Follow

How to edit, test, verify and delete Log Export Destinations

Description

  • How to edit configured log export destinations
  • How to test if log export destinations are working
  • How to delete log export destinations
  • How to verify Log Export version

Note: These all assume that a log export destination has already been configured.

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Threat Intelligence
  • Log Export 1 and LogExport 2

 

Procedure

  1. In the Portal, go to: Config > Log Export
  2. Any configured Log Export destinations appear here.
  3. Click one of the 3 buttons for the desired action:
    • Edit:  Allows the editing of the current Log Export destination.
    • Test:  Generates a Test Log message  to the configured destination. 
      • You can search your log server entries for the string, <reason=”mock test message, to locate the test message entry. In LE2 log format will be RFC5424.

        • If your log server has received this message, Log Export is correctly configured correctly.

        • If you do not receive the test message
      • Example Test Message:
        <134>1 0001-01-01T00:00:00Z sjc1.f5silverline.com log-export-formatter - - -  type=l7ddos, action="", client_ip_geo_location="", client_request_uri="", date_time="", dos_attack_detection_mode="", dos_attack_id="", dos_attack_latency="", dos_attack_name="", dos_attack_tps="", dos_baseline_latency="", dos_baseline_tps="", dos_baseline_traffic_percent="", dos_current_traffic_percent="", dos_dropped_requests_count="", dos_incoming_requests_count="", dos_mitigation_action="", dos_mitigation_reason="", errdefs_msg_name="", errdefs_msgno="", reported_entity_type="", severity="", client_ip="", support_id="", request_status="", reason="mock test message from : sjc1"
    • Delete:  Removes the Log Export Destination
    • LE2 can be recognized by fields:
      1. log-export-formatter (in LE1 it was log_export)
      2. proxy_id = diageo-27958 (in LE1 it was 27958)
    • log-export-formatter will be present in a log message only if the message format is RFC5424.
      By looking at log messages, we may not be able to say if a log is from LE1 or LE2 since LE2 is built to produce same output as of LE1(threepo).
      But due to the enhancements made to LE2, we may be able to look at some messages and say it is from LE2. For example,
      • LE2 processed l7ddos messages have source_ip field in them.
      • If msg format is RFC5424, LE1 msg has log-export as prefix to each message, where as log-export-formatter is the prefix for LE2 msgs.

Related Content

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request