cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

WAF Event Log on BIG-IQ not Real - Time

Hoang_Hung
Altostratus
Altostratus

Hi all

We have BIG-IQ system. But At this time WAF event log on BIG-IQ not real -time

We have check event log on BIG-IP Device all ok. But on BIG-IQ not real -time

Plz help me

BIG-IQ: Time: Last Event log: July 21,2020

BIG-IP: Device: always real time

 

Thanks all

Event Log BIG-IQ

 

0691T000009i5FpQAI.png

Event Log BIG-IP

0691T000009i5FlQAI.png

18 REPLIES 18

Ivan_Chernenkii
F5 Employee
F5 Employee

Hello Hoang,

 

Do you have different time for the same "Support ID"?

Do you configure dns and ntp on BIG-IP and BIG-IQ?

 

Thanks, Ivan

Hi  

Thanks you so much.

We have configuration DNS and NTP on BIG-IQ and BIG-IP.

But I done know " Do you have different time for the same "Support ID"?" What is Support ID ?

 

Thanks

Hung Hoang

For each request, which is logged on BIG-IP/BIG-IQ you have Support ID (id of logged request).

On your screenshot from BIG-IQ it is mentioned in "Support ID" column.

On BIG-IP it could be seen in "All Details" of selected request, also you can use filer to find needed one.

Hi  

Thanks you.

I have check and at this time on BIG-IP i cann't find all log befor Jul,21,2020.

On BIG-IQ we only check log only day Jul,21,2020.

 I have check. event log WAF on BIG-IQ ( depend on other policy WAF). At this time policy it dont have on BIG-IP.

 

Thanks

Hung Hoang

Dojs
Cirrostratus
Cirrostratus

Check the time of Support ID *6091 on BIG IP. To validate the right time

Hi  

I have check support ID *6091 on BIG-IP but It is not have on BIG-IP. I have check , log on BIG-IQ depend on other Policy. and now on BIG-IP havent policy it.

==> So I cannt find it.

 

Thanks

Hung Hoang

Hoang_Hung
Altostratus
Altostratus

Hi  and  

Thank you so much.

I have check on BIG-IQ. I see that:

In Configuration > Security > WAF >Virtual Server: I see that: Virtual Server applied Policy WAF inactive. But

Configuration >Local Traffic > Virtual Server : It's still with Active.

===> I think ===> No event log on BIG-IQ.

 

 

0691T000009i8XcQAI.jpg

In Local Traffic > VIP:

0691T000009i8XhQAI.jpg

plz help us

 

Thanks

Hung Hoang

Hello Hung,

 

It looks like your BIG-IP and BIG-IQ are out of sync - you have VS with policy and logging profile on BIG-IP, but not on BIG-IQ, that is why on BIG-IQ you don't see any logs anymore.

I suggest to create needed configuration on BIG-IQ and then deploy it to all appropriate BIG-IPs.

About inactive policy - you need to make it active.. Do you know how?

 

Thanks, Ivan

Hi  

I suggest to create needed configuration on BIG-IQ and then deploy it to all appropriate BIG-IPs. : I degree.

But. and now Virtual Server on WAF: inactive so we can not deploy from BIG-IQ to BIG-IP

(Note: On Virtual Server ( Local Traffic) BIG-IP and BIG-IQ still Activc (Previous picture)

Ivan: " About inactive policy - you need to make it active.. Do you know how? " At this time I not solution it yet"

Do you know how ?

 

Thanks

Hung Hoang

 

Hoang,

 

You have BIG-IP (may be several) and BIG-IQ, so it looks like pretty complex configuration and issue can appear in different places, that is why it is not quite easy to understand what was happened, why and how to resolve it.

To activate policy try to deploy it first and then attach to VS.

 

Thanks, Ivan

Hi  

"To activate policy try to deploy it first and then attach to VS."

We have try but it's still error.!

 

Thanks

Hung Hoang

What error do you see?

Hi  

After I tshoot it. and now I can deploy WAF policy from BIG-IQ to BIG-IP.

But WAF event log still not real time .

Do you know idea for solution it ?

 

Thanks

Hung Hoang

So, AFAIU, currently you see requests logged on BIG-IP, but not on BIG-IQ. Right?

OR you see, that the same request (with the same support ID) is logged on BIG-IP and BIG-IQ, but with different time?

 

If request is logged on BIG-IP only, then most probably you don't have BIG-IQ remote logging profile attached to VS.

If you have such remote log profile, then please provide its configuration on BIG-IP and configuration of VS on BIG-IP.

 

Thanks, Ivan

Hoang_Hung
Altostratus
Altostratus

Hi  

Yep .Currently I see requests logged on BIG-IP, but not on BIG-IQ.

I have congfig remote log profile, then attached it to VS.

I sent to you information detail attach picture.

 

Thanks

Hung Hoang

0691T000009iCsZQAU.png0691T000009iCseQAE.png

Is 10.0.103.11 IP of LogNode or IP of BIG-IQ?... Make sure that BIG-IQ logging is configured through LogNode (https://techdocs.f5.com/kb/en-us/products/big-iq-security/manuals/product/bigiq-security-administrat...) and it is active.

 

Thanks, Ivan

Yep

IP address 10.0.103.11, 10.0.103.12 and 10.0.103.13 iss IP for Lof Node (BIG-IQ DCD)

all Node is active now .

 

Thanks

Hung Hoang

Hoang,

 

In such case, from configuration point of view, all looks correct and should work.

The only thing that you can do is gather tcpdumps on BIG-IP, Log Nodes, BIG-IQ and check how remote logging passes... and look at logs on BIG-IP, Log Nodes, BIG-IQ to find some errors.

There is no way to provide more help without access to the system.

 

If you won't find any other helpful debug information, then I would suggest you to open official SR for F5,

 

Thanks, Ivan