Technical Forum
Logging all AFM Rules

mplaksin0
Cirrus

Hello, I have multiple AFM rules, more than 300 distributed in multiple "rule-lists". Some have the "logging" option enabled and others do not.
I need to enable the "logging" option for all of the partition's rules. Is there a method for this, or some script?
Thank you


3 REPLIES

Ben_Novak
F5 Employee

I suggest extreme caution when looking to enable logging for every firewall rule in AFM.  Depending on load, it could use considerable resources.

Also consider configuring High Speed Logging (HSL) to send logs directly to a SIEM.  This will offload the local disk writes of regular logging.  https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-imple...

K15368: The BIG-IP AFM system logs network firewall events using the logging profile associated with the network firewall rule.  https://my.f5.com/manage/s/article/K15368

This article also has a ton of good information:  K13723376: Troubleshooting | BIG-IP AFM operations guide; https://my.f5.com/manage/s/article/K13723376#link_05_01

To answer your original question, a script is probably your best approach. I would look for a TMSH command to modify an AFM rule to enable logging. Then, depending on your skillset, it could be as simple as listing all the AFM rules in a text document or spreadsheet and wrapping that list in that command. Then you can apply it through the CLI, probably 20 at a time, or apply it all as a batch transaction. https://clouddocs.f5.com/cli/tmsh-reference/v16/modules/cli/cli_transaction.html

This could also be done via iControl REST, but the CLI is probably the quickest.
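As an added example (mine, not code from the thread or from F5), here is a Python script that does what Ben describes: read saved `tmsh list security firewall rule-list` output, find every rule in the partition that does not already have `log yes`, and emit the `modify ... rules modify { <rule> { log yes } }` commands wrapped in cli transactions of 20 commands each. It goes a little beyond the question: it also handles rules that live directly in `security firewall policy` objects, and it skips policy rules that only reference a rule-list. The input format, the `log yes|no` attribute name, the `rule-list` property on reference rules and the `rules modify` syntax are my assumptions from tmsh usage, not anything the thread states; the sample input is constructed, not captured from a BIG-IP.

```python
"""Emit tmsh commands that turn on logging for every AFM firewall rule.
Added example for this thread, not F5 code. Assumed, not stated in the thread:
input is `tmsh list security firewall rule-list` / `... policy` output, the rule
attribute is `log yes|no` (absent = default `no`), a policy rule that points at
a rule-list carries `rule-list <name>`, output is pasted into a tmsh session."""
import re
import sys
from dataclasses import dataclass
from typing import List

HEADER = re.compile(r"^security firewall (rule-list|policy) (\S+) \{$")

@dataclass
class Rule:
    kind: str                   # "rule-list" or "policy"
    container: str              # full path, e.g. /Common/rl_web
    name: str                   # rule name inside the container
    log: str                    # "yes" or "no"
    is_reference: bool = False  # policy rule that only points at a rule-list

def parse_rules(tmsh_output: str) -> List[Rule]:
    """Walk the brace-nested tmsh output and collect every rule."""
    rules: List[Rule] = []
    stack: List[str] = []       # names of the currently open { ... } blocks
    kind, current = "", None
    for raw in tmsh_output.splitlines():
        line = raw.strip()
        opens, closes = line.count("{"), line.count("}")
        if opens > closes:                      # line opens a block
            m = HEADER.match(line)
            if m:
                kind = m.group(1)
                stack.append(m.group(2))
            else:
                stack.append(line[:-1].strip())
                if len(stack) == 3 and stack[1] == "rules":   # a rule block
                    current = Rule(kind, stack[0], stack[2], "no")
                    rules.append(current)
        elif opens == closes:                   # property line, or "80 { }"
            if current is not None and len(stack) == 3:
                if line.startswith("log "):
                    current.log = line.split()[1]
                elif line.startswith("rule-list "):
                    current.is_reference = True
        else:                                   # line closes block(s)
            del stack[-(closes - opens):]
            if len(stack) < 3:
                current = None
    return rules

def rules_to_enable(rules: List[Rule], partition: str = "Common") -> List[Rule]:
    """Rules in the partition that do not already log; rule-list references skipped."""
    prefix = f"/{partition}/"
    return [r for r in rules
            if r.container.startswith(prefix) and not r.is_reference and r.log != "yes"]

def build_tmsh_script(rules: List[Rule], partition: str = "Common", batch_size: int = 20) -> str:
    """One cli transaction per batch: all-or-nothing, so a bad name rolls back one batch."""
    targets, out = rules_to_enable(rules, partition), []
    for i in range(0, len(targets), batch_size):
        out.append("create cli transaction")
        for r in targets[i:i + batch_size]:
            out.append(f"modify security firewall {r.kind} {r.container} "
                       f"rules modify {{ {r.name} {{ log yes }} }}")
        out.append("submit cli transaction")
    if targets:
        out.append("save sys config")
    return "\n".join(out)

# Constructed sample of `tmsh list` output; not captured from a real BIG-IP.
SAMPLE_LIST_OUTPUT = """\
security firewall rule-list /Common/rl_web {
    rules {
        allow-http {
            action accept
            destination {
                ports {
                    80 { }
                }
            }
            log yes
        }
        deny-rest {
            action drop
        }
    }
}
security firewall policy /Common/edge_policy {
    rules {
        web {
            rule-list /Common/rl_web
        }
        drop-rfc1918 {
            action drop
        }
    }
}
"""

if __name__ == "__main__":  # usage: python enable_afm_logging.py rulelists.txt [partition]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_OUTPUT
    print(build_tmsh_script(parse_rules(src), sys.argv[2] if len(sys.argv) > 2 else "Common"))
```

Run `tmsh list security firewall rule-list` (and `... policy`) on the BIG-IP, save the output to a file, run the script against it, review the generated commands, then paste each transaction into a tmsh session; the trailing `save sys config` persists the change. Each transaction is atomic, so a mistyped rule name fails one batch of 20 rather than leaving the partition half converted. Keep Ben's resource caveat in mind, and check that the logging profile attached to the affected virtual servers actually has a publisher before turning on 300 rules' worth of logging.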


mplaksin0
Cirrus

Hi Ben, how are you?
Thanks for the reply.
I'm not sure I understand. If I enable high speed logging, do I still have to generate scripts to enable logging on all rules?
Thanks

ACCEPTED SOLUTION

Yes. The enablement of logging on the different firewall rules will probably need to be scripted.

HSL (high speed logging) is just a destination to send those logs. That is configured in the security logging profile under the "Publisher".