Exporting data from AVR

This section shows how you can export data from the Application Visibility and Reporting (AVR) module to Telemetry Streaming. To see more information on AVR, see the BIG-IP Analytics Implementations guide.

Note

The configuration on this page was modified to use an existing Telemetry Streaming Log Publisher as opposed to a static IP address. There is also a new, optional section for TS and AVR in a fanout configuration. This documentation change was made in Telemetry Streaming 1.16, but the configuration can be used with any TS version.

The prerequisites for using TS with AVR include:

  • The AVR module must be provisioned
  • You must have an Event Listener, including an existing Log Publisher (see Event Listener class for instructions)
  • The Analytics profile for HTTP or TCP should be configured and assigned to the virtual server

Important

It is currently not possible to configure AVR to publish data to both Telemetry Streaming and BIG-IQ concurrently. Additionally, if a BIG-IP is managed by a BIG-IQ, and has Statistics Collection enabled, the entire AVR configuration of the BIG-IP will be overwritten to publish only to the BIG-IQ.


Modifying AVR configuration to use the Log Publisher

To use AVR with Telemetry Streaming, you must modify the AVR logging configuration to point to the existing Log Publisher. If you do not have an existing log publisher, see Configuring Logging Sources for guidance on creating one.

Use the following TMSH command, but be sure to change telemetry_publisher to the name of your Log Publisher if your publisher has a different name.

modify analytics global-settings { external-logging-publisher /Common/Shared/telemetry_publisher offbox-protocol hsl use-offbox enabled }

Example output of AVR basic data:

{
    "hostname": "telemetry-bigip-14-0.localhost",
    "errdefs_msgno": "22282286",
    "Entity": "SystemMonitor",
    "AggrInterval": "30",
    "EOCTimestamp": "1555572150",
    "HitCount": "1",
    "SlotId": "0",
    "CpuHealth": "54",
    "AvgCpu": "5487",
    "AvgCpuDataPlane": "0",
    "AvgCpuControlPlane": "0",
    "AvgCpuAnalysisPlane": "0",
    "MaxCpu": "5487",
    "MemoryHealth": "53",
    "AvgMemory": "5343",
    "ThroughputHealth": "0",
    "TotalBytes": "0",
    "AvgThroughput": "0",
    "ConcurrentConnectionsHealth": "0",
    "AvgConcurrentConnections": "0",
    "MaxConcurrentConnections": "0",
    "telemetryEventCategory": "AVR"
}

Optional: Configuring AVR and Telemetry Streaming in a fanout scenario

If you want to configure AVR and Telemetry Streaming in a fanout configuration (where AVR can send to multiple destinations using the TS Log Publisher), you can add new Log Destinations to the existing Log Publisher. For more information, see Configuring Remote High Speed Logging in the AVR documentation. This includes configuration instructions using the BIG-IP Configuration utility. Note the Log Destination type must be Remote High-Speed Log. The TS Event Listener page shows how to configure Log Destinations with AS3 and TMSH.

If you need to add a Log Destination to an existing AS3 declaration (see Configure Logging Using AS3), you can simply add the new destination to the Destination array of the existing Log Publisher (named telemetry_publisher in our example) in that AS3 declaration.


Collecting data

Use the following sections for instructions on collecting specific types of data.

Collect HTTP data

Use the following guidance to collect HTTP data.

  1. Create an HTTP Analytics Profile using the TMSH command line. (You could alternatively configure this using the UI: Local Traffic > Profiles > Analytics > HTTP analytics; the rest of the examples on this page only show TMSH commands.)

    create ltm profile analytics telemetry-http-analytics { collect-geo enabled collect-http-timing-metrics enabled collect-ip enabled collect-max-tps-and-throughput enabled collect-methods enabled collect-page-load-time enabled collect-response-codes enabled collect-subnets enabled collect-url enabled collect-user-agent enabled collect-user-sessions enabled publish-irule-statistics enabled }
    
  2. Assign the analytics profile to a virtual server.

    modify ltm virtual <VIRTUAL_SERVER_NAME> profiles add { telemetry-http-analytics { context all } }
    

Example AVR output for HTTP Analytics profile:

{
    "hostname": "telemetry-bigip-14-0.localhost",
    "errdefs_msgno": "22282286",
    "Entity": "SystemMonitor",
    "AggrInterval": "30",
    "EOCTimestamp": "1555572150",
    "HitCount": "1",
    "SlotId": "0",
    "CpuHealth": "54",
    "AvgCpu": "5487",
    "AvgCpuDataPlane": "0",
    "AvgCpuControlPlane": "0",
    "AvgCpuAnalysisPlane": "0",
    "MaxCpu": "5487",
    "MemoryHealth": "53",
    "AvgMemory": "5343",
    "ThroughputHealth": "0",
    "TotalBytes": "0",
    "AvgThroughput": "0",
    "ConcurrentConnectionsHealth": "0",
    "AvgConcurrentConnections": "0",
    "MaxConcurrentConnections": "0",
    "telemetryEventCategory": "AVR"
}

Collect TCP data

  1. Create a TCP analytics profile. For example, using the TMSH command line:

    create ltm profile tcp-analytics telemetry-tcp-analytics { collect-city enabled collect-continent enabled collect-country enabled collect-nexthop enabled collect-post-code enabled collect-region enabled collect-remote-host-ip enabled collect-remote-host-subnet enabled collected-by-server-side enabled }
    
  2. Assign the analytics profile to a virtual server. For example, using the TMSH command line:

    modify ltm virtual <VIRTUAL_SERVER_NAME> profiles add { telemetry-tcp-analytics { context all } }
    

Example AVR output for TCP Analytics:

{  
    "hostname":"hostname.hostname",
    "SlotId":"0",
    "errdefs_msgno":"22323211",
    "STAT_SRC":"TMSTAT",
    "Entity":"TcpStat",
    "EOCTimestamp":"1556589630",
    "AggrInterval":"30",
    "HitCount":"3",
    "tcp_prof":"/Common/tcp",
    "vip":"/Common/VIRTUAL_SERVER_NAME",
    "globalBigiqConf":"N/A",
    "ObjectTagsList":"N/A",
    "active_conns":"0",
    "max_active_conns":"0",
    "accepts":"0",
    "accept_fails":"0",
    "new_conns":"0",
    "failed_conns":"0",
    "expired_conns":"0",
    "abandoned_conns":"0",
    "rxrst":"0",
    "rxbadsum":"0",
    "rxbadseg":"0",
    "rxooseg":"0",
    "rxcookie":"0",
    "rxbad_cookie":"0",
    "hw_cookie_valid":"0",
    "syncacheover":"0",
    "txrexmits":"0",
    "sndpack":"0",
    "tenant":"Common",
    "application":"",
    "telemetryEventCategory":"AVR"
}

Collect DNS data

  1. Create a DNS analytics profile. For example, using the TMSH command line:

    create ltm profile dns telemetry-dns { avr-dnsstat-sample-rate 1 }
    
  2. Assign the analytics profile to a GTM listener. For example, using the TMSH command line:

    modify gtm listener <GTM_LISTENER_NAME> { profiles replace-all-with { telemetry-dns { } } }
    

Example AVR output for DNS analytics profile:

{  
    "hostname":"hostname.hostname",
    "SlotId":"0",
    "errdefs_msgno":"22282300",
    "Entity":"DNS_Offbox_All",
    "ObjectTagsList":"N/A",
    "AggrInterval":"30",
    "EOCTimestamp":"1556578980",
    "HitCount":"4",
    "ApplicationName":"<Unassigned>",
    "VSName":"/Common/GTM_LISTENER_NAME",
    "DosProfileName":"<no-profile>",
    "AttackId":"0",
    "QueryType":"A",
    "QueryName":"example.com",
    "SourceIP":"X.X.X.X",
    "SourceIpRouteDomain":"0",
    "CountryCode":"N/A",
    "TransactionOutcome":"Valid",
    "AttackVectorName":"Not attacked",
    "AttackTriggerName":"Not attacked",
    "AttackMitigationName":"Not attacked",
    "IsInternalActivity":"0",
    "IsAttackingIp":"0",
    "telemetryEventCategory":"AVR"
}

Collect ASM data

  1. Create an ASM policy and assign it to a virtual server. For instructions on creating an ASM policy, see BIG-IP ASM: Creating a Simple Security Policy.

Example AVR output for ASM:

{  
    "hostname":"hostname.hostname",
    "globalBigiqConf":"N/A",
    "ObjectTagsList":"N/A",
    "SlotId":"0",
    "errdefs_msgno":"22282308",
    "Entity":"HTTP_ASM_STATS_ALL_APPIQ",
    "AggrInterval":"30",
    "EOCTimestamp":"1556591280",
    "HitCount":"1",
    "ApplicationName":"<Unassigned>",
    "VSName":"/Common/VIRTUAL_SERVER_NAME",
    "Policy":"/Common/ASM_POLICY_NAME",
    "Action":"Legal",
    "Severity":"Informational",
    "ViolationRating":"2",
    "NetworkProtocol":"HTTP",
    "ClientIP":"N/A",
    "ClientIPRouteDomain":"0",
    "DeviceId":"0",
    "IPReputation":"N/A",
    "GeoCountry":"N/A",
    "UserName":"N/A",
    "SessionID":"18004967043998892602",
    "URL":"N/A",
    "ResponseCode":"200",
    "Method":"GET",
    "IsMobileDevice":"0",
    "DosMobileAppClientType":"Uncategorized",
    "DosMobileAppVersion":"N/A",
    "DosMobileAppDisplayName":"N/A",
    "telemetryEventCategory":"AVR"
}

Collect AFM data

  1. Create an AFM DoS policy and assign it to a virtual server. For instructions on creating an AFM DoS policy, see BIG-IP AFM: Detecting and Preventing DNS DoS Attacks on a Virtual Server.

Example AVR output for AFM:

{  
    "hostname":"hostname.hostname",
    "SlotId":"0",
    "errdefs_msgno":"22323241",
    "STAT_SRC":"TMSTAT",
    "Entity":"AfmDosStat",
    "EOCTimestamp":"1556592720",
    "AggrInterval":"30",
    "HitCount":"3",
    "VSName":"Device",
    "AttackVectorName":"Unknown TCP option type",
    "DosProfileName":"/Common/AFM_DOS_PROFILE_NAME",
    "AttackType":"Device",
    "globalBigiqConf":"N/A",
    "AttackCount":"0",
    "TotalEvents":"0",
    "SoftwareDrops":"0",
    "HardwareDrops":"0",
    "BadActorEvents":"0",
    "BadActorDrops":"0",
    "WLEvents":"0",
    "AvgDetection":"0",
    "MinMitigation":"0",
    "MaxMitigation":"4294967295",
    "AvgBadActorDetection":"0",
    "MinBadActorMitigation":"0",
    "MaxBadActorMitigation":"4294967295",
    "telemetryEventCategory":"AVR"
}
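As an added example (not part of the Telemetry Streaming documentation or the BIG-IP product code), the following Python consumes AVR records in the shapes shown in the DNS, ASM and AFM sections above and returns the ones a monitoring team would want surfaced: DNS records with an attack vector or an attacking source, ASM records whose Action is not Legal, and AFM DoS records with an attack count or drops. The sample lines, the "DNS ANY Query" vector name, the "Blocked" action value, and the treatment of a MaxMitigation of 4294967295 as "no figure recorded" are constructed assumptions, not values taken from this page.

```python
import json
# Constructed sample lines (not from a BIG-IP), shaped like this page's records; all values are strings.
SAMPLE_LINES = [
    json.dumps({"Entity": "SystemMonitor", "CpuHealth": "54", "telemetryEventCategory": "AVR"}),
    json.dumps({"Entity": "DNS_Offbox_All", "SourceIP": "192.0.2.10", "QueryName": "example.com",
                "AttackVectorName": "DNS ANY Query", "IsAttackingIp": "1",
                "telemetryEventCategory": "AVR"}),
    json.dumps({"Entity": "HTTP_ASM_STATS_ALL_APPIQ", "Action": "Blocked", "URL": "/login",
                "ViolationRating": "4", "telemetryEventCategory": "AVR"}),
    json.dumps({"Entity": "AfmDosStat", "AttackVectorName": "Unknown TCP option type",
                "AttackCount": "1", "SoftwareDrops": "120", "HardwareDrops": "0",
                "MaxMitigation": "4294967295", "telemetryEventCategory": "AVR"}),
    "not json at all",  # a malformed line must not abort the consumer
]

def to_int(record, key, default=0):
    try:  # AVR counters arrive as strings ("120"), so convert defensively
        return int(record.get(key, default))
    except (TypeError, ValueError):
        return default

def classify(record):
    """Return (Entity, reason) for one AVR record; reason is None when there is nothing to flag."""
    if record.get("telemetryEventCategory") != "AVR":
        return None, None  # other event categories share the same stream; ignore them here
    entity = record.get("Entity", "")
    if entity == "DNS_Offbox_All":
        if record.get("IsAttackingIp") == "1" or record.get("AttackVectorName") not in ("Not attacked", None):
            return entity, f"DNS attack vector {record.get('AttackVectorName')} from {record.get('SourceIP')}"
    elif entity == "HTTP_ASM_STATS_ALL_APPIQ":
        if record.get("Action") != "Legal":  # "Legal" is the only Action value shown on this page
            return entity, f"ASM action {record.get('Action')} on {record.get('URL')} (rating {record.get('ViolationRating')})"
    elif entity == "AfmDosStat":
        drops = to_int(record, "SoftwareDrops") + to_int(record, "HardwareDrops")
        if to_int(record, "AttackCount") > 0 or drops > 0:
            # Assumption: MaxMitigation of 4294967295 (2^32 - 1) means no mitigation figure was recorded
            shown = "n/a" if to_int(record, "MaxMitigation") == 4294967295 else record.get("MaxMitigation")
            return entity, f"AFM DoS vector {record.get('AttackVectorName')}: {drops} drops, max mitigation {shown}"
    return entity, None

def parse(line):
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None  # skip malformed lines rather than abort the consumer

def process(lines):
    # newline-delimited JSON in, list of (Entity, reason) out; records without a reason are dropped
    results = (classify(r) for r in map(parse, lines) if isinstance(r, dict))
    return [(entity, reason) for entity, reason in results if reason]
```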