WAF Event Log on BIG-IQ not Real-Time

Hoang_Hung
Cirrus

Hi all

We have a BIG-IQ system, but at this time the WAF event log on BIG-IQ is not real-time.

We have checked the event log on the BIG-IP device and all is OK, but on BIG-IQ it is not real-time.

Please help me.

BIG-IQ: Time: Last Event log: July 21, 2020

BIG-IP: Device: always real time

 

Thanks all

[Screenshot: Event Log BIG-IQ]

[Screenshot: Event Log BIG-IP]

18 REPLIES

Ivan_Chernenkii
F5 Employee

Hello Hoang,

 

Do you have a different time for the same "Support ID"?

Did you configure DNS and NTP on BIG-IP and BIG-IQ?

 

Thanks, Ivan

Hi  

Thank you so much.

We have configured DNS and NTP on BIG-IQ and BIG-IP.

But I don't know about "Do you have different time for the same "Support ID"?" What is a Support ID?

 

Thanks

Hung Hoang

For each request which is logged on BIG-IP/BIG-IQ, you have a Support ID (the ID of the logged request).

On your screenshot from BIG-IQ it is shown in the "Support ID" column.

On BIG-IP it can be seen in "All Details" of the selected request; you can also use a filter to find the one you need.

Hi  

Thank you.

I have checked, and at this time on BIG-IP I can't find all logs before Jul 21, 2020.

On BIG-IQ we only check the log for the day Jul 21, 2020.

I have checked: the WAF event log on BIG-IQ depends on another WAF policy. At this time that policy does not exist on BIG-IP.

 

Thanks

Hung Hoang

Dojs
Cirrostratus

Check the time of Support ID *6091 on BIG-IP to validate the right time.

Hi  

I have checked Support ID *6091 on BIG-IP, but it does not exist on BIG-IP. I have checked: the log on BIG-IQ depends on another policy, and now BIG-IP does not have that policy.

==> So I can't find it.

 

Thanks

Hung Hoang

Hoang_Hung
Cirrus

Hi  and  

Thank you so much.

I have checked on BIG-IQ. I see that:

In Configuration > Security > WAF > Virtual Server: the virtual server with the WAF policy applied is inactive. But

in Configuration > Local Traffic > Virtual Server: it is still active.

===> I think ===> No event log on BIG-IQ.

[Screenshot]

In Local Traffic > VIP:

[Screenshot]

Please help us.

 

Thanks

Hung Hoang

Hello Hung,

 

It looks like your BIG-IP and BIG-IQ are out of sync: you have a VS with a policy and logging profile on BIG-IP, but not on BIG-IQ, which is why you don't see any logs on BIG-IQ anymore.

I suggest creating the needed configuration on BIG-IQ and then deploying it to all appropriate BIG-IPs.

About the inactive policy: you need to make it active. Do you know how?

 

Thanks, Ivan

Hi  

"I suggest to create needed configuration on BIG-IQ and then deploy it to all appropriate BIG-IPs.": I agree.

But right now the virtual server on WAF is inactive, so we cannot deploy from BIG-IQ to BIG-IP.

(Note: the virtual server (Local Traffic) on BIG-IP and BIG-IQ is still active (previous picture).)

Ivan: "About inactive policy - you need to make it active.. Do you know how?" At this time I do not have a solution for it yet.

Do you know how?

 

Thanks

Hung Hoang

 

Hoang,

 

You have BIG-IP (maybe several) and BIG-IQ, so it looks like a pretty complex configuration, and the issue can appear in different places. That is why it is not easy to understand what happened, why, and how to resolve it.

To activate the policy, try to deploy it first and then attach it to the VS.

 

Thanks, Ivan

Hi  

"To activate policy try to deploy it first and then attach to VS."

We have tried, but it's still an error!

 

Thanks

Hung Hoang

What error do you see?

Hi  

After I troubleshot it, I can now deploy the WAF policy from BIG-IQ to BIG-IP.

But the WAF event log is still not real time.

Do you have any idea for a solution?

 

Thanks

Hung Hoang

So, AFAIU, currently you see requests logged on BIG-IP, but not on BIG-IQ. Right?

OR do you see that the same request (with the same Support ID) is logged on BIG-IP and BIG-IQ, but with a different time?

If the request is logged on BIG-IP only, then most probably you don't have a BIG-IQ remote logging profile attached to the VS.

If you have such a remote log profile, then please provide its configuration on BIG-IP and the configuration of the VS on BIG-IP.

 

Thanks, Ivan
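
The two cases in the reply above can be told apart by matching events on Support ID. The following is an added example, not part of the original thread and not F5 tooling: the record layout, the sample Support IDs and times, and the 60-second tolerance are all constructed assumptions, and how the records are exported from each system is left open.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (Support ID, displayed event time).
BIGIP_EVENTS = [
    ("1000000000000000001", "2020-07-28 09:15:02"),
    ("1000000000000000002", "2020-07-28 09:15:40"),
    ("1000000000000000003", "2020-07-28 09:16:11"),
]
BIGIQ_EVENTS = [
    ("1000000000000000001", "2020-07-28 09:15:03"),
    ("1000000000000000002", "2020-07-28 11:15:40"),
]

# Next step per outcome, taken from the questions asked in the thread.
HINTS = {
    "bigip_only": "check the BIG-IQ remote logging profile attached to the VS",
    "time_mismatch": "check NTP/time settings on BIG-IP and BIG-IQ",
}

def triage(bigip, bigiq, max_skew=timedelta(seconds=60)):
    """Classify every BIG-IP Support ID by how it shows up on BIG-IQ."""
    iq_times = {sid: datetime.strptime(ts, FMT) for sid, ts in bigiq}
    result = {"ok": [], "time_mismatch": [], "bigip_only": []}
    for sid, ts in bigip:
        ip_time = datetime.strptime(ts, FMT)
        if sid not in iq_times:
            result["bigip_only"].append(sid)       # never reached BIG-IQ
        elif abs(iq_times[sid] - ip_time) > max_skew:
            result["time_mismatch"].append(sid)    # same request, clocks differ
        else:
            result["ok"].append(sid)
    return result

def next_steps(result):
    """Return the hints for the non-empty problem categories."""
    return [HINTS[k] for k in ("bigip_only", "time_mismatch") if result[k]]

if __name__ == "__main__":
    outcome = triage(BIGIP_EVENTS, BIGIQ_EVENTS)
    for category, ids in outcome.items():
        print(f"{category}: {ids}")
    for step in next_steps(outcome):
        print("next:", step)
```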

Hoang_Hung
Cirrus

Hi  

Yep. Currently I see requests logged on BIG-IP, but not on BIG-IQ.

I have configured a remote log profile, then attached it to the VS.

I am sending you the detailed information in the attached pictures.

 

Thanks

Hung Hoang

[Two screenshots attached]

Is 10.0.103.11 IP of LogNode or IP of BIG-IQ?... Make sure that BIG-IQ logging is configured through LogNode (https://techdocs.f5.com/kb/en-us/products/big-iq-security/manuals/product/bigiq-security-administrat...) and it is active.

 

Thanks, Ivan

Yep

IP addresses 10.0.103.11, 10.0.103.12 and 10.0.103.13 are the IPs of the Log Nodes (BIG-IQ DCD).

All nodes are active now.

 

Thanks

Hung Hoang

Hoang,

 

In that case, from a configuration point of view, everything looks correct and should work.

The only thing that you can do is gather tcpdumps on BIG-IP, Log Nodes, BIG-IQ and check how remote logging passes... and look at the logs on BIG-IP, Log Nodes, BIG-IQ to find any errors.

There is no way to provide more help without access to the system.

If you don't find any other helpful debug information, then I would suggest you open an official SR with F5.

 

Thanks, Ivan