bigip_security_log_profile – Manage security log profiles on a BIG-IP
New in version 1.13.0.
Parameters

Each entry below gives the parameter name and its type, followed by the comments from the module documentation; indented entries are sub-options of the dictionary above them.

application_security (dictionary)
    Configures the system to log traffic to the web application.

    config (dictionary)
        This section specifies the settings determining where to log traffic and which traffic to log.
        facility (string)
            Specifies the facility category of the logged traffic.
        guarantee_logging (string)
            Specifies, when set to enabled, that the system logs all requests, even though this may slow your web application. When set to disabled, the system logs requests as long as doing so does not slow your web application.
        guarantee_response_logging (string)
            Specifies, when set to enabled, that the system logs all responses, even though this may slow your web application. When set to disabled, the system logs responses as long as doing so does not slow your web application.
        local_storage (string)
            Specifies that the system stores all traffic in the system.
        max_entry_length (string)
            Specifies how much of the entry length the server logs.
        protocol (string)
            Specifies which protocol the remote server supports.
        remote_storage (string)
            Specifies that the system stores all traffic on a remote logging server.
        report_anomalies (string)
            Specifies, when set to enabled, that the system sends a report string to the remote system when a brute force attack starts and ends.
        report_challenge_failure (string)
            Specifies, when set to enabled, that the system sends a report string to the remote system when a challenge fails. When set to disabled, the system does not send a report string to the remote system log when a challenge fails.
        response_logging (string)
            Specifies whether the system logs HTTP responses. When set to none, the system does not log HTTP responses. When set to illegal, the system logs only illegal HTTP responses. When set to all, the system logs all HTTP responses.

        servers (list of raw elements)
            Specifies the remote logging servers, each given as an ip and port.
            ip (string)
                Specifies the IP address of the remote logging server.
            port (integer)
                Specifies the port number of the remote logging server.

        storage_format (dictionary)
            Specifies the format in which the traffic items are logged.
            delimiter (string)
                Specifies the delimiter string, when type is set to predefined.
            fields (list of strings)
                Specifies the traffic items that the server logs.
            type (string)
                Specifies the format type for log messages. When set to predefined, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    storage_filter (dictionary)
        This section specifies the settings for the type of requests the system or server logs.
        http_methods (list of strings)
            Specifies that the system logs only the requests that use the HTTP methods specified.
        log_challenge_failure_requests (string)
            Specifies, when set to enabled, that the system logs requests that fail the challenge. When set to disabled, the system does not log requests that fail the challenge.
        logic_operation (string)
            Specifies whether requests must meet one or all criteria in the storage filter. When set to or, the requests must meet at least one of the criteria. When set to and, the requests must meet all of the criteria.
        login_result (list of strings)
            Specifies that the system logs only the requests that generate specific login results.
        protocols (list of strings)
            Specifies that the system logs requests using the protocols specified.
        request_type (string)
            Specifies the type of request the system logs.
        resp_status_codes (list of strings)
            Specifies that the system logs only the requests that generate specific response status codes.
        search_in (string)
            Specifies the part of the request in which the system looks for the string provided in the search_string parameter.
        search_string (string)
            Specifies the string that the system looks for in the part of the request specified in the search_in parameter.
auto_discovery (string)
    Specifies the log publisher that the system uses to log Auto Discovered Service/Server events.
    Defines the log publisher as configured on the BIG-IP.
    If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
bot_defense (dictionary)
    Configures system logging of events from the Bot Defense mechanism.
    When configuring a new profile with bot_defense, both publisher and one of the log_* options must be specified. When modifying a profile's bot_defense settings, at least one log_* option must remain set to yes on the device. If the device returns an API error during a modify operation, the user must consult the device configuration to determine whether the selected option can be set to no.
    log_alarm (boolean)
        Enable/Disable logging of requests triggering the ALARM mitigation action of the Bot Defense logging profile.
    log_block (boolean)
        Enable/Disable logging of requests triggering the Block mitigation action of the Bot Defense logging profile.
    log_browser (boolean)
        TBD
    log_browser_verification_action (boolean)
        TBD
    log_captcha (boolean)
        TBD
    log_challenge_failure_request (boolean)
        TBD
    log_device_id_collection_request (boolean)
        TBD
    log_honeypot_page (boolean)
        TBD
    log_mobile_application (boolean)
        TBD
    log_none (boolean)
        TBD
    log_rate_limit (boolean)
        TBD
    log_redirect_to_pool (boolean)
        TBD
    log_suspicious_browser (boolean)
        TBD
    log_tcp_reset (boolean)
        TBD
    log_trusted_bot (boolean)
        TBD
    log_unknown (boolean)
        TBD
    log_untrusted_bot (boolean)
        TBD
    publisher (string)
        Specifies the name of the local log publisher used for Bot Defense log messages.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    send_remote_challenge_failure_messages (boolean)
        To be determined.
classification (dictionary)
    Configures logging of events from the Classification engine.
    log_matches (boolean)
        Enable/Disable logging of all events from the Classification engine.
    publisher (string)
        Specifies the name of the log publisher used for logging of Classification engine events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
description (string)
    Specifies descriptive text that identifies the security log profile.
dns_security (dictionary)
    Configures the system to log dropped, malformed, or rejected requests for DNS Security.
    log_dns_drop (boolean)
        Enable/Disable logging of dropped DNS requests.
    log_dns_filtered_drop (boolean)
        Enable/Disable logging of DNS requests dropped due to DNS query/header-opcode filtering.
        The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
    log_dns_malformed (boolean)
        Enable/Disable logging of malformed DNS requests.
    log_dns_malicious (boolean)
        Enable/Disable logging of malicious DNS requests.
    log_dns_reject (boolean)
        Enable/Disable logging of rejected DNS requests.
    publisher (string)
        Specifies the name of the log publisher used for logging DNS security events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.

    storage_format (dictionary)
        Configures custom formatting of DNS security log messages.
        delimiter (string)
            Specifies the delimiter string, when type is set to field-list.
        fields (list of strings)
            Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
            The valid elements that can be specified in the list are: action, attack_type, context_name, date_time, dest_ip, dest_port, dns_query_name, dns_query_type, route_domain, src_ip, src_port, vlan.
        type (string)
            Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
        user_string (string)
            Specifies the user-defined string that the system uses as the format for log messages.
dos_protection (dictionary)
    Defines the log publishers used by the system to log detected DoS attacks.
    application (string)
        Defines the log publisher used for logging Application DoS attacks.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    dns (string)
        Specifies the name of the log publisher used for logging DNS DoS events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    network (string)
        Specifies the name of the log publisher used for logging Network DoS events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    sip (string)
        Specifies the name of the log publisher used for logging SIP DoS events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
name (string, required)
    Specifies the name of the security log profile to manage.
nat (dictionary)
    Configures the system to log firewall NAT events.

    end_inbound_session (dictionary)
        Configuration of log entries generated at the end of the incoming connection event for a translated endpoint.
        action (string)
            When set to enabled, sets the system to log entries for the end of the incoming connection event for a translated endpoint. When set to disabled, disables logging of the end of the incoming connection event for a translated endpoint. When set to backup-allocation-only, sets the system to generate the associated type of log entries only when the translation address for the client is chosen from the backup pool.
        storage_format (dictionary)
            Configures the custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    end_outbound_session (dictionary)
        Configuration of log entries generated at the end of the translation event for a NAT client.
        action (string)
            When set to enabled, sets the system to log entries for end of translation events for a NAT client. When set to disabled, disables logging of end of translation events for a NAT client. When set to backup-allocation-only, sets the system to generate the associated type of log entries only when the translation address for the client is chosen from the backup pool.
        include_dest_addr_port (boolean)
            Enable or disable logging of destination IP address and port information.
        storage_format (dictionary)
            Configures the custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    errors (dictionary)
        Configuration of log entries generated when NAT translation errors occur.
        action (string)
            When set to enabled, sets the system to log entries generated when NAT translation errors occur. When set to disabled, disables logging of entries generated when NAT translation errors occur.
        storage_format (dictionary)
            Configures the custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    log_subscriber_id (boolean)
        Enable or disable logging of the subscriber ID associated with a subscriber IP address.
    lsn_legacy_mode (boolean)
        Enable or disable use of the legacy CGNAT/LSN logging facility instead of the new Firewall NAT logging capability.
        When set to true, start_outbound_session, start_inbound_session, end_inbound_session, end_outbound_session, quota_exceeded and errors must not be enabled. Specifying action as either enabled or backup-allocation-only while lsn_legacy_mode is true results in API errors.
    publisher (string)
        Specifies the name of the log publisher used for logging Network Address Translation events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.

    quota_exceeded (dictionary)
        Configuration of log entries generated when a NAT client exceeds allocated resources.
        action (string)
            When set to enabled, sets the system to log entries generated when a NAT client exceeds allocated resources. When set to disabled, disables logging of events when a NAT client exceeds allocated resources.
        storage_format (dictionary)
            Configures the custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    rate_limit_aggregate_rate (string)
        Defines a rate limit for all combined NAT log messages per second. Beyond this rate limit, log messages are not logged.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_end_inbound_session (string)
        Sets a rate limit for logging of log entries at the end of the incoming connection event for a translated endpoint.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_end_outbound_session (string)
        Sets a rate limit for logging of log entries at the end of the translation event for a NAT client.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_errors (string)
        Sets a rate limit for logging of events when NAT translation errors occur.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_quota_exceeded (string)
        Sets a rate limit for logging of log entries when a NAT client exceeds allocated resources.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_start_inbound_session (string)
        Sets a rate limit for logging of log entries at the start of the incoming connection event for a translated endpoint.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_start_outbound_session (string)
        Sets a rate limit for logging of log entries at the start of the translation event for a NAT client.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.

    start_inbound_session (dictionary)
        Configuration of log entries generated at the start of the incoming connection event for a translated endpoint.
        action (string)
            When set to enabled, sets the system to log entries for the start of the incoming connection event for a translated endpoint. When set to disabled, disables logging of the start of the incoming connection event for a translated endpoint. When set to backup-allocation-only, sets the system to generate the associated type of log entries only when the translation address for the client is chosen from the backup pool.
        storage_format (dictionary)
            Configures the custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.

    start_outbound_session (dictionary)
        Configuration of log entries generated at the start of the incoming connection event for a translated endpoint.
        action (string)
            When set to enabled, sets the system to log entries for the start of the incoming connection event for a translated endpoint. When set to disabled, disables logging of the start of the incoming connection event for a translated endpoint. When set to backup-allocation-only, sets the system to generate the associated type of log entries only when the translation address for the client is chosen from the backup pool.
        include_dest_addr_port (boolean)
            Enable or disable logging of destination IP address and port information.
        storage_format (dictionary)
            Configures custom formatting of NAT event log messages.
            delimiter (string)
                Specifies the delimiter string, when type is set to field-list.
            fields (list of strings)
                Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
                The valid elements that can be specified in the list are: context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip, translated_src_port.
            type (string)
                Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
            user_string (string)
                Specifies the user-defined string that the system uses as the format for log messages.
network_security (dictionary)
    Configures the system to log network firewall events.
    log_acl_match_accept (boolean)
        Enable/Disable logging of packets that match ACL rules configured with action = Accept.
    log_acl_match_drop (boolean)
        Enable/Disable logging of packets that match ACL rules configured with action = Drop.
    log_acl_match_reject (boolean)
        Enable/Disable logging of packets that match ACL rules configured with action = Reject.
    log_acl_to_box_deny (boolean)
        Enable/Disable logging of any packet that is dropped or denied by management port firewall rules.
        This option takes effect only when management port firewall rules are configured on the device.
    log_geo_always (boolean)
        Enable/Disable logging of Geo IP Location information.
    log_ip_errors (boolean)
        Enable/Disable logging of IP errors.
    log_tcp_errors (boolean)
        Enable/Disable logging of TCP errors.
    log_tcp_events (boolean)
        Enable/Disable logging of TCP events (open and close of TCP sessions).
    log_translation_fields (boolean)
        Enable/Disable logging of translation fields in ACL and TCP events.
    log_user_always (boolean)
        Enable/Disable logging of certain subscriber information (e.g. subscriber ID and/or subscriber group) if it is available.
        This option is in effect only when the device has a provisioned and configured PEM module in addition to AFM.
    log_uuid_field (boolean)
        Enable/Disable logging of the UUID of the specific rule that triggered the log message.
    publisher (string)
        Specifies the name of the log publisher used for logging network events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    rate_limit_acl_match_accept (string)
        Sets a rate limit for all network firewall log messages with the ACL match accept action.
        If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_acl_match_drop (string)
        Sets a rate limit for all network firewall log messages with the ACL match drop action.
        If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_aggregate_rate (string)
        Defines a rate limit for all combined network firewall log messages per second. Beyond this rate limit, log messages are not logged.
        Rate limits are calculated per second, per TMM, with each TMM throttling as needed, independently of other TMMs.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_ip_errors (string)
        Sets a rate limit for logging of IP error packets.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_match_reject (string)
        Sets a rate limit for all network firewall log messages with the ACL match reject action.
        If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_tcp_errors (string)
        Sets a rate limit for logging of TCP error packets.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.
    rate_limit_tcp_events (string)
        Sets a rate limit for logging of TCP events.
        If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate.
        Valid values are 0 - 4294967295 messages/sec, or indefinite; the values 4294967295 and indefinite are synonymous.

    storage_format (dictionary)
        Configures custom formatting of network event log messages.
        delimiter (string)
            Specifies the delimiter string, when type is set to field-list.
        fields (list of strings)
            Lists the items the server logs, and the order in which the server logs them. The order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
            The valid elements that can be specified in the list are: acl_policy_name, acl_policy_type, acl_rule_name, acl_rule_uuid, action, bigip_hostname, context_name, context_type, date_time, dest_fqdn, dest_geo, dest_ip, dest_ipint_categories, dest_port, drop_reason, management_ip_address, protocol, route_domain, sa_translation_pool, sa_translation_type, source_fqdn, source_ipint_categories, source_user, src_geo, src_ip, src_port, translated_dest_ip, translated_dest_port, translated_ip_protocol, translated_route_domain, translated_src_ip, translated_src_port, translated_vlan, vlan.
        type (string)
            Specifies the format type for log messages. When set to none, the system uses the default format type to log the messages to a Remote Syslog server, and the fields and user_string parameters are ignored. When set to field-list, the system uses a set of fields, set in a specific order, to log messages. When set to user-defined, the system uses a user-defined string to log messages.
        user_string (string)
            Specifies the user-defined string that the system uses as the format for log messages.
packet_filter (dictionary)
    Configures logging of IPv6 Extension Header packet filter rule match events.
    publisher (string)
        Specifies the name of the log publisher used for logging of IPv6 Extension Header Packet Filter rule match events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
    rate (integer)
        Configures a rate limit for all combined IPv6 Extension Header packet filter log messages per second.
        Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate.
        The valid value range is 1 - 1000 messages/sec.
partition (string)
    Default: "Common"
    Device partition to manage resources on.
protocol_inspection (dictionary)
    Configures system logging of events from the Protocol Inspection engine.
    log_packet (boolean)
        Enable/Disable logging of packet payload for Protocol Inspection events.
    publisher (string)
        Specifies the name of the log publisher used for logging of Protocol Inspection events.
        If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
sip_security
dictionary
|
Configure the system to log dropped and malformed malicious SIP requests, global and request failures, redirected responses, and server errors for SIP Security.
|
|||||
log_sip_drop
boolean
|
|
Enable/Disable logging of dropped SIP requests.
|
||||
log_sip_global_failures
boolean
|
|
Enable/Disable logging of SIP global failures.
The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
|
||||
log_sip_malformed
boolean
|
|
Enable/Disable logging of malformed SIP requests.
|
||||
log_sip_redirect_responses
boolean
|
|
Enable/Disable logging of SIP redirection responses.
|
||||
log_sip_request_failures
boolean
|
|
Enable/Disable logging of SIP request failures.
|
||||
log_sip_server_errors
boolean
|
|
Enable/Disable logging of SIP server errors.
|
||||
publisher
string
|
Specifies the name of the log publisher used for logging SIP protocol security events.
If the desired log publisher is configured on a different partition from the one where the log profile is created, the publisher name must be specified in full_path format, e.g. /Foo/my-publisher.
|
|||||
storage_format
dictionary
|
Configures custom formatting of SIP security log messages.
|
|||||
delimiter
string
|
Specifies the delimiter string when type is set to field-list. |
|||||
fields
list
/ elements=string
|
Lists the items the server logs, and the order in which the server logs them; the order in which items are specified in the list matters. The server displays the items in the log sequentially from top down.
The valid elements that can be specified in the list are: action, context_name, date_time, dest_ip, dest_port, route_domain, sip_callee, sip_caller, sip_method_type, src_ip, src_port, vlan.
|
|||||
type
string
|
|
Specifies the format type for log messages.
When set to none, the system uses the default format type to log messages to a remote syslog server.
When set to field-list, the system logs messages using a set of fields in a specific order.
When set to user-defined, the system logs messages in the form of a user-defined string.
When set to none, the fields and user_string parameters are ignored. |
||||
user_string
string
|
Specifies that the format the system uses to log messages is in the form of a user-defined string.
|
|||||
state
string
|
|
When present, ensures the security log profile is created.
When absent, ensures the security log profile is removed. |
Examples¶
- name: Create a security log profile
  bigip_security_log_profile:
    name: "test_log_profile"
    description: "this is a log profile test"
    auto_discovery: "local-db-publisher"
    dos_protection:
      application: "local-db-publisher"
      network: "local-db-publisher"
    protocol_inspection:
      log_packet: "yes"
      publisher: "local-db-publisher"
    packet_filter:
      rate: 300
      publisher: "local-db-publisher"
    bot_defense:
      publisher: "local-db-publisher"
      log_alarm: "yes"
      log_browser: "yes"

- name: Modify a security log profile
  bigip_security_log_profile:
    name: "test_log_profile"
    packet_filter:
      rate: 100
    bot_defense:
      log_alarm: "no"

- name: Delete a security log profile
  bigip_security_log_profile:
    name: "test_log_profile"
    state: absent

- name: Create a security log profile with network security
  bigip_security_log_profile:
    name: "test_log_profile"
    description: "this is a log profile test"
    auto_discovery: "local-db-publisher"
    dos_protection:
      application: "local-db-publisher"
      network: "local-db-publisher"
    protocol_inspection:
      log_packet: "yes"
      publisher: "local-db-publisher"
    packet_filter:
      rate: 300
      publisher: "local-db-publisher"
    bot_defense:
      publisher: "local-db-publisher"
      log_alarm: "yes"
      log_browser: "yes"
    network_security:
      publisher: "local-db-publisher"
      log_acl_match_accept: "yes"
      log_acl_match_drop: "yes"
      rate_limit_acl_match_accept: "1000"
      rate_limit_acl_match_drop: "indefinite"
      storage_format:
        type: "field-list"
        delimiter: "-"
        fields:
          - "acl_policy_name"
          - "acl_rule_name"
          - "date_time"
          - "action"
          - "src_ip"

- name: Modify a security log profile sip security
  bigip_security_log_profile:
    name: "test_log_profile"
    packet_filter:
      rate: 100
    sip_security:
      log_sip_drop: "yes"
      log_sip_server_errors: "yes"
      storage_format:
        type: "field-list"
        delimiter: ";"
        fields:
          - "date_time"
          - "dest_ip"
          - "sip_callee"
          - "sip_caller"
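The storage_format parameters for network_security and sip_security (type, delimiter, fields, user_string) describe the layout of the log lines a collector will receive, so the consumer side has to agree with them exactly: the same fields, in the same order, split on the same delimiter. The following Python is an added example for this page, not code from the bigip_security_log_profile module or from F5. It validates a storage_format block against the documented rules (valid element lists per section, fields and user_string ignored when type is none) and parses a field-list log line back into a record. It assumes that a field-list profile emits the configured fields joined by the delimiter in the configured order; the sample configuration mirrors the SIP example above and the log line itself is constructed. It also flags a caveat the parameters alone do not make obvious: a delimiter that can occur inside a field value (for example "-" with a date in date_time) produces lines that cannot be split back reliably.

```python
"""Validate and parse BIG-IP security log profile storage_format output.

Added example for this page; it is not part of the bigip_security_log_profile
module or of any F5 code. It assumes that with type=field-list the device emits
each configured field, in the configured order, joined by the delimiter.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Valid field-list elements documented for network_security.storage_format.fields.
NETWORK_SECURITY_FIELDS: FrozenSet[str] = frozenset({
    "acl_policy_name", "acl_policy_type", "acl_rule_name", "acl_rule_uuid",
    "action", "bigip_hostname", "context_name", "context_type", "date_time",
    "dest_fqdn", "dest_geo", "dest_ip", "dest_ipint_categories", "dest_port",
    "drop_reason", "management_ip_address", "protocol", "route_domain",
    "sa_translation_pool", "sa_translation_type", "source_fqdn",
    "source_ipint_categories", "source_user", "src_geo", "src_ip", "src_port",
    "translated_dest_ip", "translated_dest_port", "translated_ip_protocol",
    "translated_route_domain", "translated_src_ip", "translated_src_port",
    "translated_vlan", "vlan",
})

# Valid field-list elements documented for sip_security.storage_format.fields.
SIP_SECURITY_FIELDS: FrozenSet[str] = frozenset({
    "action", "context_name", "date_time", "dest_ip", "dest_port",
    "route_domain", "sip_callee", "sip_caller", "sip_method_type", "src_ip",
    "src_port", "vlan",
})

VALID_TYPES = ("none", "field-list", "user-defined")


@dataclass
class StorageFormat:
    """Mirrors the storage_format dictionary accepted by the module."""
    type: str = "none"
    delimiter: str = ""
    fields: List[str] = field(default_factory=list)
    user_string: Optional[str] = None


def validate_storage_format(fmt: StorageFormat, allowed: FrozenSet[str]) -> List[str]:
    """Return the problems found; an empty list means the block is consistent."""
    problems: List[str] = []
    if fmt.type not in VALID_TYPES:
        problems.append(f"unknown type {fmt.type!r}")
    if fmt.type == "field-list":
        if not fmt.fields:
            problems.append("field-list needs at least one field")
        if not fmt.delimiter:
            problems.append("field-list needs a delimiter")
        for name in fmt.fields:
            if name not in allowed:
                problems.append(f"unknown field {name!r}")
        if len(set(fmt.fields)) != len(fmt.fields):
            problems.append("duplicate field in fields")
    if fmt.type == "user-defined" and not fmt.user_string:
        problems.append("user-defined needs user_string")
    if fmt.type == "none" and (fmt.fields or fmt.user_string):
        problems.append("fields and user_string are ignored when type is none")
    return problems


def delimiter_collisions(fmt: StorageFormat, record: Dict[str, str]) -> List[str]:
    """Names of fields whose value contains the delimiter; such lines cannot be split back reliably."""
    return [name for name in fmt.fields
            if fmt.delimiter and fmt.delimiter in record.get(name, "")]


def parse_field_list(line: str, fmt: StorageFormat) -> Dict[str, str]:
    """Split one field-list log line into {field: value} using the configured order."""
    if fmt.type != "field-list":
        raise ValueError("only type=field-list lines have a fixed field layout")
    parts = line.rstrip("\r\n").split(fmt.delimiter)
    if len(parts) != len(fmt.fields):
        raise ValueError(f"expected {len(fmt.fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fmt.fields, parts))


# Constructed sample: the sip_security storage_format from the Examples section,
# with a made-up log line shaped the way that configuration is assumed to emit it.
SIP_FORMAT = StorageFormat(
    type="field-list",
    delimiter=";",
    fields=["date_time", "dest_ip", "sip_callee", "sip_caller"],
)
SAMPLE_SIP_LINE = "2024-01-01 00:00:00;192.0.2.10;sip:bob@example.com;sip:alice@example.com"


def parse_sample() -> Dict[str, str]:
    """Parse the constructed sample line with the constructed SIP format."""
    return parse_field_list(SAMPLE_SIP_LINE, SIP_FORMAT)


if __name__ == "__main__":
    print(validate_storage_format(SIP_FORMAT, SIP_SECURITY_FIELDS))  # []
    print(parse_sample())
    # A "-" delimiter (as in the network_security example) collides with an ISO date.
    dashed = StorageFormat(type="field-list", delimiter="-", fields=["date_time", "src_ip"])
    print(delimiter_collisions(dashed, {"date_time": "2024-01-01 00:00:00",
                                        "src_ip": "192.0.2.10"}))  # ['date_time']
```

Run the validator against the same storage_format dictionary you put in the playbook before applying it, and keep the field order in the parser identical to the fields list on the device; a silent reorder on either side shifts every value into the wrong column without any parse error. If you cannot avoid a delimiter that may appear in a value, prefer the user-defined type with explicit key=value pairs so the consumer does not depend on positional splitting.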
Return Values¶
The following are the fields unique to this module:
Key | Returned | Description | |||
---|---|---|---|---|---|
auto_discovery
string
|
changed |
The log publisher the system uses to log Auto Discovered Service/Server events.
Sample:
/Common/foo-publisher
|
|||
bot_defense
complex
|
changed |
The system logging of events from the Bot Defense mechanism.
|
|||
log_alarm
boolean
|
changed |
Enable/Disable logging of requests triggering ALARM mitigation action of the Bot Defense logging profile.
Sample:
True
|
|||
log_block
boolean
|
changed |
Enable/Disable logging of requests triggering Block mitigation action of the Bot Defense logging profile.
Sample:
True
|
|||
log_browser
boolean
|
changed |
TBD
Sample:
True
|
|||
log_browser_verification_action
boolean
|
changed |
TBD
Sample:
True
|
|||
log_captcha
boolean
|
changed |
TBD
Sample:
True
|
|||
log_challenge_failure_request
boolean
|
changed |
TBD
Sample:
True
|
|||
log_device_id_collection_request
boolean
|
changed |
TBD
Sample:
True
|
|||
log_honeypot_page
boolean
|
changed |
TBD
Sample:
True
|
|||
log_mobile_application
boolean
|
changed |
TBD
Sample:
True
|
|||
log_none
boolean
|
changed |
TBD
Sample:
True
|
|||
log_rate_limit
boolean
|
changed |
TBD
Sample:
True
|
|||
log_redirect_to_pool
boolean
|
changed |
TBD
Sample:
True
|
|||
log_suspicious_browser
boolean
|
changed |
TBD
Sample:
True
|
|||
log_tcp_reset
boolean
|
changed |
TBD
Sample:
True
|
|||
log_trusted_bot
boolean
|
changed |
TBD
Sample:
True
|
|||
log_unknown
boolean
|
changed |
TBD
Sample:
True
|
|||
log_untrusted_bot
boolean
|
changed |
TBD
Sample:
True
|
|||
publisher
string
|
changed |
The name of the local log publisher used for Bot Defense log messages.
Sample:
/Common/foo-publisher
|
|||
send_remote_challenge_failure_messages
boolean
|
changed |
TBD
Sample:
True
|
|||
classification
complex
|
changed |
The system logging of events from the Classification engine.
|
|||
log_matches
boolean
|
changed |
Enable/Disable logging of all events from the Classification engine.
Sample:
True
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging of Classification engine events.
Sample:
/Common/foo-publisher
|
|||
description
string
|
changed |
Specifies descriptive text that identifies the security log profile.
Sample:
this is a text
|
|||
dns_security
complex
|
changed |
Configures the system to log dropped, malformed, or rejected requests for DNS Security.
|
|||
log_dns_drop
boolean
|
changed |
Enable/Disable logging of dropped DNS requests.
Sample:
True
|
|||
log_dns_filtered_drop
boolean
|
changed |
Enable/Disable logging of DNS requests dropped due to DNS query/header-opcode filtering.
Sample:
True
|
|||
log_dns_malformed
boolean
|
changed |
Enable/Disable logging of malformed DNS requests.
Sample:
True
|
|||
log_dns_malicious
boolean
|
changed |
Enable/Disable logging of malicious DNS requests.
Sample:
True
|
|||
log_dns_reject
boolean
|
changed |
Enable/Disable logging of rejected DNS requests.
Sample:
True
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging DNS security events.
Sample:
/Common/foo-publisher
|
|||
storage_format
complex
|
changed |
The formatting of DNS security log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['action', 'vlan']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$action
|
|||
dos_protection
complex
|
changed |
The log publishers used by the system to log detected DoS attacks.
|
|||
application
string
|
changed |
The log publisher used for logging Application DoS attacks.
Sample:
/Common/foo-publisher
|
|||
dns
string
|
changed |
The log publisher used for logging DNS DoS events.
Sample:
/Common/foo-publisher
|
|||
network
string
|
changed |
The log publisher used for logging Network DoS events.
Sample:
/Common/foo-publisher
|
|||
sip
string
|
changed |
The log publisher the system uses to log SIP DoS events.
Sample:
/Common/foo-publisher
|
|||
nat
complex
|
changed |
Configures the system to log firewall NAT events.
|
|||
end_inbound_session
complex
|
changed |
Configuration of log entries generated at the end of the incoming connection event for a translated endpoint.
|
|||
action
string
|
changed |
Configures the system to log entries for the end of the incoming connection event for a translated endpoint.
Sample:
enabled
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
end_outbound_session
complex
|
changed |
Configuration of log entries generated at end of translation event for a NAT client.
|
|||
action
string
|
changed |
Configures the system to log entries for the end of the translation event for a NAT client.
Sample:
enabled
|
|||
include_dest_addr_port
boolean
|
changed |
Enable/Disable logging of destination IP address and port information.
Sample:
True
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
errors
complex
|
changed |
Configuration of log entries generated when NAT translation errors occur.
|
|||
action
string
|
changed |
Configures the system to log entries generated when NAT translation errors occur.
Sample:
enabled
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
log_subscriber_id
boolean
|
changed |
Enable/Disable logging of the subscriber ID associated with a subscriber IP address.
Sample:
True
|
|||
lsn_legacy_mode
boolean
|
changed |
Enable/Disable use of legacy CGNAT/LSN logging facility instead of the new Firewall NAT logging capability.
Sample:
True
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging Network Address Translation events.
Sample:
/Common/foo-publisher
|
|||
quota_exceeded
complex
|
changed |
Configuration of log entries generated when a NAT client exceeds allocated resources.
|
|||
action
string
|
changed |
Configures the system to log entries generated when a NAT client exceeds allocated resources.
Sample:
enabled
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
rate_limit_aggregate_rate
string
|
changed |
The rate limit for all combined NAT log messages per second.
Sample:
indefinite
|
|||
rate_limit_end_inbound_session
string
|
changed |
The rate limit for logging of log entries at the end of the incoming connection event for a translated endpoint.
Sample:
indefinite
|
|||
rate_limit_end_outbound_session
string
|
changed |
The rate limit for logging of log entries at end of translation event for a NAT client.
Sample:
indefinite
|
|||
rate_limit_errors
string
|
changed |
The rate limit for logging of events when NAT translation errors occur.
Sample:
indefinite
|
|||
rate_limit_quota_exceeded
string
|
changed |
The rate limit for logging of log entries when a NAT client exceeds allocated resources.
Sample:
indefinite
|
|||
rate_limit_start_inbound_session
string
|
changed |
The rate limit for logging of log entries at the start of the incoming connection event for a translated endpoint.
Sample:
indefinite
|
|||
rate_limit_start_outbound_session
string
|
changed |
The rate limit for logging of log entries at start of the translation event for a NAT client.
Sample:
indefinite
|
|||
start_inbound_session
complex
|
changed |
Configuration of log entries generated at the start of the incoming connection event for a translated endpoint.
|
|||
action
string
|
changed |
Configures the system to log entries for the start of the incoming connection event for a translated endpoint.
Sample:
enabled
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
start_outbound_session
complex
|
changed |
Configuration of log entries generated at the start of the incoming connection event for a translated endpoint.
|
|||
action
string
|
changed |
Configures the system to log entries for the start of the incoming connection event for a translated endpoint.
Sample:
enabled
|
|||
include_dest_addr_port
boolean
|
changed |
Enable/Disable logging of destination IP address and port information.
Sample:
True
|
|||
storage_format
complex
|
changed |
The formatting of NAT events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['dest_ip', 'dest_port']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$dest_ip
|
|||
network_security
complex
|
changed |
Configures the system to log network firewall events.
|
|||
log_acl_match_accept
boolean
|
changed |
Enable/Disable logging of packets that match ACL rules action accept.
Sample:
True
|
|||
log_acl_match_drop
boolean
|
changed |
Enable/Disable logging of packets that match ACL rules action drop.
Sample:
True
|
|||
log_acl_match_reject
boolean
|
changed |
Enable/Disable logging of packets that match ACL rules action reject.
Sample:
True
|
|||
log_acl_to_box_deny
boolean
|
changed |
Enable/Disable logging of any packet that is dropped or denied by management port firewall rules.
Sample:
True
|
|||
log_geo_always
boolean
|
changed |
Enable/Disable logging of Geo IP Location information.
Sample:
True
|
|||
log_ip_errors
boolean
|
changed |
Enable/Disable logging of IP errors.
Sample:
True
|
|||
log_tcp_errors
boolean
|
changed |
Enable/Disable logging of TCP errors.
Sample:
True
|
|||
log_tcp_events
boolean
|
changed |
Enable/Disable logging of TCP events.
Sample:
True
|
|||
log_translation_fields
boolean
|
changed |
Enable/Disable logging of translation fields in ACL and TCP events.
Sample:
True
|
|||
log_user_always
boolean
|
changed |
Enable/Disable logging of certain subscriber information.
Sample:
True
|
|||
log_uuid_field
boolean
|
changed |
Enable/Disable logging of UUID of the specific rule that triggered the log message.
Sample:
True
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging network events.
Sample:
/Common/foo-publisher
|
|||
rate_limit_acl_match_accept
string
|
changed |
The rate limit for all network firewall log messages with this acl match accept action.
Sample:
indefinite
|
|||
rate_limit_acl_match_drop
string
|
changed |
The rate limit for all network firewall log messages with this acl match drop action.
Sample:
indefinite
|
|||
rate_limit_aggregate_rate
string
|
changed |
The rate limit for all combined network firewall log messages per second.
Sample:
indefinite
|
|||
rate_limit_ip_errors
string
|
changed |
The rate limit for logging of IP error packets.
Sample:
indefinite
|
|||
rate_limit_match_reject
string
|
changed |
The rate limit for all network firewall log messages with this acl match reject action.
Sample:
indefinite
|
|||
rate_limit_tcp_errors
string
|
changed |
The rate limit for logging of TCP error packets.
Sample:
indefinite
|
|||
rate_limit_tcp_events
string
|
changed |
The rate limit for logging of TCP events.
Sample:
indefinite
|
|||
storage_format
complex
|
changed |
The formatting of network events log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['action', 'vlan']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$action
|
|||
packet_filter
complex
|
changed |
Configures logging of IPv6 Extension Header packet filter rule match events.
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging of IPv6 Extension Header Packet Filter rule match events.
Sample:
/Common/foo-publisher
|
|||
rate
integer
|
changed |
The rate limit for all combined IPv6 Extension Header packet filter log messages per second.
Sample:
400
|
|||
protocol_inspection
complex
|
changed |
Configures logging of events from the Protocol Inspection engine.
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging of Protocol Inspection events.
Sample:
/Common/foo-publisher
|
|||
rate
boolean
|
changed |
Enable/Disable logging of packet payload for Protocol Inspection events.
Sample:
True
|
|||
sip_security
complex
|
changed |
Configures the system to log dropped and malformed malicious SIP requests, global and request failures, redirected responses, and server errors for SIP Security.
|
|||
log_sip_drop
boolean
|
changed |
Enable/Disable logging of dropped SIP requests.
Sample:
True
|
|||
log_sip_global_failures
boolean
|
changed |
Enable/Disable logging of SIP global failures.
Sample:
True
|
|||
log_sip_malformed
boolean
|
changed |
Enable/Disable logging of malformed SIP requests.
Sample:
True
|
|||
log_sip_redirect_responses
boolean
|
changed |
Enable/Disable logging of SIP redirection responses.
Sample:
True
|
|||
log_sip_request_failures
boolean
|
changed |
Enable/Disable logging of SIP request failures.
Sample:
True
|
|||
log_sip_server_errors
boolean
|
changed |
Enable/Disable logging of SIP server errors.
Sample:
True
|
|||
publisher
string
|
changed |
The name of the log publisher used for logging SIP protocol security events.
Sample:
/Common/foo-publisher
|
|||
storage_format
complex
|
changed |
The formatting of SIP security log messages.
|
|||
delimiter
string
|
changed |
The delimiter string.
Sample:
-
|
|||
fields
list
|
changed |
The items the server logs.
Sample:
['action', 'vlan']
|
|||
type
string
|
changed |
The format type for log messages.
Sample:
user-defined
|
|||
user_string
string
|
changed |
User-defined string.
Sample:
$action
|