F5 BIG-IP is an application delivery and security platform designed to improve the performance, availability, and security of applications deployed in on-premises, cloud, or hybrid environments. It is widely used for load balancing, traffic management, and application security, ensuring seamless and secure access to applications for users.
This feed source supports F5 LTM, ASM and APM products.
Integration Method: Syslog, HTTP Collector via F5 Telemetry Streaming
Tables: HTTP Activity, Network Activity
Setup Overview
Data from this source is ingested through the HTTP collector. Setup takes several steps:
DataBee
Creating an F5 BigIP datasource and getting the API key
Getting the datasource_id from the DataBee console
Getting the URL where F5 TS will send the data to
Getting the tenantid
BigIP
Setting up telemetry streaming
DataBee Configuration
Log into the DataBee console, navigate to the Data>Datasources tab and click on Add Data Source. Search for “bigip” and click it.
Select HTTP Collector as the ingest mechanism
Fill in the basic contact information
Select the defaults on the next dialog box
Click on generate new API key. Save this API Key as it will be used later. Click Submit
Navigate back to the Data>Datasource tab and click on the newly created F5 BIGIP card and copy the ID. This is the datasource_id that will be used later.
From the console, navigate to the system
Go to the HTTP Collector box and copy the Endpoint URL. We will require the domain. In this example us-demo-2-api.demo.databee.buzz is the domain. It will be used at a later step.
Navigate to “My Profile” and copy the Tenant ID value
BigIP Configuration
This integration leverages the DataBee HTTP collector, and events are sent via HTTPS. The logs can also be sent via syslog. To use the HTTP collector transport, F5 Telemetry Streaming has to be set up.
In the sample diagram below, DVWA is the application protected by F5.
For more information on F5 telemetry streaming, refer to:
Initial Setup
Downloading the RPM file
Install the Telemetry Streaming package on F5 BIG-IP. Refer to https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/quick-start.html
Navigate to iApps > Package Management LX and install the following packages:
Configure Logging Manually
If you are using a standard BIG-IP system (one that does not have restrictions on the number of virtual servers like the Per-App VE), use the following guidance to initially configure the system.
Create an iRule (localhost forwarder).
Local Traffic > iRules > iRule List
iRule Name | telemetry_local_rule |
Definition | when CLIENT_ACCEPTED { node 127.0.0.1 6514 } |
Create the virtual server for the local listener.
Local Traffic > Virtual Servers > Virtual Server List
Name | telemetry_local |
Description | Only required when TS is a local listener |
Source Address | 0.0.0.0/0 |
Destination Address/Mask | 255.255.255.254 |
Service Port | 6514 |
Protocol Profile (Client) | f5-tcp-progressive |
Source Address Translation | Auto Map |
iRules | telemetry_local_rule |
Default Persistence Profile | source_addr |
Create the pool.
Local Traffic > Pools > Pool List
Name | Telemetry |
Health Monitors | tcp |
New Members | Address: 255.255.255.254 Service Port: 6514 |
Create the Log Destination (Remote HSL):
System > Logs > Configuration > Log Destinations
Name | telemetry_hsl |
Type | Remote High-Speed Log |
Pool Name | Telemetry |
Protocol | TCP |
Create the Log Destination (Format):
System > Logs > Configuration > Log Destinations
Name | telemetry_formatted |
Type | splunk |
Forward To | telemetry_hsl |
Create the Log Publisher:
System > Logs > Configuration > Log Publisher
Name | telemetry_publisher |
Destinations | telemetry_formatted |
LTM Request Log profile
The Request Logging profile gives you the ability to configure data within a log file for HTTP requests and responses, in accordance with specified parameters.
Create an LTM Request Log Profile using the following TMSH command. Note: If you are creating the profile in the user interface, the \ characters are not required.
IMPORTANT: This step has been updated with the TS 1.18 release to include LTM response logging.
Create LTM Profile:
Create an LTM Request Log Profile:
Local Traffic > Profiles > Other > Request Logging > New Request Logging Profile
Name | telemetry_traffic_log_profile |
Parent Profile | request-log |
Request Logging | Enabled |
Template | event_source="request_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",virtual_name="$VIRTUAL_NAME",event_timestamp="$DATE_HTTP" |
HSL Protocol | TCP |
Pool Name | telemetry |
Response Logging | Enabled |
Log By Default | Enabled (Tick Mark) |
Template | event_source="response_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",virtual_name="$VIRTUAL_NAME",event_timestamp="$DATE_HTTP",http_statcode="$HTTP_STATCODE",http_status="$HTTP_STATUS",response_ms="$RESPONSE_MSECS" |
HSL Protocol | TCP |
Pool Name | telemetry |
Attach the profile to the virtual server:
Navigate to Local Traffic > Virtual Servers > Virtual Server List > [Virtual Server Name]
Go to Configuration: Advanced, search for “Request Logging Profile”, and add telemetry_traffic_log_profile.
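The following is an added example, not DataBee or F5 code: a strict parser for the key="value" lines that the two templates above produce, useful for checking what the local listener receives before trusting the fields downstream. It assumes values are emitted exactly as the template writes them (no escaping) and that $DATE_HTTP renders as an HTTP date containing a comma; the function name and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Field order copied from the request and response templates on this page.
REQUEST_KEYS = ["event_source", "hostname", "client_ip", "server_ip",
                "http_method", "http_uri", "virtual_name", "event_timestamp"]
RESPONSE_KEYS = REQUEST_KEYS + ["http_statcode", "http_status", "response_ms"]
EXPECTED = {"request_logging": REQUEST_KEYS, "response_logging": RESPONSE_KEYS}

# One key="value" pair; commas are allowed inside the quotes ($DATE_HTTP has one).
PAIR = re.compile(r'(\w+)="([^"]*)"(?:,|$)')

def parse_event(line):
    """Return (fields, problems); problems is empty when the line fits a template."""
    fields, problems, pos = {}, [], 0
    line = line.strip()
    while pos < len(line):
        m = PAIR.match(line, pos)
        if not m:
            problems.append(f"unparseable text at offset {pos}")
            break
        key, value = m.groups()
        if key in fields:
            problems.append(f"duplicate key {key}")  # first value is kept
        else:
            fields[key] = value
        pos = m.end()
    expected = EXPECTED.get(fields.get("event_source"))
    if expected is None:
        problems.append("unknown event_source")
    elif list(fields) != expected:
        problems.append("keys differ from template")
    for key in ("client_ip", "server_ip"):
        addr = fields.get(key, "").split("%")[0]  # drop a route-domain suffix (%ID)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{key} is not an IP address")
    if not fields.get("http_statcode", "0").isdigit():
        problems.append("http_statcode is not numeric")
    return fields, problems

# Constructed sample lines (not captured from a real BIG-IP).
GOOD = ('event_source="response_logging",hostname="bigip1.example.test",'
        'client_ip="192.0.2.10",server_ip="198.51.100.5",http_method="GET",'
        'http_uri="/login.php",virtual_name="/Common/app_vs",'
        'event_timestamp="Tue, 05 Mar 2024 10:15:30 GMT",http_statcode="200",'
        'http_status="200 OK",response_ms="12"')
REPEATED = GOOD.replace('http_uri="/login.php"', 'http_uri="/a",client_ip="203.0.113.9"')
```

Calling parse_event(GOOD) returns all eleven fields with no problems, while parse_event(REPEATED) reports the repeated client_ip key and keeps the first value; lines that report problems are candidates for quarantine rather than normal ingestion.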
Declarations
This step tells F5 BIGIP about the DataBee collector. The declaration is pushed to F5 BigIP via an HTTP call. You will need to get the following information from DataBee:
HTTP domain - Only use the domain
APIkey
TenantID
Datasource ID
Once you have this information, use a curl command or a tool like Postman to make the HTTP request.