F5BigLogProfile

Overview

The F5BigLogProfile Custom Resource (CR) specifies the traffic processing events that the Traffic Management Microkernel (TMM) should capture and send to one or more remote logging servers. The F5BigLogProfile specifically handles events that occur when TMM is processing traffic with any of the Protection or NAT CNF CRs. The F5BigLogHslpub CR specifies the remote logging destination IP address and service port, and the logging format. The F5BigLogHslpub CR should be configured and installed first, and then referenced in the F5BigLogProfile CR configuration.

This document guides you through understanding, configuring and installing a simple F5BigLogHslpub and F5BigLogProfile CR.

CR parameters

F5BigLogHslpub

The table below describes the CR spec parameters. Configure and install the F5BigLogHslpub CR prior to installing the F5BigLogProfile CR.

Parameter Description
loadBalancingMethod Defines the load balancing mode used to distribute traffic across multiple pool members: ROUND_ROBIN (default), or RATIO_LEAST_CONN_MEMBER
pool.name A user defined name for the HSL logging pool.
pool.endpoint Specifies a list of one or more IP addresses and service ports for the logging endpoints.
syslog.name A user defined name for the syslog configuration.
syslog.format Specifies the logging format: rfc5424 (default), rfc3164, or legacy-bigip.
syslog.protocol Specifies the protocol to use when connecting to the logging endpoint: udp (default) or tcp.
syslog.distribution Specifies the distribution method used to send messages to pool members: adaptive (default), where connections to pool members are added as required to provide enough logging bandwidth, which can have the undesirable effect of logs accumulating on only one pool member when it provides sufficient logging bandwidth on its own; balanced, which sends each successive log to a new pool member, balancing the logs among them according to the pool's load balancing method; or replicate, which replicates each log to all pool members, for redundancy.
syslog.pool Specifies a pool of logging endpoints using the spec.pool.name value.

F5BigLogProfile

The table below describes only the parameters used in this document. For the full list of CR parameters, refer to the F5BigLogProfile Reference.

nat

Parameter Description
enabled Enables firewall NAT events: true or false (default).
outbound.start.mode Enables event log entries at the start of the translation event for a NAT client: disabled (default), enabled, or backup.
outbound.start.includeDestAddrPort Include the destination IP address and port in the log message: true (default) or false.
outbound.end.mode Enables event log entries at the end of the translation event for a NAT client: disabled (default), enabled, or backup.
outbound.end.includeDestAddrPort Include the destination IP address and port in the log message: true (default) or false.
inbound.start.mode Enables log entries at the start of the incoming connection event for a translated endpoint: disabled (default), enabled, or backup.
errors.mode Enables event log entries when NAT translation errors occur: disabled (default), enabled, or backup.
publisher Specifies the name of the log publisher used for logging Network Address Translation events.

firewall

Parameter Description
enabled Enables logging of firewall event messages: true or false (default).
trafficStats.activeFlows Enables logging the number of active flows on client side: true or false.
trafficStats.reapedFlows Enables logging the number of reaped flows on client side: true or false (default).
trafficStats.missedFlows Enables logging the number of TCP packets (non SYN/ACK) that were dropped because the flow table lookup failed: true or false (default).
trafficStats.publisher Specifies the name of the log publisher to be used for trafficStats log messages.
network.events.aclMatchAccept Enables logging the packets that match ACL rules when the F5BigFwPolicy action parameter is set to accept: true or false (default).
network.events.aclMatchDrop Enables logging the packets that match ACL rules when the F5BigFwPolicy action parameter is set to drop: true or false (default).
network.events.aclMatchReject Enables logging the packets that match ACL rules when the F5BigFwPolicy action parameter is set to reject: true or false (default).
network.events.translationFields Enables logging the translated server side fields including the Source Address/Port, Destination Address/Port, IP Protocol, and Vlan: true or false (default).
network.publisher Specifies the name of the log publisher to be used for network log messages.

CR Examples

F5BigLogHslpub

apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
    - name: "pool1"
      endpoint:
       - "10.10.10.100:514"
  syslog:
  - name: "syslog1"
    protocol: "tcp"
    distribution: "adaptive"
    pool: "pool1"

F5BigLogProfile

apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  firewall:
    enabled: true
    trafficStats:
      publisher: "cnf-hsl-pub"
      reapedFlows: true
      missedFlows: true
      activeFlows: true
    network:
      publisher: "cnf-hsl-pub"
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        tcpEvents: true
        aclToBoxDeny: true
        translationFields: true

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigLogProfile and F5BigLogHslpub CR shortNames are logprof and hslpub respectively.

View CR instance:

oc get logprof -n <namespace>
oc get hslpub -n <namespace>

View CR configuration:

oc get logprof -n <namespace> -o yaml
oc get hslpub -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

The F5BigLogHslpub defines the remote logging endpoints that receive logging data, and the F5BigLogProfile defines the types of events to capture and send. Use the following steps to configure and install both of the logging CRs.

  1. Install the F5BigLogHslpub CR:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
        - name: "pool1"
          endpoint:
           - "10.10.10.100:514"
           - "10.10.10.101:514"
      syslog:
      - name: "syslog1"
        format: "rfc5424"
        protocol: "tcp"
        distribution: "adaptive"
        pool: "pool1"
    
  2. Install the F5BigLogProfile CR:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      nat:
        enabled: true
        logSubscriberID: true
        publisher: "cnf-hsl-pub"
        inbound:
          start:
            mode: "enabled"
          end:
            mode: "enabled"
        quotaExceeded:
          mode: "enabled"
        errors:
          mode: "enabled"
      firewall:
        enabled: true
        trafficStats:
          publisher: "cnf-hsl-pub"
          reapedFlows: true
          missedFlows: true
          activeFlows: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            aclToBoxDeny: true
            translationFields: true
    
  3. Continue to the Next step section to begin using the F5BigLogProfile.
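
The check below is an added example, not F5 code: it audits the two CRs from the steps above for publisher and pool references that do not resolve, and for drop/reject events left at their default of false. The manifests are constructed dicts mirroring the page's YAML, and resolving a publisher by name within the profile's namespace is an assumption.

```python
# Constructed sample data mirroring the page's two CRs, as Python dicts
# (the shape of items returned by `oc get hslpub,logprof -o json`).
HSLPUB = {
    "metadata": {"name": "cnf-hsl-pub", "namespace": "cnf-gateway"},
    "spec": {
        "pool": [{"name": "pool1", "endpoint": ["10.10.10.100:514", "10.10.10.101:514"]}],
        "syslog": [{"name": "syslog1", "protocol": "tcp", "pool": "pool1"}],
    },
}
PROFILE = {
    "metadata": {"name": "cnf-log-profile", "namespace": "cnf-gateway"},
    "spec": {
        "nat": {"enabled": True, "publisher": "cnf-hsl-pub"},
        "firewall": {
            "enabled": True,
            "trafficStats": {"publisher": "cnf-hsl-pub", "activeFlows": True},
            "network": {"publisher": "cnf-hsl-pub",
                        "events": {"aclMatchAccept": True, "aclMatchDrop": True}},
        },
    },
}


def audit(profile, hslpubs):
    """Return findings for one F5BigLogProfile checked against installed F5BigLogHslpub CRs."""
    findings = []
    ns = profile["metadata"]["namespace"]
    # Assumption: a publisher is resolved by metadata.name within the profile's namespace.
    pubs = {h["metadata"]["name"]: h for h in hslpubs if h["metadata"]["namespace"] == ns}
    spec = profile.get("spec", {})
    nat, fw = spec.get("nat", {}), spec.get("firewall", {})
    refs = [("nat", nat.get("enabled"), nat.get("publisher")),
            ("firewall.trafficStats", fw.get("enabled"), fw.get("trafficStats", {}).get("publisher")),
            ("firewall.network", fw.get("enabled"), fw.get("network", {}).get("publisher"))]
    for path, enabled, pub in refs:
        if enabled and pub not in pubs:
            findings.append(f"{path}.publisher {pub!r} is not an installed F5BigLogHslpub in {ns}")
    for name, hsl in pubs.items():
        pools = {p["name"] for p in hsl["spec"].get("pool", [])}
        for s in hsl["spec"].get("syslog", []):
            if s.get("pool") not in pools:
                findings.append(f"{name}: syslog {s['name']!r} references unknown pool {s.get('pool')!r}")
    # Event flags default to false per the parameter table, so unset means "not logged".
    events = fw.get("network", {}).get("events", {})
    for flag in ("aclMatchDrop", "aclMatchReject"):
        if fw.get("enabled") and not events.get(flag, False):
            findings.append(f"firewall.network.events.{flag} is off: matching packets are not logged")
    return findings
```

Run against the page's example, `audit(PROFILE, [HSLPUB])` reports only that aclMatchReject is unset, so packets matching a reject rule would not reach the logging endpoints.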

Next step

Select and install one of the Traffic Management CNF CRs to begin processing application traffic:

  • F5BigContextSecure - Full proxy TCP and UDP application layer gateway services.
  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
  • F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
  • F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
  • F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.
