F5 Networks BIG-IP LTM

The F5 Networks BIG-IP Local Traffic Manager (LTM) DSM for JSA collects network security events from a BIG-IP device by using syslog.

Before events can be received in JSA, you must configure a log source for JSA, then configure your BIG-IP LTM device to forward syslog events. Create the log source before events are forwarded, because JSA does not automatically discover or create log sources for syslog events from F5 BIG-IP LTM appliances.

F5 Networks BIG-IP LTM DSM specifications

When you configure F5 Networks BIG-IP LTM, understanding the specifications for the F5 Networks BIG-IP LTM DSM can help ensure a successful integration. For example, knowing what the supported version of F5 Networks BIG-IP LTM is before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the F5 Networks BIG-IP LTM DSM.

Table 1: F5 Networks BIG-IP LTM DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | F5 Networks |
| DSM name | F5 Networks BIG-IP LTM |
| RPM file name | DSM-F5NetworksBigIP-JSA_versionbuild_number.noarch.rpm |
| Supported version | 9.4.2 to 14.x |
| Protocol | Syslog |
| Event format | Syslog, CSV |
| Recorded event types | All events |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | F5 Networks product resources |

Syslog Log Source Parameters for F5 Networks BIG-IP LTM

Add an F5 Networks BIG-IP LTM log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from F5 Networks BIG-IP LTM:

Table 2: Syslog Log Source Parameters for the F5 Networks BIG-IP LTM DSM

| Parameter | Value |
| --- | --- |
| Log Source type | F5 Networks BIG-IP LTM |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP LTM devices. |

Configuring Syslog Forwarding in BIG-IP LTM

You can configure your BIG-IP LTM device to forward syslog events.

You can configure syslog for the following BIG-IP LTM software versions:

  • Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x

  • Configuring Remote Syslog for F5 BIG-IP LTM V10.x

  • Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8

Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x

You can configure syslog for F5 BIG-IP LTM V11.x to V14.x.

To configure syslog for F5 BIG-IP LTM V11.x to V14.x, take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.

  2. To log in to the Traffic Management Shell (tmsh), type the following command:

    tmsh

  3. To add a syslog server, type the following command:

    modify /sys syslog remote-servers add {<Name> {host <IP address> remote-port 514}}

    Where:

    • <Name> is a name that you assign to identify the syslog server on your BIG-IP LTM appliance.

    • <IP address> is the IP address of JSA.

    For example:

    modify /sys syslog remote-servers add {BIGIPsyslog {host 192.0.2.1 remote-port 514}}

  4. Save the configuration changes:

    save /sys config

    Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM V10.x

You can configure syslog for F5 BIG-IP LTM V10.x.

To configure syslog for F5 BIG-IP LTM V10.x, take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.

  2. Type the following command to add a single remote syslog server:

    bigpipe syslog remote server {<Name> {host <IP address>}}

    Where:

    • <Name> is the name of the F5 BIG-IP LTM syslog source.

    • <IP address> is the IP address of JSA.

    For example:

    bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}}

  3. Save the configuration changes:

    bigpipe save

    Note:

    F5 Networks modified the syslog output format in BIG-IP V10.x to include the use of local/ before the host name in the syslog header. The syslog header format that contains local/ is not supported in JSA, but a workaround is available to correct the syslog header. For more information, see https://kb.juniper.net/KB20922.

    Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8

You can configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8.

To configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8, take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.

  2. Type the following command to add a single remote syslog server:

    bigpipe syslog remote server <IP address>

    Where: <IP address> is the IP address of JSA.

    For example:

    bigpipe syslog remote server 192.0.2.1

  3. Type the following to save the configuration changes:

    bigpipe save

    The configuration is complete. Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

F5 Networks BIG-IP LTM Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

F5 Networks BIG-IP LTM sample event messages when you use the Syslog protocol

Sample 1: The following sample event message shows a Pool member's monitor status.

Table 3: Highlighted Fields

| JSA field name | Highlighted payload field name |
| --- | --- |
| Event ID | 01070638 is extracted from the event. |
| Destination IP v6 | 2001:20:5004:1606::89 is extracted from the event. |
| Destination Port | 8790 is extracted from the event. |
| Device Time | Nov 5 14:01:50 is extracted from the event. |
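
The following parser is an added example, not code from JSA or from the F5 Networks BIG-IP LTM DSM. It extracts the Table 3 fields from a pool member monitor status event and first drops the V10.x local/ prefix from the header host name; the sample lines are constructed, and the message layout, the function names, and the port separator rule are assumptions.

```python
import ipaddress
import re

# Constructed sample lines (not from the page); the layout after the header is
# an assumption chosen to carry the fields that Table 3 highlights.
SAMPLE_V11 = ("<133>Nov  5 14:01:50 bigip1 notice mcpd[5281]: 01070638:5: Pool "
              "/Common/app_pool member /Common/2001:20:5004:1606::89.8790 "
              "monitor status down.")
SAMPLE_V10 = ("<133>Nov  5 14:01:50 local/bigip1 notice mcpd[5281]: "
              "01070638:5: Pool member 192.0.2.10:80 monitor status down.")

HEADER = re.compile(r"^(?:<\d{1,3}>)?(?P<time>[A-Z][a-z]{2} +\d{1,2} "
                    r"\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
EVENT_ID = re.compile(r"\b(?P<id>[0-9a-f]{8}):\d+: ")
# Assumption: the port follows ':' for IPv4 members and '.' for IPv6 members.
MEMBER = re.compile(r"member (?:/[^/\s]+/)?(?P<addr>[0-9A-Fa-f:.]+)[.:]"
                    r"(?P<port>\d+)(?=\s|$)")

def strip_local_prefix(line):
    """Drop the V10.x 'local/' prefix from the header host field only."""
    m = HEADER.match(line)
    if not m or not m["host"].startswith("local/"):
        return line, False
    start = m.start("host")
    return line[:start] + line[start + len("local/"):], True

def parse_pool_member_event(raw):
    """Return the Table 3 fields as a dict, or None if the line does not fit."""
    # Remove CR/LF left over from copy and paste, as the page's note advises.
    line, had_prefix = strip_local_prefix(raw.replace("\r", "").replace("\n", ""))
    m = HEADER.match(line)
    ev = EVENT_ID.search(m["rest"]) if m else None
    mem = MEMBER.search(m["rest"]) if m else None
    if not (ev and mem):
        return None
    try:
        ip = ipaddress.ip_address(mem["addr"])
    except ValueError:
        return None  # reject text that only looks like an address
    ip_field = "Destination IP v6" if ip.version == 6 else "Destination IP"
    return {"Event ID": ev["id"], ip_field: str(ip),
            "Destination Port": int(mem["port"]),
            "Device Time": " ".join(m["time"].split()),
            "host": m["host"], "local_prefix": had_prefix}

if __name__ == "__main__":
    for sample in (SAMPLE_V11, SAMPLE_V10):
        print(parse_pool_member_event(sample))
```

This is not the workaround from KB20922; it only shows where the local/ prefix sits in the header and how the highlighted fields can be checked on a test line before you compare them with the Log Activity tab.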

Sample 2: The following sample event message shows that IP-INTELLIGENCE accepted a packet.

Table 4: Highlighted Fields

| JSA field name | Highlighted payload field name |
| --- | --- |
| Event ID | Accept is extracted from the event. |
| Source IP | 192.168.146.233 is extracted from the event. |
| Source Port | 47707 is extracted from the event. |
| Destination IP | 10.243.32.100 is extracted from the event. |
| Destination Port | 443 is extracted from the event. |
| Protocol | TCP is extracted from the event. |
| Device Time | Apr 23 08:16:55 is extracted from the event. |