Does anyone did traffic logging?

SWJO · ‎22-Jan-2020

Hi guys

I`m searching method which can logging or inspecting traffic information.

Target license are LTM and CGNAT.

I have looking for Telemetry streaming but that seems providing sampling information.

I need full traffic information not sampling data. also don`t need mirroring.

I think using i-Rule with HSL can be a method but I`m wondering how much traffic can be logging.

-> how much means about CPS 150K.

-> and BIGIP`s disk can be able to hold the logs.

NUT2889 · ‎22-Jan-2020

Hi,

Yes, the purpose of HSL is for syslog protocol. You can forward to external syslog server by TCP / UDP based on syslog receiver.

NUT2889 · ‎22-Jan-2020

Hi,

F5 not suggest to store log locally. From my experience F5 support recommend customer forward log to SIEM / Big Data Solution / BIG-IQ instead.

SWJO · ‎22-Jan-2020

Hi.

Then is there possible method not store logs in box but forward to remote?

NUT2889 · ‎22-Jan-2020

Hi,

Previously message might not clear for you. If we talk about technical perspective.

If you have security module running on F5 device.
1. Logging profile with local log publisher to store on F5 locally.
2. Logging profile with remote log publisher forward log to SIEM / Big Data / BIG-IQ
If you don't have security module on F5 device.
1. iRule to generate HSL by sending log to SIEM / Big Data / BIG-IQ
2. iRule for log locally

SWJO · ‎22-Jan-2020

Hi.

I don`t have security module.

So select 2.

there are 2 selections.

before select, I`m first time out HSL.

Does HSL can send syslog remote not store on BIGIP?

NUT2889 · ‎22-Jan-2020

Hi,

Yes, the purpose of HSL is for syslog protocol. You can forward to external syslog server by TCP / UDP based on syslog receiver.

SWJO · ‎22-Jan-2020

Hi.

Thanks for your advice.

DevCentral