F5BigLogProfile
Overview
The F5BigLogProfile Custom Resource (CR) specifies the traffic processing events that the Traffic Management Microkernel (TMM) should capture and send to one or more remote logging servers. The F5BigLogProfile specifically handles events that occur when TMM is processing traffic with any of the Protection or NAT CNF CRs. The F5BigLogHslpub CR specifies the remote logging destination IP address and service port, and the logging format. The F5BigLogHslpub CR should be configured and installed first, and then referenced in the F5BigLogProfile CR configuration.
This document guides you through understanding, configuring and installing a simple F5BigLogHslpub and F5BigLogProfile CR.
CR parameters
F5BigLogHslpub
The table below describes the CR spec parameters. Configure and install the F5BigLogHslpub CR prior to installing the F5BigLogProfile CR.
Parameter | Description |
---|---|
loadBalancingMethod | Defines the load balancing mode used to distribute traffic across multiple pool members: ROUND_ROBIN (default) or RATIO_LEAST_CONN_MEMBER. |
pool.name | A user defined name for the HSL logging pool. |
pool.endpoint | Specifies a list of one or more IP addresses and service ports for the logging endpoints. |
syslog.name | A user defined name for the syslog configuration. |
syslog.format | Specifies the logging format: rfc5424 (default), rfc3164, or legacy-bigip. |
syslog.protocol | Specifies the protocol to use when connecting to the logging endpoint: udp (default) or tcp. |
syslog.distribution | Specifies the distribution method used to send messages to pool members: adaptive (default) - connections to pool members are added as required to provide enough logging bandwidth. This can have an undesirable effect of logs accumulating on only one pool member when it provides sufficient logging bandwidth on its own. balanced - sends each successive log to a new pool member, balancing the logs among them according to the pool's load balancing method. replicate - replicates each log to all pool members, for redundancy. |
syslog.pool | Specifies a pool of logging endpoints using the spec.pool.name value. |
F5BigLogProfile
The table below describes only the parameters used in this document. For the full list of CR parameters, refer to the F5BigLogProfile Reference.
nat
Parameter | Description |
---|---|
enabled | Enables firewall NAT events: true or false (default). |
publisher | Specifies the name of the log publisher used for logging Network Address Translation events. |
outbound.start.mode | Enables event log entries at the start of the translation event for a NAT client: disabled (default), enabled, or backup. |
outbound.start.includeDestAddrPort | Include the destination IP address and port in the log message: true (default) or false. |
outbound.end.mode | Enables event log entries at the end of the translation event for a NAT client: disabled (default), enabled, or backup. |
outbound.end.includeDestAddrPort | Include the destination IP address and port in the log message: true (default) or false. |
inbound.start.mode | Enables log entries at the start of the incoming connection event for a translated endpoint: disabled (default), enabled, or backup. |
errors.mode | Enables event log entries when NAT translation errors occur: disabled (default), enabled, or backup. |
firewall
Parameter | Description |
---|---|
enabled | Enables logging of firewall event messages: true or false (default). |
trafficStats.activeFlows | Enables logging the number of active flows on the client side: true or false. |
trafficStats.reapedFlows | Enables logging the number of reaped flows on the client side: true or false (default). |
trafficStats.missedFlows | Enables logging the number of TCP packets (non SYN/ACK) that were dropped because the flow table lookup failed: true or false (default). |
trafficStats.publisher | Specifies the name of the log publisher to be used for trafficStats log messages. |
network.events.aclMatchAccept | Enables logging the packets that match ACL rules configured when the F5BigFwPolicy action parameter is set to accept: true or false (default). |
network.events.aclMatchDrop | Enables logging the packets that match when the F5BigFwPolicy action parameter is set to drop: true or false (default). |
network.events.aclMatchReject | Enables logging the packets that match when the F5BigFwPolicy action parameter is set to reject: true or false (default). |
network.events.translationFields | Enables logging the translated server side fields including the Source Address/Port, Destination Address/Port, IP Protocol, and Vlan: true or false (default). |
network.publisher | Specifies the name of the log publisher to be used for network log messages. |
CR Examples
F5BigLogHslpub
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
    - name: "pool1"
      endpoint:
        - "10.10.10.100:514"
  syslog:
    - name: "syslog1"
      protocol: "tcp"
      distribution: "adaptive"
      pool: "pool1"
```
F5BigLogProfile
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  firewall:
    enabled: true
    trafficStats:
      publisher: "cnf-hsl-pub"
      reapedFlows: true
      missedFlows: true
      activeFlows: true
    network:
      publisher: "cnf-hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        tcpEvents: true
        aclToBoxDeny: true
        translationFields: true
```
F5BigLogProfile: Example of user-defined field list
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  firewall:
    enabled: true
    network:
      publisher: "cnf-hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        aclMatchReject: true
        translationFields: true
      format:
        type: user-defined
        userDefinedFieldList: "DateTime:${date_time},Host:${bigip_hostname},MgmtIP:${management_ip_address},FwPolicy:${acl_policy_name},SrcIP:${src_ip},SrcPort:${src_port},DstIP:${dest_ip},DstPort:${dest_port},TrSrcIP:${translated_src_ip},TrDstIP:${translated_dest_ip},TrSrcPort:${translated_src_port},TrDstPort:${translated_dest_port},Protocol:${protocol},Action:${action},Context:${context_name}"
```
F5BigLogProfile: Example of field-list
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  firewall:
    enabled: true
    network:
      publisher: "cnf-hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        aclMatchReject: true
        translationFields: true
      format:
        type: field-list
        networkFieldList:
          delimiter: ";"
          items:
            - "date_time"
            - "bigip_hostname"
            - "management_ip_address"
            - "acl_policy_name"
            - "src_ip"
            - "src_port"
            - "dest_ip"
            - "dest_port"
            - "translated_src_ip"
            - "translated_dest_ip"
            - "translated_src_port"
            - "translated_dest_port"
            - "protocol"
            - "action"
            - "context_name"
```
CR shortName
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigLogProfile and F5BigLogHslpub CR shortNames are logprof and hslpub respectively.
View CR instance:
```bash
oc get logprof -n <namespace>
oc get hslpub -n <namespace>
```
View CR configuration:
```bash
oc get logprof -n <namespace> -o yaml
oc get hslpub -n <namespace> -o yaml
```
Installation
The F5BigLogHslpub defines the remote logging endpoints that receive logging data, and the F5BigLogProfile defines the types of events to capture and send. Use the following steps to configure and install both of the logging CRs.
Install the F5BigLogHslpub CR:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
    - name: "pool1"
      endpoint:
        - "10.10.10.100:514"
        - "10.10.10.101:514"
  syslog:
    - name: "syslog1"
      format: "rfc5424"
      protocol: "tcp"
      distribution: "adaptive"
      pool: "pool1"
```
Install the F5BigLogProfile CR:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  nat:
    enabled: true
    logSubscriberID: true
    publisher: "cnf-hsl-pub"
    inbound:
      start:
        mode: "enabled"
      end:
        mode: "enabled"
    quotaExceeded:
      mode: "enabled"
    errors:
      mode: "enabled"
  firewall:
    enabled: true
    trafficStats:
      publisher: "cnf-hsl-pub"
      reapedFlows: true
      missedFlows: true
      activeFlows: true
    network:
      publisher: "cnf-hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        tcpEvents: true
        aclToBoxDeny: true
        translationFields: true
```
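A pre-install consistency check for the two CRs above, added here as an example and not part of F5's tooling: it confirms that every `publisher` in the F5BigLogProfile names an F5BigLogHslpub, that each `syslog.pool` names a defined pool, and that each endpoint is a valid IP:port. The function names are hypothetical, the manifests are constructed dicts shaped like parsed YAML, and matching publishers within the same namespace is an assumption.

```python
import ipaddress

# Constructed manifests, shaped like the parsed YAML of the CRs on this page.
HSLPUB = {
    "metadata": {"name": "cnf-hsl-pub", "namespace": "cnf-gateway"},
    "spec": {"pool": [{"name": "pool1", "endpoint": ["10.10.10.100:514", "10.10.10.101:514"]}],
             "syslog": [{"name": "syslog1", "protocol": "tcp", "pool": "pool1"}]},
}
PROFILE = {
    "metadata": {"name": "cnf-log-profile", "namespace": "cnf-gateway"},
    "spec": {"nat": {"enabled": True, "publisher": "cnf-hsl-pub"},
             "firewall": {"enabled": True,
                          "trafficStats": {"publisher": "cnf-hsl-pub"},
                          "network": {"publisher": "cnf-hsl-pub"}}},
}

def publishers(node, path="spec"):
    """Yield (path, value) for every 'publisher' key nested under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "publisher":
                yield f"{path}.{key}", val
            else:
                yield from publishers(val, f"{path}.{key}")

def check_logging_crs(hslpubs, profile):
    """Return a list of problems that would leave log events with no destination."""
    problems = []
    for pub in hslpubs:
        pools = {p["name"] for p in pub["spec"].get("pool", [])}
        for pool in pub["spec"].get("pool", []):
            for ep in pool.get("endpoint", []):
                host, _, port = ep.rpartition(":")
                try:
                    ipaddress.ip_address(host)
                    if not 0 < int(port) < 65536:
                        raise ValueError(port)
                except ValueError:
                    problems.append(f"{pool['name']}: bad endpoint {ep!r}")
        for s in pub["spec"].get("syslog", []):
            if s.get("pool") not in pools:
                problems.append(f"{s['name']}: unknown pool {s.get('pool')!r}")
    # Assumption: a publisher is resolved by name within the profile's namespace.
    known = {(p["metadata"]["namespace"], p["metadata"]["name"]) for p in hslpubs}
    ns = profile["metadata"]["namespace"]
    for path, name in publishers(profile["spec"]):
        if (ns, name) not in known:
            problems.append(f"{path}: publisher {name!r} not found in namespace {ns!r}")
    return problems
```

An empty list from `check_logging_crs([HSLPUB], PROFILE)` means every enabled event type has a resolvable logging destination.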
Continue to the Next step section to begin using the F5BigLogProfile.
Next step
Select and install one of the Traffic Management CNF CRs to begin processing application traffic:
- F5BigContextSecure - Full proxy TCP and UDP application layer gateway services.
- F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
- F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
- F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
- F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.