
How To Configure Log Export

 

Description

This article is for customers who want to include F5 Silverline event activity in their own SIEM / Log Collection systems.

  • Log Export allows events that are generated by Silverline (DDoS mitigation, Threat Intelligence, WAF, iRules) to be transmitted in near-real time (UTC) to a secured log receiver.  
  • Customers can integrate or generate reports based on the data to assess the state of their security perimeter and threat mitigation strategy.

Important Note: Log Export is NOT enabled by default

1. In the Silverline Portal, navigate to Config

2. Check whether Log Export appears as an option

3. If not, contact the SOC to request it

 

Environment

  • Silverline DDoS
  • Silverline WAF
  • Threat Intelligence
  • iRules

 

Procedure

Important Note: Log Export 2 logs will be sent from each Point of Presence (mPop/rPoP) that a proxy is deployed in. To ensure you receive all log messages, you must add a specific list of F5 Silverline SNAT IPs to your firewall allow-list. Failure to do so may result in some, or all, log messages being undelivered.

If you have Log Export 1 enabled, please use the article "How To Upgrade my Log Export 1 Configuration to Log Export 2"

  1. Login to the F5 Silverline Customer Portal

  2. In the Portal, go to: Config > Log Export 
    Note: if you do not have an option for Log Export, open a support request with the Silverline SOC

  3. On the Log Export page, click the Create Endpoint option that corresponds to your log server
    • We currently support DataDog, LogDNA, Splunk Cloud, Sumo Logic, and Syslog

  4. On the Add Log Export Destination page:
    • Check the Event Types for which you wish to receive log data
    • From the Format drop-down box to the right of each event that you selected, choose the log format that the log data should be sent in
      • We currently support Syslog (RFC 3164), Syslog (RFC 5424), Comma Separated Key Values (CSKV), or JSON
    • In Destination Host enter the routable IP address for your log receiver
    • In Destination Port enter the TCP port for your log receiver
    • In Token enter the authentication token for your log receiver, if required
    • In TLS Strict Verification, choose this option if you want to use strict certificate validation.
       
      In Log Export 1 (LE1), customers could use a certificate chain that contains a self-signed cert (even as the last cert in the chain).
      Log Export 2 (LE2) supports both self-signed and CA-signed certs, but the TLS Strict Verification option must be OFF to provide the same functionality for self-signed certs as in LE1.
       
      When this option is turned ON, LE2 authenticates the customer's server cert using a list of known certificate authorities (CAs). When OFF, LE2 still creates a TLS connection but does NOT authenticate the server cert against the CA cert chain.
      Since self-signed certs are not signed by a CA, this authentication would fail for them, hence TLS Strict Verification must be OFF. The connection is still encrypted; only the client-side validation/authentication of the server cert is not done (it cannot be done for a self-signed cert), so with the option OFF LE2 does not confirm the identity of the server it is sending logs to.

      Note: Your log receiver must support TLS encryption
  5. Click Save and your configuration will be queued for global deployment
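
Receiver-side handling for the procedure above, as an added example that is not F5 code: it drops senders outside the SNAT allow-list and detects which of the four Log Export formats a received line uses. The SNAT ranges are placeholders, and the CSKV layout (comma-separated key=value pairs, no quoting) and all function names are assumptions.

```python
import ipaddress
import json
import re

# Constructed placeholder ranges (RFC 5737 documentation space). Replace with
# the F5 Silverline SNAT IP list you added to your firewall allow-list.
ALLOWED_SNAT = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA and MSG
RFC5424 = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)


def from_allowed_source(peer_ip):
    """True when the TCP peer address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_SNAT)


def _pri(value):
    """Split a syslog PRI value into facility and severity."""
    return {"facility": int(value) >> 3, "severity": int(value) & 7}


def parse_event(line):
    """Detect which Log Export format a received line uses and normalise it."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return {"format": "json", "fields": json.loads(line)}
        except ValueError:
            return {"format": "unparsed", "raw": line}
    m = RFC5424.fullmatch(line)
    if m:
        return {"format": "rfc5424", **_pri(m[1]), "timestamp": m[2],
                "host": m[3], "app": m[4], "rest": m[7]}
    m = RFC3164.fullmatch(line)
    if m:
        return {"format": "rfc3164", **_pri(m[1]), "timestamp": m[2],
                "host": m[3], "rest": m[4]}
    # Assumed CSKV layout: key=value pairs separated by commas, no quoting.
    pairs = [p.partition("=") for p in line.split(",")]
    if all(sep and key.strip() for key, sep, _ in pairs):
        return {"format": "cskv", "fields": {k.strip(): v.strip() for k, _, v in pairs}}
    return {"format": "unparsed", "raw": line}


def accept(peer_ip, line):
    """Return the parsed event, or None when the sender is not allow-listed."""
    return parse_event(line) if from_allowed_source(peer_ip) else None
```

Lines that come back as `unparsed`, or senders for which `accept` returns `None`, are worth counting and alerting on, since they indicate either a format mismatch with the portal setting or traffic from an unexpected source.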

 

Testing

Once the deployment has been completed, a Configuration box will display at the top of the Log Export page. You can generate a test message to test your configuration.

If you require additional assistance with your Log Export 2 configuration, please open a ticket with the F5 Silverline Security Operations Center by sending an email containing your request to support@f5silverline.com.

 
