
Configuration of Remote High-Speed Logging in F5 BIG-IP

An efficient logging system provides a holistic view of the implemented systems, and the logs generated by the WAF, especially those for illegal and blocked requests, help to discover threats and attack vectors. In the case of F5 BIG-IP, the major limitation of local log storage is that only 3 million requests or 2 GB of storage is provisioned on the F5 WAF for logs. This limit leaves the administrator with the following options:

  • Either only log the illegal requests of the high-volume hosted services
  • Or use a log management system (a syslog server or other).

This leads the administrator to configure the logs to be sent to a remote server, using high-speed logging.

The version used for this configuration is F5 BIG-IP 16.1.3.3 Build 0.0.3 Point Release 3.


F5 BIG-IP High Speed Remote Logging

The whole configuration of high-speed remote logging is summarized and described below. First, ensure that the destination remote log servers are configured to listen for and receive log messages from the F5 BIG-IP system. You also need the IP address of the remote log servers and the service port used on them.

Create a SIEM Node

  • Create a node for the destination server
  • On the Main Tab:
  • Local Traffic > Node > Create


Create a SIEM service port pool

  • Create a pool with the service port of the destination server
  • On the Main Tab:
  • Local Traffic > Pool > Create

Select the desired Health Monitor and Service Port: define the service port in use, select the node from the Node List, and click ADD.

Then click the Finished button.

Create a Log Destination

  • Create a profile for High-Speed Logging:
  • On Main Tab:
  • System > Logs > Configuration > Log Destination


Then on the configuration panel:

  • Click Create
  • Select Remote High-Speed log type
  • Select the Pool Name (the previously created pool)

You can find out what each available option does by navigating to: Help Tab > Browse on the Options

Create Log destination with HSL

  • After creating the High-Speed Logging profile,
  • On the same tab:
  • System > Logs > Configuration > Log Destination
  • Create a new profile to define the specific format for the remote High-Speed Log.


On the forwarding destination: Select the previously created profile of remote High-Speed Logging for the specified port.

Create a Log Publisher

  • Then create a log publisher.
  • On Main Tab:
  • System > Logs > Configuration: Log Publishers


On the Configuration Panel:

  • Click on Create
  • Fill in the Name field and, in the Log Destination option, select the last created profile (the one that defines the log format).


Create a Logging profile

We need to create a new logging profile. This logging profile will be attached to the virtual server whose logs will be sent through high-speed remote logging.

  • On the Main Tab,
  • Security > Event Logs: Logging Profiles


On the configuration Panel:

  • Click on Create,
  • On the Application Security option – Check the option
  • Configure the server addresses and on the Storage Format – Select the required Items


Under DoS Protection, for Remote Publisher, select the Log Publisher (created in Step 5).

Under Bot Protection, select the classification types that the logging profile should log, then select the Log Publisher (created in Step 5).

Attach the logging profile on the virtual server whose logs need to be fetched on the remote log server.

  • On the Main Tab:
  • Local Traffic > Virtual Server
  • Select the Virtual Server, on the Security Tab:
  • Select the newly created logging Profile.

After all the configuration has been completed, verify that the F5 BIG-IP logs are arriving at the destination remote server.
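The same objects, from node to log publisher, plus the attach step, can be created from the tmsh prompt. This is an added example, not part of the original post. Every object name, the address 192.0.2.10, port 514, the TCP transport and monitor, and the Remote Syslog type with the rfc5424 format are assumptions, and the logging profile is assumed to have been created in the GUI as described above.

```tmsh
# Added example: commands entered at the tmsh prompt on the BIG-IP.
# Assumed values: 192.0.2.10:514 over TCP, all siem_* names, app_vs,
# and siem_logging_profile (the logging profile built in the GUI).

# 1. Node for the remote log server
create ltm node siem_node address 192.0.2.10

# 2. Pool holding the log server's service port, with a health monitor
create ltm pool siem_pool members add { siem_node:514 } monitor tcp

# 3. Remote High-Speed Log destination that sends to the pool
create sys log-config destination remote-high-speed-log siem_hsl pool-name siem_pool protocol tcp

# 4. Formatted destination that forwards to the HSL destination
create sys log-config destination remote-syslog siem_syslog remote-high-speed-log siem_hsl format rfc5424

# 5. Log publisher that references the formatted destination
create sys log-config publisher siem_pub destinations add { siem_syslog }

# Attach the logging profile to the virtual server
modify ltm virtual app_vs security-log-profiles add { siem_logging_profile }

# Checks: the pool member should be up, the publisher should list
# siem_syslog, and the virtual server should list the logging profile
show ltm pool siem_pool members
list sys log-config publisher siem_pub
list ltm virtual app_vs security-log-profiles

# Persist the configuration
save sys config
```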

Reference: F5 Tech Docs

This post is licensed under CC BY 4.0 by the author.