How To Configure Log Export

 

Log Export 1 was decommissioned on November 15th, 2021. Log Export 2 will be renamed Log Export.

Description

This article is for customers who want to include F5 Silverline event activity in their own SIEM / Log Collection systems.

  • Log Export allows events generated by Silverline (DDoS mitigation, Threat Intelligence, WAF, iRules) to be transmitted in near-real time (UTC) to a secured log receiver.
  • Customers can integrate the data or generate reports from it to assess the state of their security perimeter and threat mitigation strategy.

Important Note: Log Export is NOT enabled by default.

1. In the Silverline Portal, navigate to Config.

2. Check whether Log Export appears as an option.

3. If it does not, contact the SOC to request it.

 

Environment

  • Silverline DDoS
  • Silverline WAF
  • Threat Intelligence
  • iRules

 

Procedure

Important Note: Log Export logs are sent from each Point of Presence (mPoP/rPoP) in which a proxy is deployed. To ensure you receive all log messages, you must add the specific list of F5 Silverline SNAT IPs to your firewall allow-list. Failure to do so may result in some, or all, log messages being undelivered.
  1. Log in to the F5 Silverline Customer Portal

  2. In the Portal, go to Config > Log Export
    Note: if you do not have an option for Log Export, open a support request with the Silverline SOC

  3. On the Log Export page, click the Create Endpoint button that corresponds to your log server
    • We currently support Amazon S3, DataDog, LogDNA, Splunk Cloud, Sumo Logic, and Syslog

  4. On the Add Log Export Destination page:
  5. Click Save and your configuration will be queued for global deployment

Log Export Transport Encryption

The Log Export system transmits data over TLS on TCP.

  • The log receiver on the customer's side must accept TCP connections on the specified port
  • The log receiver must terminate TLS for that traffic
  • A certificate (self-signed or CA-issued) must be installed on the receiver (syslog destination)

Examples

Example Configuration: Splunk

Customization may be required based on your security policy and SSL certificate requirements.

<splunk_install_folder>/etc/system/local/inputs.conf
[tcp-ssl:6514]
[tcp-ssl:6515]

[SSL]
sslPassword = <snip>
requireClientCert = false
#sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
#index = silverline_log_export


 

Example Configuration: Logstash

Customization may be required based on your security policy and SSL certificate requirements.

input {
  tcp {
    type => syslog
    port => 6514
    ssl_enable => true
    # One-way TLS: the Silverline sender presents no client certificate, so do not require one
    ssl_verify => false
    ssl_cert => "/etc/logstash/rsth.crt"
    ssl_key => "/etc/logstash/rsth.key"
    tags => [ "syslog-over-tls", "to_redis" ]
  }
}

Any log receiver that supports syslog messages over TLS+TCP is supported; however, this is one-way TLS: the Silverline Log Export service does not send a client certificate to the receiver, so the receiver must not require one.

 

Other Collector/SIEM

If your collector/SIEM can receive and parse logs in any of the formats in which our logs are exported, you should be able to collect them. The available export formats are:

  • Syslog RFC 3164 (BSD syslog)
  • Syslog RFC 5424 (enhanced syslog)
  • Comma-separated key values

Common Issues

  • Configuring syslog as a source type, instead of as a format, results in unreadable logs
  • Configuring a plain TCP input without encryption results in unreadable logs (the sender always uses TLS)
  • Configuring the receiver without an SSL certificate: a self-signed or any SSL certificate must be used on the receiver (syslog destination)
  • Verify the port configuration in inputs.conf, as both [tcp-ssl:6515] and [tcp:6515] show up as tcp-raw in the Splunk GUI.
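As an added example (not F5's code and not part of the original article), the following Python check classifies lines a receiver has stored into the three export formats listed above and flags the TLS-on-a-plaintext-port mistake from the Common Issues list. The sample lines, the `key=value` layout of the comma-separated format and the hostnames are constructed assumptions, not Silverline's actual output.

```python
import re

# Regexes for the two syslog framings the article lists.  Field names follow the
# RFCs; the sample lines used in tests are constructed for this example and do
# not reproduce Silverline's real field set.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def split_pri(pri):
    """PRI = facility * 8 + severity; values above 191 are invalid in both RFCs."""
    pri = int(pri)
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def looks_like_tls_record(data):
    """True if the bytes start like a TLS handshake record (type 0x16, major 0x03).
    Seeing this on a plaintext TCP input is the 'unreadable logs' symptom above:
    the sender is speaking TLS and the receiver is not."""
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03


def parse(line):
    """Classify one exported line as rfc5424, rfc3164 or kv and return its fields.
    Raises ValueError for anything else so bad input is noticed, not silently indexed."""
    line = line.rstrip("\r\n")
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            facility, severity = split_pri(fields.pop("pri"))
            return {"format": fmt, "facility": facility, "severity": severity,
                    "fields": fields}
    # Comma-separated key=value (assumed layout): reject unless every field has a key
    parts = [p.strip() for p in line.split(",")]
    if all("=" in p for p in parts):
        return {"format": "kv", "fields": dict(p.split("=", 1) for p in parts)}
    raise ValueError(f"unrecognised log format: {line[:40]!r}")
```

Run `parse()` over a few lines your collector actually stored; if it raises on every line, check `looks_like_tls_record()` on the raw bytes before suspecting the format setting.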


Testing

Once deployment is complete, a Configuration box is displayed at the top of the Log Export page. From there you can generate a test message to verify your configuration.

If you require additional assistance with your Log Export configuration, please open a ticket with the F5 Silverline Security Operations Center by sending an email containing your request to support@f5silverline.com.
