
How to Configure Log Export

Description


This document describes how to configure Log Export 1, which will be decommissioned on November 15th, 2021. For current instructions on how to configure Log Export, see How to Configure Log Export 2.
  • Customers who would like to include F5 Silverline event activity in their own SIEM / Log Collection systems may do so via the Log Export functionality (not enabled by default).
  • Log Export allows events generated by Silverline (DDoS mitigation, Threat Intelligence, WAF) to be transmitted in near-real time, with timestamps in UTC, to a secured log receiver.
  • Customers can integrate or generate reports based on the data to assess the state of their security perimeter and threat mitigation strategy.

Important Note: Log Export is NOT enabled by default.

1. In the Silverline Portal, navigate to Config.

2. Check whether Log Export appears as an option.

3. If it does not, contact the SOC to request that it be enabled.

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Threat Intelligence
  • Log Export

 

Procedure

How to Configure Log Export

1. In the Portal, go to Config > Log Export.

2. Click the Add button.

3. Check the boxes for the configuration options you want to enable and fill in the destination details:

  • Message Types:  Select which event types (DDoS, L7 DDoS, WAF, iRules, Threat Intelligence) should be sent to the configured destination.  The types offered depend on the services you subscribe to (DDoS, WAF, iRules, Threat Intelligence), so the selection boxes may differ from those depicted in the image above.
  • Destination Host:  Enter the IP address of the receiver that will accept the logs.
    • Note:  The destination IP address must not be the same as any back-end IP address configured in your Proxy configurations.
    • Note:  Log Export does not currently support a destination specified by FQDN; an IP address is required.
  • Destination Port:  Enter the TCP port on which the receiver listens for the logs.
  • Format: Select the format for the log output (see Syslog (Wikipedia) for background on the syslog formats):
    • RFC3164 (Syslog)
    • RFC5424 (Enhanced Syslog)
    • Comma Separated Values (CSV)

4. Click Save to commit your changes.

Important Notes

  • As soon as you save the configuration, it is pushed to production, so have the receiver configured and listening before you save.

 

Log Export Transport Encryption

The Log Export system transmits data over TLS on TCP.

  • The log receiver on the customer's side must accept TCP connections on the specified port.
  • The log receiver must terminate TLS for that traffic; a plaintext TCP listener will receive an undecryptable byte stream.
  • The receiver (syslog destination) must present a server certificate; a self-signed certificate is acceptable.
  • Log Export is one-way TLS: the service does not present a client certificate, so the receiver must not require one. Because the receiver therefore cannot authenticate the sender with mutual TLS, restrict the listening port at the network layer to the source addresses from which the service connects (confirm these with the SOC).

Examples

Example Configuration: Splunk

Customization may be required based on your security policy and SSL certificate requirements.

<splunk_install_folder>/etc/system/local/inputs.conf

# One TLS listener per Log Export destination port; [tcp-ssl:...] not [tcp:...].
[tcp-ssl:6514]
#index = silverline_log_export

[tcp-ssl:6515]
#index = silverline_log_export

# TLS settings shared by all tcp-ssl inputs.
[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = <snip>
# Log Export is one-way TLS and never sends a client certificate, so do not require one.
requireClientCert = false
#sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

(Screenshot: splunk-input-gui.jpg)

 

Example Configuration: Logstash

Customization may be required based on your security policy and SSL certificate requirements.

input {
  tcp {
    type => "syslog"
    port => 6514
    # Log Export connects over TLS, so this input must terminate TLS.
    ssl_enable => true
    # One-way TLS: Log Export presents no client certificate, so do not verify one.
    ssl_verify => false
    ssl_cert => "/etc/logstash/rsth.crt"
    ssl_key => "/etc/logstash/rsth.key"
    tags => [ "syslog-over-tls", "to_redis" ]
  }
}

Any log receiver that accepts syslog over TLS on TCP is supported. Note that this is one-way TLS: the Silverline Log Export service does not send a client certificate to the receiver, so the receiver must not require client authentication (requireClientCert = false in Splunk, ssl_verify => false in Logstash above).

 

Other Collector/SIEM

If your collector/SIEM can receive and parse logs in any of the formats in which the logs are exported, you should be able to collect them. The available formats are:

  • Syslog RFC 3164 - BSD
  • Syslog RFC 5424 - Enhanced Syslog
  • Comma-separated Key Values
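The following is an added example (not F5 code and not from this article) showing how a receiver can tell the three export formats apart and parse each one: PRI decoding into facility and severity for the two syslog formats, structured-data extraction for RFC 5424, and quoted-field handling for CSV. The sample lines are constructed to follow the RFC 3164, RFC 5424 and CSV layouts; they are not real Silverline events, and the host, app names and SD-ID (example@32473) are illustrative placeholders.

```python
"""Detect and parse the three Log Export output formats from received lines."""
import csv
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines, one per export format. They follow the RFC 3164,
# RFC 5424 and CSV layouts but are NOT real Silverline events; the host, app
# names and SD-ID (example@32473) are illustrative placeholders.
SAMPLE_LINES = [
    '<134>1 2021-06-01T12:00:00.000Z silverline-edge wafd - - '
    '[example@32473 action="blocked" rule="xss"] constructed WAF event',
    '<131>Jun  1 12:00:00 silverline-edge ddosd: constructed DDoS event',
    '2021-06-01T12:00:00Z,silverline-edge,WAF,blocked,"xss, reflected"',
]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\](?:\[.*?\])*) ?(?P<msg>.*)$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (the TAG sits at the start of MSG)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# SD-PARAM inside RFC 5424 structured data: name="value" (escaped quotes allowed)
SD_PARAM_RE = re.compile(r'([\w@.-]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class LogExportEvent:
    fmt: str                         # "rfc5424", "rfc3164" or "csv"
    facility: Optional[int]          # PRI >> 3 for syslog formats, None for CSV
    severity: Optional[int]          # PRI & 7 for syslog formats, None for CSV
    host: Optional[str]
    msg: str
    fields: List[str] = field(default_factory=list)            # CSV columns
    structured: Dict[str, str] = field(default_factory=dict)   # RFC 5424 SD-PARAMs


def detect_format(line: str) -> str:
    """Classify one received line; anything that is not syslog is treated as CSV."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "csv"


def parse_line(line: str) -> LogExportEvent:
    fmt = detect_format(line)
    if fmt == "rfc5424":
        m = RFC5424_RE.match(line)
        pri = int(m["pri"])
        sd = {} if m["sd"] == "-" else dict(SD_PARAM_RE.findall(m["sd"]))
        return LogExportEvent(fmt, pri >> 3, pri & 7, m["host"], m["msg"], structured=sd)
    if fmt == "rfc3164":
        m = RFC3164_RE.match(line)
        pri = int(m["pri"])
        return LogExportEvent(fmt, pri >> 3, pri & 7, m["host"], m["msg"])
    # CSV: the csv module handles quoted fields that themselves contain commas.
    return LogExportEvent("csv", None, None, None, line, fields=next(csv.reader([line])))


def mismatched_lines(lines: List[str], configured_fmt: str) -> List[str]:
    """Lines whose format differs from the one the receiver's parser expects.

    A non-empty result is the usual cause of "unreadable logs": the Portal's
    Format setting and the receiver's parser disagree.
    """
    return [ln for ln in lines if detect_format(ln) != configured_fmt]
```

Run `mismatched_lines(received, "rfc5424")` (or whichever Format you selected in the Portal) over a sample of what the receiver actually stored; any lines it returns show that the export format and the receiver's parser do not agree.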

Common Issues

  • Setting up syslog as a source type instead of as the export Format results in unreadable logs.
  • Setting up a plain TCP listener without TLS results in unreadable logs, because the export is always TLS-encrypted.
  • Setting up the listener without an SSL certificate: a self-signed or any SSL certificate must be present on the receiver (syslog destination).
  • Verify the port configuration directly in inputs.conf: both [tcp-ssl:6515] and [tcp:6515] are displayed as tcp-raw in the Splunk GUI, so the GUI does not show whether TLS is enabled.
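Because the Splunk GUI does not distinguish a [tcp-ssl:<port>] stanza from a [tcp:<port>] one, the check has to be made against the file. The following is an added example (not F5 or Splunk code) that reads an inputs.conf and reports the mistakes described in the Transport Encryption section and the Common Issues above: a plain TCP listener on an export port, a missing server certificate, and requireClientCert set to true even though Log Export never presents a client certificate. The two inputs.conf texts are constructed samples, one broken and one corrected; they are not taken from any real system.

```python
"""Audit a Splunk inputs.conf against the Log Export receiver requirements."""
import configparser
from typing import List

# Constructed sample (not from any real system): the 6514 listener is correct,
# 6515 was created as plain [tcp:...] by mistake, and [SSL] wrongly demands a
# client certificate that the Log Export service will never present.
BROKEN_INPUTS_CONF = """\
[tcp-ssl:6514]
index = silverline_log_export

[tcp:6515]
index = silverline_log_export

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = <snip>
requireClientCert = true
"""

# The same constructed file after both mistakes are corrected.
FIXED_INPUTS_CONF = """\
[tcp-ssl:6514]
index = silverline_log_export

[tcp-ssl:6515]
index = silverline_log_export

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = <snip>
requireClientCert = false
"""


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like: [stanza] headers and key = value lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of keys such as requireClientCert
    cp.read_string(text)
    return cp


def audit_log_export_inputs(text: str, export_ports: List[int]) -> List[str]:
    """Return findings for each Log Export destination port and for the [SSL] stanza.

    An empty list means the file satisfies the requirements: a TLS listener on
    every export port, a server certificate, and no client-certificate requirement.
    """
    cp = parse_inputs_conf(text)
    stanzas = set(cp.sections())
    findings: List[str] = []

    for port in export_ports:
        if f"tcp-ssl:{port}" in stanzas:
            continue
        if f"tcp:{port}" in stanzas:
            # Both stanza kinds appear as "tcp-raw" in the GUI; only the file tells them apart.
            findings.append(f"port {port}: plain [tcp:{port}] listener; Log Export requires [tcp-ssl:{port}]")
        else:
            findings.append(f"port {port}: no listener stanza configured")

    if "SSL" not in stanzas:
        findings.append("[SSL] stanza missing; tcp-ssl inputs need a server certificate")
        return findings
    ssl = cp["SSL"]
    if not ssl.get("serverCert"):
        findings.append("[SSL] serverCert not set; the receiver must present a certificate (self-signed is acceptable)")
    if ssl.get("requireClientCert", "false").strip().lower() in ("true", "1"):
        findings.append("[SSL] requireClientCert is true; Log Export is one-way TLS and sends no client certificate")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_INPUTS_CONF), ("fixed", FIXED_INPUTS_CONF)):
        print(name, audit_log_export_inputs(text, [6514, 6515]) or ["OK"])
```

Point it at `<splunk_install_folder>/etc/system/local/inputs.conf` (or whichever app's local inputs.conf holds the listeners) with the list of Destination Ports you entered in the Portal; the audit only reads the file and changes nothing.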

(Screenshot: splunk-search.jpg)

 
