Integrate F5 BIG-IP LTM - eventtracker.com · 3 Integrate F5 BIG-IP LTM Overview F5 BIG-IP Local Traffic Manager (LTM) turns your network into an agile infrastructure for application

Integrate F5 BIG-IP LTM

Publication Date: October 30, 2015

1


Abstract This guide provides instructions to configure F5 BIG-IP LTM to send the syslog events to EventTracker.

Scope The configurations detailed in this guide are consistent with EventTracker version 7.x and later, and F5 BIG-IP

LTM 1600 Series, Tmos version 9.4.5 onwards.

Audience F5 BIG-IP LTM users, who wish to forward syslog events to EventTracker manager.

The information contained in this document represents the current view of EventTracker. on the

issues discussed as of the date of publication. Because EventTracker must respond to changing

market conditions, it should not be interpreted to be a commitment on the part of EventTracker,

and EventTracker cannot guarantee the accuracy of any information presented after the date of

publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES,

EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

rights under copyright, this paper may be freely distributed without permission from

EventTracker, if its content is unaltered, nothing is added to the content and credit to

EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from EventTracker, the furnishing of this document does not give you

any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious.

No association with any real company, organization, product, person or event is intended or

should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and

products mentioned herein may be the trademarks of their respective owners.

2


Table of Contents Abstract ................................................................................................................................................................. 1

Overview ................................................................................................................................................................ 3

Pre-requisite .......................................................................................................................................................... 3

Configure F5 BIG-IP LTM to forward logs to EventTracker ................................................................................... 3

For Version 9.4.5-9.4.8 ...................................................................................................................................... 3

For Version 10.0.0-10.2.4 .................................................................................................................................. 4

For Version 11.0.0-11.6.0 .................................................................................................................................. 4

EventTracker Knowledge Pack .............................................................................................................................. 5

Categories .......................................................................................................................................................... 5

Alerts ................................................................................................................................................................. 6

Reports .............................................................................................................................................................. 7

Import F5 BIG-IP LTM knowledge pack into EventTracker ................................................................................... 7

Import Categories .............................................................................................................................................. 9

Import Alerts ................................................................................................................................................... 10

Import Parsing Rules ....................................................................................................................................... 11

Import Flex Reports ......................................................................................................................................... 12

Verify F5 BIG-IP LTM knowledge pack in EventTracker....................................................................................... 13

Verify Categories ............................................................................................................................................. 13

Verify Alerts ..................................................................................................................................................... 13

Verify Parsing Rules ......................................................................................................................................... 15

Verify Flex Reports .......................................................................................................................................... 15

Create Dashboards in EventTracker .................................................................................................................... 16

Schedule Reports ............................................................................................................................................. 16

Create Dashlets ............................................................................................................................................... 19

Sample Dashboards ............................................................................................................................................. 22

Sample Reports ................................................................................................................................................... 24

3


Overview F5 BIG-IP

Local Traffic Manager (LTM) turns your network into an agile infrastructure for application delivery.

It’s a full proxy between users and application servers, creating a layer of abstraction to secure, optimize, and

load balance application traffic. This gives you the control to add servers easily, eliminate downtime, improve

application performance, and meet your security requirements.

EventTracker Supports F5 BIG-IP LTM 1600 Series, it forwards the syslog-ng messages to EventTracker

manager. EventTracker generates the alert and report for critical events.

Pre-requisite EventTracker V 7.x or later should be installed.

You must have a console with root access to the F5 BIG-IP system.

Configure F5 BIG-IP LTM to forward logs to EventTracker The mechanism that the F5 BIG-IP LTM uses to log events remotely is the Linux utility syslog-ng which is

enabled by default.

For Version 9.4.5-9.4.8 1. Use an SSH client to access the F5 Big-IP LTM device. 2. Type root and press ENTER. 3. Enter the F5 Big-IP LTM password. 4. Type bpsh, and press ENTER. 5. To configure the remote syslog server, type the following command:

bigpipe syslog remote server <IP_address> For example: bigpipe syslog remote server 10.1.1.1

