Configuring SPK Firewall Logging
Overview
NOTE: Firewall features were introduced in SPK 1.8.0.
When you configure L4 Firewall Policies on the SPK Controller, you can also set up firewall logging, which sends log messages to a remote syslog server when a firewall event occurs. This guide walks through configuring firewall logging and enabling it for your firewall policies.
This guide focuses mainly on getting firewall logging set up. Example firewall log messages at the end show a working result.
Enable Secure SPK Logging
This section will go through setting up firewall logging.
Before You Begin
- This guide assumes the SPK Controller is deployed in the spk-secure namespace, so you will see references to that namespace throughout this guide. Update the namespace to where your SPK Controller is deployed in your environment.
- The guide assumes a remote syslog server with an IP of 10.10.20.11 on port 514.
Firewall Logging Configurations
Create a file, hsl.yaml, based on the example below. The YAML is an F5BigLogHslpub CR that represents the high speed log publisher.
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: logpublisher
  namespace: spk-secure
spec:
  pool:
    - name: pool
      endpoint:
        - 10.10.20.11:514
  syslog:
    - name: syslog
      format: rfc5424
      protocol: udp
      distribution: adaptive
      pool: pool
```
Create the high speed log publisher.
```shell
oc create -f hsl.yaml
```
Create a YAML file, log-profile.yaml, based on the example below. This is the F5BigLogProfile CR that represents the logging profile.
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogProfile
metadata:
  name: logprofile
  namespace: spk-secure
spec:
  publisher: logpublisher
  firewall:
    enabled: true
    network:
      events:
        aclMatchAccept: true
        aclMatchDrop: true
        aclMatchReject: true
```
Create the log profile.
```shell
oc create -f log-profile.yaml
```
The configuration above is a basic log profile that will capture matching ACL accept, drop, or reject firewall events. Additional settings can be found in the CRD references below.
Customize Logging Format
The log profile will use a default log format if it is not specified. The format itself is customizable. A snippet of a customized firewall log message format defined in the log profile is shown below.
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigLogProfile
spec:
  firewall:
    network:
      format:
        type: user-defined
        userDefinedFieldList: "Firewall Policy Name: ${acl_policy_name}, Firewall Policy Type: ${acl_policy_type}, Firewall Rule Name: ${acl_rule_name}, Firewall Rule Action: ${action}, TMM Hostname: ${bigip_hostname}, Context Name: ${context_name}, Context Type: ${context_type}, Destination IP: ${dest_ip}, Destination Port: ${dest_port}, Drop Reason: ${drop_reason}, TMM IP: ${management_ip_address}, Protocol: ${protocol}, Source IP: ${src_ip}, Source Port: ${src_port}, Interface: ${vlan}"
```
Refer to K05327372 for all available fields.
We will show the default message output along with the user-defined customized one from the example format defined in the snippet above.
Associate Log Profile to Firewall Global Context
Now that a log profile is created, you can enable firewall logging by associating the logging profile with the F5BigContextGlobal CR named global-context. Below, spec.logProfile is set to the log profile, logprofile, created above.
Be sure to also enable spec.defaultActionLog in your global-context so that log messages are also generated when the defaultAction is applied to traffic that does not match any firewall policy rule.
NOTE: Enabling logging on the global context can get verbose.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigContextGlobal
metadata:
  name: global-context
spec:
  logProfile: logprofile
  firewall:
    enforcedPolicy: firewallpolicy
    defaultAction: reject
    defaultActionLog: true
```
Be sure to also enable logging in any firewall policy rules you define. Below is a snippet where logging is set to true on a rule.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: firewallpolicy
  namespace: spk-secure
spec:
  rule:
    - name: sc-rule-tcp
      logging: true
```
Example Firewall Log Messages
This section will show example log messages as a result of firewall events.
The remote syslog server is set up to write firewall log messages to /var/log/syslog, so the example output in this section consists of lines from /var/log/syslog.
Default Firewall Log Messages
Below is a snippet of the default firewall log messages when spec.firewall.network.format is not defined.
```text
Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Global","global-context","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","firewallpolicy-firewallpolicy","sc-rule-tcp-ingress-firewallpolicyrule","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"
Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Virtual Server","spk-app-tcp-app-f5ing-testapp-virtual-server","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","","(Default)","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"
```
User Defined Firewall Log Messages
Below is an example of firewall log messages using the user-defined format. The customized format shown in this example is the same one used in the example from the Customize Logging Format section above.
```text
Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: firewallpolicy-firewallpolicy, Firewall Policy Type: Enforced, Firewall Rule Name: sc-rule-tcp-ingress-firewallpolicyrule, Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external
Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: spk-app-tcp-app-f5ing-testapp-virtual-server, Context Type: Virtual Server, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external
```
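The log lines above are only useful once something on the syslog side reads them, so here is an added example (not code from the SPK documentation or from F5) that parses both message shapes shown in this section and picks out the events whose action is not Accept. The user-defined parser is generated directly from the userDefinedFieldList string in the Customize Logging Format section, so it adapts to any "Label: ${variable}" list you configure. The column positions used for the default format are an assumption: they were inferred by lining up the default line with the user-defined line for the same flow on this page, not taken from an official field list, and the policy columns are located relative to the "Enforced" policy-type column because that is the only policy type this page shows. The four sample lines are copied from this page; the fifth is constructed to show a Reject produced by the global context's defaultAction.

```python
"""Parse SPK firewall log messages (default and user-defined format) and
report deny events.  Added example; column mapping for the default format is
inferred from this page, not an official field list."""
import csv
import re

# Syslog line shape seen on this page: "<Mon DD HH:MM:SS> <host> tmm[<n>] <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) tmm\[\d+\] (?P<msg>.*)$")

# The userDefinedFieldList from the log profile; paste a different list here
# and the user-defined parser below follows it.
USER_DEFINED_FORMAT = (
    "Firewall Policy Name: ${acl_policy_name}, Firewall Policy Type: ${acl_policy_type}, "
    "Firewall Rule Name: ${acl_rule_name}, Firewall Rule Action: ${action}, "
    "TMM Hostname: ${bigip_hostname}, Context Name: ${context_name}, "
    "Context Type: ${context_type}, Destination IP: ${dest_ip}, "
    "Destination Port: ${dest_port}, Drop Reason: ${drop_reason}, "
    "TMM IP: ${management_ip_address}, Protocol: ${protocol}, Source IP: ${src_ip}, "
    "Source Port: ${src_port}, Interface: ${vlan}")


def format_to_regex(fmt):
    """Turn 'Label: ${var}, ...' into a regex with one named group per variable."""
    pattern, pos = "", 0
    for m in re.finditer(r"\$\{(\w+)\}", fmt):
        pattern += re.escape(fmt[pos:m.start()]) + "(?P<%s>.*?)" % m.group(1)
        pos = m.end()
    return re.compile(pattern + re.escape(fmt[pos:]) + "$")


USER_DEFINED_RE = format_to_regex(USER_DEFINED_FORMAT)

# Leading columns of the default (CSV-style) format, lined up against the
# user-defined output for the same flow (assumption).  None marks columns the
# page gives no name for.
DEFAULT_LEADING = ["management_ip_address", "bigip_hostname", "context_type",
                   "context_name", None, "src_ip", None, "dest_ip", "src_port",
                   "dest_port", "vlan", "protocol"]


def parse_default(msg):
    """Parse one default-format message into a dict of the fields this page can name."""
    fields = next(csv.reader([msg]))
    event = {name: value for name, value in zip(DEFAULT_LEADING, fields) if name}
    # The policy columns sit to the right of a run of empty columns, so locate
    # them relative to the policy-type column rather than by fixed index.
    # "Enforced" is the only policy type shown on this page (assumption: other
    # policy types would need their own marker here).
    if "Enforced" in fields:
        i = fields.index("Enforced")
        event["acl_policy_type"] = fields[i]
        event["acl_policy_name"] = fields[i + 1]
        event["acl_rule_name"] = fields[i + 2]
        event["action"] = fields[i + 4]
    return event


def parse_line(line):
    """Parse a syslog line in either format; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if msg.startswith('"'):
        event = parse_default(msg)
    else:
        um = USER_DEFINED_RE.match(msg)
        if not um:
            return None
        event = um.groupdict()
    event["timestamp"] = m.group("ts")
    return event


def deny_events(lines):
    """Return (action, rule, src_ip, dest_ip:dest_port) for every event whose action is not Accept."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("action") and ev["action"] != "Accept":
            out.append((ev["action"], ev["acl_rule_name"], ev["src_ip"],
                        ev["dest_ip"] + ":" + ev["dest_port"]))
    return out


# First four lines are the page's own examples; the fifth is constructed to
# show a Reject from the global context's defaultAction (rule "(Default)").
SAMPLE_LINES = [
    'Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Global","global-context","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","firewallpolicy-firewallpolicy","sc-rule-tcp-ingress-firewallpolicyrule","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"',
    'Jul 17 22:22:12 f5-tmm-9cbcc4dbd-zr76f tmm[14] "10.131.0.151","f5-tmm-9cbcc4dbd-zr76f","Virtual Server","spk-app-tcp-app-f5ing-testapp-virtual-server","No-lookup","10.10.20.10","No-lookup","10.10.20.44","36664","9001","external","TCP","0","","","","","","","","Enforced","","(Default)","","Accept","","","","0000000000000000","unknown","unknown","unknown","unknown","","","","","No-lookup","No-lookup"',
    "Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: firewallpolicy-firewallpolicy, Firewall Policy Type: Enforced, Firewall Rule Name: sc-rule-tcp-ingress-firewallpolicyrule, Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external",
    "Jul 17 21:40:21 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Accept, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: spk-app-tcp-app-f5ing-testapp-virtual-server, Context Type: Virtual Server, Destination IP: 10.10.20.44, Destination Port: 9001, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.10, Source Port: 35154, Interface: external",
    # constructed line
    "Jul 17 21:41:03 f5-tmm-9cbcc4dbd-zr76f tmm[14] Firewall Policy Name: , Firewall Policy Type: Enforced, Firewall Rule Name: (Default), Firewall Rule Action: Reject, TMM Hostname: f5-tmm-9cbcc4dbd-zr76f, Context Name: global-context, Context Type: Global, Destination IP: 10.10.20.44, Destination Port: 22, Drop Reason: , TMM IP: 10.131.0.151, Protocol: TCP, Source IP: 10.10.20.99, Source Port: 40000, Interface: external",
]

if __name__ == "__main__":
    for action, rule, src, dst in deny_events(SAMPLE_LINES):
        print("%s by rule %s: %s -> %s" % (action, rule, src, dst))
```

Run against /var/log/syslog on the remote syslog server (for example, `deny_events(open("/var/log/syslog"))`) to list Drop and Reject events; the "(Default)" rule name identifies traffic that fell through to the global context's defaultAction, which is only logged when spec.defaultActionLog is enabled as described above.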
Feedback
Provide feedback to improve this document by emailing spkdocs@f5.com.