt; Logs: Configuration :Log Publisher &gt;&gt; Log_pub_DCD

Can you check your logging profie and see if Bot protection is selected:

Select all the request log options of your choice
&nbsp;

&nbsp;
&nbsp;
Save the logging profile

&nbsp;
Attach/Assign this logging profile to the required Virtual Sever:

I am suspecting you may have missed this step, in case else check all the steps once again using the help of the screenshots I attached here:
&nbsp;
After that hopefuy you can also see the logs in the Bot&nbsp;

&nbsp;
Click o any log to see its details:
&nbsp;

Bot Traffic Dashboard

Bot Traffic By Class

&nbsp;
Bot Traffic By Status

&nbsp;
Bot Traffic By Mitigation

&nbsp;
Bot Traffic Analytics

Layer 7 Security Dashboard

HTH
F5 Design Engineer
🙏

&nbsp;
&nbsp;

f5_design_engineer · Answer

Hi&nbsp;&nbsp;Emon_423837&nbsp;,&nbsp;
Control plane traffic can in and out from management interface as well based on you have to define a management route for that particual subnet like we do for normal routes. ou can give a try by adding MGMT route for DCD and see if it works. Based on my experience it hsould work as all our syslog servers for our hundresds of client we configure the SPLUNK or SYLOG reachablity thorugh MGMT interface by adding MGMT route insted of normal routes. MGMT routes cannot be created from GUI for that CLI is the only way. So give a try if not for this solution but it may be useful for other solutio in future.
K13284: Overview of management interface routing (11.x - 17.x)
Article Detail (f5.com)
https://my.f5.com/manage/s/article/K13284
Also thanks for the correction and thanks for acceping the solution. Highly appreciate it.
Best regards, F5 Design Engineer.
&nbsp;

emon_423837 · Answer

Hi F5_Design_Engineer ,Thanks you. I want to know one things,Is it possible to any pool member (Pool_DCD) can send traffic over the management interface?Because I think when I create a pool for send bot&amp;dos log for the DCD listener ip, f5 on big ip for sent log as a data traffic.(Attached image for visualize exact thing, what I want to say)When i do this type of connectivity some log will see not all log.Best Regards,Emon Hossain&nbsp;&nbsp;&nbsp;

f5_design_engineer · Answer

Hi Emon_423837&nbsp;,
Mixing control plane traffic and data plane traffic flwoing on same interfaces is not a good choice.
F5 strongly discourages you to configure a pool memeber or health monitor to send data plane traffic or probes using the management network because the management network is not intended for production traffic.
F5 recommends that the pool members/nodes reside on a network that is reachable through&nbsp;TMM interfaces&nbsp;so data plane trafic or health monitor probes are sent through TMM interfaces.
&nbsp;
When configuring management traffic, you should consider the following factors:

F5 strongly discourages you to configure a health monitor to send probes using the management network because the management network is not intended for production traffic. F5 recommends that the pool members/nodes reside on a network that is reachable through TMM interfaces so health monitor probes are sent through TMM interfaces.
F5 recommends that you add static routes for management traffic whose destination does not match the directly-connected management network. This configuration is useful when you handle SNMP traffic that is directed to an SNMP Manager that resides on another network, which is accessible only through the management network or other network services that are hosted on networks that are not accessible through the TMM interfaces.
A Virtual Clustered Multiprocessing (vCMP) host administrator can reconfigure the default&nbsp;management gateway for a&nbsp;vCMP guest. The applied configuration takes precedence and overrides the value configured on the vCMP guest.
Note: F5 recommends that you test any such changes during a maintenance window and consider the possible impact on your specific environment.
&nbsp;

HTH
Best regards
F5 Design Engineer

Forum Discussion

Bot Log is not showing in BIG-IQ

Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

5 Replies

K13284: Overview of management interface routing (11.x - 17.x)

Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

Activate ASM Web Application Security events logging service for one or more BIG-IQ Data Collection Devices (DCD)

Recent Discussions

Geo Fence in ASM through irule for URI

Chrome V 124+ on MacOS - Virtual Server Access Issue

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Related Content

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

Security Best Practices for BIG-IP & BIG-IQ systems

Insufficient permissions BIG-IQ login error

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

What is BIG-IQ?