6. To save the configuration, type the following command: bigpipe save

7. Type exit and press ENTER.

4


For Version 10.0.0-10.2.4 1. Use an SSH client to access the F5 Big-IP LTM device. 2. Type root and press ENTER. 3. Enter the F5 Big-IP LTM password. 4. Type bpsh, and press ENTER. 5. To add a single remote syslog server, use the following command syntax:

bigpipe syslog remote server {<name> {host <IP_address>}}

For example: bigpipe syslog remote server {server1.net {host 10.1.1.1}}

6. To save the configuration, type the following command: In versions 10.0.0 through 10.2.1: bigpipe save

In versions 10.2.2 and later: bigpipe save all

7. Type exit and press ENTER.

For Version 11.0.0-11.6.0 1. Use an SSH client to access the F5 Big-IP LTM device. 2. Type root and press ENTER. 3. Enter the F5 Big-IP LTM password. 4. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

5. To add a single remote syslog server, use the following command syntax:

modify /sys syslog remote-servers add { <name> { host <IP address> remote-port <port> }}

For example, to add remote syslog server 172.28.31.40 with port 514 and name mysyslog, type the following command:

modify /sys syslog remote-servers add { mysyslog { host 10.1.1.1 remote-port 514 }}

6. To save the configuration, type the following command:

save /sys config

7. Type quit, and press ENTER.

5


EventTracker Knowledge Pack Once F5 BIG-IP LTM events are enabled and F5 BIG-IP LTM events are received in EventTracker, Alerts and

Reports can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker to support F5 BIG-IP LTM monitoring.

Categories

BIG-IP LTM: ARP entry deleted - This category based report provides information related to ARP

deletion.

BIG-IP LTM: ARP static entry - This category based report provides information related to manual ARP

entry.

BIG-IP LTM: Authentication Fail - This category based report provides information related to

authentication failure.

BIG-IP LTM: Authentication Success - This category based report provides information related to

authentication success.

BIG-IP LTM: Configuration Fail - This category based report provides information related to

configuration error.

BIG-IP LTM: Connection Error - This category based report provides information related to connection

error.

BIG-IP LTM: Member unavailable for pool - This category based report provides information related

to empty pool or incorrect searched member.

BIG-IP LTM: Monitor created - This category based report provides information related to addition of

new system as monitor for local traffic management.

BIG-IP LTM: Monitor removed - This category based report provides information related to removal

of monitor from local traffic management.

BIG-IP LTM: New node added - This category based report provides information related to addition of

node to local traffic manager.

BIG-IP LTM: New route addition failed - This category based report provides information related to

failure of route addition process.

BIG-IP LTM: New route addition success - This category based report provides information related to

success of route addition process.

BIG-IP LTM: New SNAT added - This category based report provides information related to addition of

SNAT entry.

BIG-IP LTM: NTP server configured - This category based report provides information related to

modification in NTP server.

6


BIG-IP LTM: Packet filtering disabled - This category based report provides information related to

disability of packet filtering.

BIG-IP LTM: Packet filtering enabled - This category based report provides information related to

inability of packet filtering.

BIG-IP LTM: Packet filtering rule modified - This category based report provides information related

to modification in packet filtering rule.

BIG-IP LTM: Pool member creation failed - This category based report provides information related to

pool member creation failure.

BIG-IP LTM: Pool member creation success - This category based report provides information related

to pool member creation success.

BIG-IP LTM: Pool member deleted - This category based report provides information related to

deletion of pool member.

BIG-IP LTM: Pool member status down - This category based report provides information related to

down status of pool member.

BIG-IP LTM: Pool member status up - This category based report provides information related to up

status of pool member.

BIG-IP LTM: Remote server added - This category based report provides information related to

addition remote server.

BIG-IP LTM: Root Login Failure - This category based report provides information related to root

authentication failure.

BIG-IP LTM: SNMP agent configured - This category based report provides information related to

configuration of SNMP agent.

BIG-IP LTM: System shutdown - This category based report provides information related to system

shutdown.

BIG-IP LTM: User account deleted - This category based report provides information related to

deletion of user account.

BIG-IP LTM: User account modified - This category based report provides information related to

modification of user account.

BIG-IP LTM: Virtual server created - This category based report provides information related to

creation of virtual server.

Alerts

BIG-IP LTM: ARP entry deleted - This alert is generated when an ARP entry is deleted.

BIG-IP LTM: Authentication failed - This alert is generated when an authentication fails.

BIG-IP LTM: Authentication success - This alert is generated when an authentication succeeds.

BIG-IP LTM: Connection error - This alert is generated when a connection has error.

7


BIG-IP LTM: Monitor removed - This alert is generated when a monitor is removed from local traffic

management.

BIG-IP LTM: Packet filtering disabled - This alert is generated when packet filtering is disabled.

BIG-IP LTM: Packet filtering rule modified - This alert is generated when packet filtering rule is

modified.

BIG-IP LTM: Pool member status down - This alert is generated when pool member’s status changes

to down.

BIG-IP LTM: Root login failure - This alert is generated when root has authentication failure.

BIG-IP LTM: User account deleted - This alert is generated when user account is deleted.

Reports

F5 BIG-IP LTM User Logon Failure Details – This report provides information related to user logon failure which includes User Name, Host Address, Console Type, Logon Attempts, Session Start Time and Session End Time fields.

F5 BIG-IP LTM-User Logon Success Details– This report provides information related to user logon success which includes User Name, Host Address, Console Type, Logon Attempts, Session Start Time and Session End Time fields.

F5 BIG-IP LTM-Port Status Changed– This report provides information related to port status change from 0(off) to 1(on) or vice-versa which includes Administrator User Name, Interface Name, Interface Status and Status fields.

F5 BIG-IP LTM-System Configuration Changed – This report provides information related to object configuration change which includes Administrator User Name, Action, Object Name, Object Parameters and Status fields.

F5 BIG-IP LTM-User Account Management Details – This report provides information related user creation or deletion which includes User Name, Action, Added User Name, Console Type and Status fields.

Import F5 BIG-IP LTM knowledge pack into EventTracker

1. Launch EventTracker Control Panel.

8


2. Double click Export Import Utility, and then click Import tab.

Figure 1

Import Category/Alert/Tokens/ Flex Reports as given below.

9


Import Categories

1. Click Category option, and then click the browse button.

Figure 2

2. Locate All F5 BIG-IP group of Categories.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays success message.

Figure 3

4. Click OK, and then click the Close button.

10


Import Alerts

1. Click Alerts option, and then click the browse button.

Figure 4

2. Locate All F5 BIG-IP group of Alerts.isalt file, and then click the Open button.

3. To import alerts, click the Import button.


Figure 5


NOTE: You can select alert notification such as Beep, Email, and Message etc. For this, select the respective

checkbox in the Alert management page, and then click the Activate Now button.

11


Import Parsing Rules

1. Click Token Value option, and then click the browse button.

2. Locate All F5 BIG-IP group of Tokens.istoken file, and then click the Open button.

Figure 6

3. To import token value, click the Import button.


Figure 7


12


Import Flex Reports

1. Click Reports option, and then click the browse button.

2. Locate All F5 BIG-IP group of Scheduled Reports.issch file, and then click the Open button.

Figure 8

3. To import scheduled reports, click the Import button.


Figure 9


13


Verify F5 BIG-IP LTM knowledge pack in EventTracker

Verify Categories 1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Category.

3. In Category Tree to view imported categories, scroll down and expand F5 BIG-IP group folder to view

the imported categories.

Figure 10

Verify Alerts 1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

3. In Search field, type ‘F5 BIG-IP’, and then click the Go button.

Alert Management page will display all the imported F5 BIG-IP LTM alerts.

14


Figure 11

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays message box.

Figure 12

5. Click OK, and then click the Activate Now button.

NOTE: Please specify appropriate systems in alert configuration for better performance.

15


Verify Parsing Rules 1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Parsing Rules.

3. In Token Value Group Tree to view imported token values, scroll down and click F5 BIG IP LTM group

folder.

Token values are displayed in the token value pane.

Figure 13

Verify Flex Reports 1. Logon to EventTracker Enterprise.

2. Click the Reports menu, and then Configuration.

3. Select Defined in report type.

4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click F5 BIG-IP LTM

group folder.

16


Scheduled Reports are displayed in the Reports configuration pane.

Figure 14

Create Dashboards in EventTracker

Schedule Reports 1. Open EventTracker in browser and logon.

Figure 15

17


2. Navigate to Reports>Configuration.

Figure 16

3. Select F5 BIG-IP LTM in report groups. Check defined dialog box.

4. Click on ‘schedule’ to plan a report for later execution.

18


Figure 17

5. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer

box.

Figure 18

19


6. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention

period.

7. Proceed to next step and click Schedule button.

8. Wait for scheduled time or generate report manually.

Create Dashlets 1. EventTracker 8 is required to configure flex dashboard.

2. Open EventTracker in browser and logon.

Figure 19

3. Navigate to Dashboard>Flex.

Flex Dashboard pane is shown.

Figure 20

4. Click to add a new dashboard.

Flex Dashboard configuration pane is shown.

20


Figure 21

5. