About logging profiles
Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs screens, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service.
You can use one logging profile for Application Security, Protocol Security, Advanced Firewall, and DoS Protection. By default, the system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. You can use the system-supplied logging profiles, or you can create a custom logging profile.
The logging profile records requests to the virtual server. By default, when you create a security policy using the Deployment wizard, the system associates the log illegal requests profile with the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.
Note: If running Application Security Manager on a BIG-IP system using Virtualized Clustered Multiprocessing (vCMP), for best performance, F5 recommends configuring remote logging to store Application Security Manager logs remotely rather than locally.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs: locally, remotely, or both. The storage filter determines what information gets stored. For remote logging, you can send logging files for storage on a remote system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not the responsibility of F5 Networks.
Creating a logging profile
You can create a custom logging profile to log application security events.
1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
2. Click Create. The New Logging Profile screen opens.
3. In the Profile Name field, type a unique name for the profile.
4. Select the Application Security check box. The screen displays additional fields.
5. On the Application Security tab, for Configuration, select Advanced.
6. By default, logs are stored locally. The Local Storage check box is selected and cannot be cleared unless you enable Remote Storage to store logs remotely. This prevents you from creating a logging profile that does not log any traffic.
   - To store logs locally only, leave the Local Storage check box selected.
   - To store logs remotely, select the Remote Storage check box.
   - To store logs both places, select both check boxes.
7. Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
8. From the Response Logging list, select one of the following options.
Option | Description |
Off | Do not log responses. |
For Illegal Requests Only | Log responses for illegal requests. |
For All Requests | Log responses for all requests when the Storage Filter Request Type is set to All Requests. (Otherwise, logs only illegal requests.) |
9. By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
10. By default, the system logs all requests. To limit the type of requests that the system or server logs, set up the Storage Filter.
11. If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging.
When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications.
Setting up remote logging
To set up remote logging, you need to have created a logging profile.
You can configure a custom logging profile to log application security events remotely on syslog or reporting servers.
1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
2. Click the name of the logging profile for which you want to set up remote logging.
3. Select the Remote Storage check box.
4. From the Remote Storage Type list, select the appropriate type:
   - To store traffic on a remote logging server like syslog, select Remote. Messages are in syslog format.
5. For the Protocol setting, select the protocol that the remote storage server uses: TCP (the default setting) or UDP.
6. If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging. The selected protocol applies to all remote server settings on this screen, including all server IP addresses.
7. For Server Addresses, specify one or more remote servers: type the Forwarder IP Address, type 11578 as the Port Number, and click Add.
8. If using the Remote storage type, for Facility, select the facility category of the logged traffic. Select LOG_LOCAL6.
Tip: If you have more than one security policy, you can use the same remote logging server for both applications and use the facility filter to sort the data for each.
9. If using the Remote storage type, in the Storage Format setting, you can specify how the log displays information, which traffic items the server logs, and what order it logs them:
   - To determine how the log appears, select Field-List to display the items in the Selected Items list in CSV format with a delimiter you specify; select User-Defined to display the items in the Selected Items list in addition to any free text you type in the Selected Items list.
   - To specify which items appear in the log, move items from the Available Items list into the Selected Items list.
   - To control the order in which predefined items appear in the server logs, select an item in the Selected Items list, and click the Up or Down button.
10. For Maximum Query String Size, specify how much of a request the server logs.
   - To log the entire request, select Any.
   - To limit the number of bytes that are logged per request, select Length and type the maximum number of bytes to log.
11. For Maximum Entry Length, specify how much of the entry length the server logs. The default length is 1K for remote servers that support UDP, and 2K for remote servers that support TCP and TCP-RFC3195. You can change the default maximum entry length for remote servers that support TCP.
12. If you want the system to send a report string to the remote system log when a brute force attack or web scraping attack starts and ends, select Report Detected Anomalies.
13. In the Storage Filter area, make any changes as required.
14. Click Update (or Finished, whichever is appropriate).
When you create a logging profile for remote storage, the system stores the data for the associated security policy on one or more remote systems. The system stores the data in Comma Separated Value (CSV) format or another format that you define.
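On the receiving server, each Field-List entry can be checked against the profile settings described above: the LOG_LOCAL6 facility, the Selected Items order, and the Maximum Entry Length. The following is an added example, not F5 code; the `ASM:` payload tag, the item names in `FIELDS`, quoted values, and the sample lines are assumptions constructed for illustration.

```python
import csv
import re

LOG_LOCAL6 = 22                          # syslog facility code for local6
MAX_ENTRY = {"udp": 1024, "tcp": 2048}   # default Maximum Entry Length (1K / 2K)
# Assumed item names; the order must mirror the profile's Selected Items list.
FIELDS = ["ip_client", "method", "uri", "request_status", "violations"]
ENTRY_RE = re.compile(r"^<(\d{1,3})>(.*?)\bASM:(.*)$")

def parse_entry(line, fields=FIELDS, delimiter=",", protocol="tcp"):
    """Parse one Field-List entry and flag anything that contradicts the profile."""
    line = line.rstrip("\r\n")
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not a syslog line with an ASM: payload")
    pri = int(m.group(1))
    # csv handles quoted values, so a delimiter inside a value does not split it.
    values = next(csv.reader([m.group(3)], delimiter=delimiter))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "expected_facility": (pri >> 3) == LOG_LOCAL6,
        # An entry at the length limit was probably cut; its last fields are unreliable.
        "truncated": len(line.encode("utf-8")) >= MAX_ENTRY[protocol],
        "field_mismatch": len(values) != len(fields),
        "event": dict(zip(fields, values)),
    }

# Constructed sample lines (documentation addresses, not captured traffic).
HDR = "Mar  3 10:15:02 bigip1.example.net ASM:"
SAMPLE_OK = ('<182>' + HDR + '"203.0.113.7","POST","/login.php","blocked",'
             '"Illegal parameter value, Attack signature detected"')
SAMPLE_WRONG_FACILITY = '<134>' + HDR + '"203.0.113.7","GET","/","passed",""'
SAMPLE_CUT = ('<182>' + HDR + '"203.0.113.7","GET","/search?q=' + "a" * 2000)[:1024]

if __name__ == "__main__":
    for name, line, proto in [("ok", SAMPLE_OK, "tcp"),
                              ("wrong facility", SAMPLE_WRONG_FACILITY, "tcp"),
                              ("cut", SAMPLE_CUT, "udp")]:
        r = parse_entry(line, protocol=proto)
        print(name, r["expected_facility"], r["truncated"], r["field_mismatch"])
```

Entries flagged `truncated` or `field_mismatch` should be kept but not trusted for their trailing fields; raising Maximum Entry Length or narrowing the Selected Items list reduces how often this happens.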