We have a BIG-IQ system, but at this time the WAF event log on BIG-IQ is not real-time.
We have checked the event log on the BIG-IP device and all is OK, but on BIG-IQ it is not real-time.
Please help me.
BIG-IQ: Time: Last event log: July 21, 2020
BIG-IP: Device: always real time
Event Log BIG-IQ
Event Log BIG-IP
For each request that is logged on BIG-IP/BIG-IQ, you have a Support ID (ID of the logged request).
In your screenshot from BIG-IQ it is mentioned in the "Support ID" column.
On BIG-IP it can be seen in "All Details" of the selected request; you can also use a filter to find the needed one.
I have checked, and at this time on BIG-IP I can't find all logs before Jul 21, 2020.
On BIG-IQ we only check the log for the day Jul 21, 2020.
I have checked the WAF event log on BIG-IQ (it depends on another WAF policy). At this time BIG-IP doesn't have that policy.
I have checked support ID *6091 on BIG-IP, but it is not on BIG-IP. I have checked: the log on BIG-IQ depends on another policy, and now BIG-IP doesn't have that policy.
==> So I can't find it.
Thank you so much.
I have checked on BIG-IQ. I see that:
In Configuration > Security > WAF > Virtual Server, I see that the Virtual Server with the applied WAF policy is inactive. But
in Configuration > Local Traffic > Virtual Server, it's still Active.
===> I think ===> No event log on BIG-IQ.
In Local Traffic > VIP:
Please help us.
It looks like your BIG-IP and BIG-IQ are out of sync - you have VS with policy and logging profile on BIG-IP, but not on BIG-IQ, that is why on BIG-IQ you don't see any logs anymore.
I suggest to create needed configuration on BIG-IQ and then deploy it to all appropriate BIG-IPs.
About inactive policy - you need to make it active.. Do you know how?
"I suggest to create needed configuration on BIG-IQ and then deploy it to all appropriate BIG-IPs.": I agree.
But now the Virtual Server on WAF is inactive, so we cannot deploy from BIG-IQ to BIG-IP.
(Note: the Virtual Server (Local Traffic) on BIG-IP and BIG-IQ is still Active (previous picture).)
Ivan: "About inactive policy - you need to make it active.. Do you know how?" At this time I don't have a solution for it yet.
Do you know how ?
You have BIG-IP (maybe several) and BIG-IQ, so it looks like a pretty complex configuration, and the issue can appear in different places; that is why it is not quite easy to understand what happened, why, and how to resolve it.
To activate policy try to deploy it first and then attach to VS.
So, AFAIU, currently you see requests logged on BIG-IP, but not on BIG-IQ. Right?
OR you see, that the same request (with the same support ID) is logged on BIG-IP and BIG-IQ, but with different time?
If request is logged on BIG-IP only, then most probably you don't have BIG-IQ remote logging profile attached to VS.
If you have such remote log profile, then please provide its configuration on BIG-IP and configuration of VS on BIG-IP.
Is 10.0.103.11 IP of LogNode or IP of BIG-IQ?... Make sure that BIG-IQ logging is configured through LogNode (https://techdocs.f5.com/kb/en-us/products/big-iq-security/manuals/product/bigiq-security-administrat...) and it is active.
In such case, from configuration point of view, all looks correct and should work.
The only thing that you can do is gather tcpdumps on BIG-IP, Log Nodes, BIG-IQ and check how remote logging passes... and look at logs on BIG-IP, Log Nodes, BIG-IQ to find some errors.
There is no way to provide more help without access to the system.
If you won't find any other helpful debug information, then I would suggest you to open official SR for F5,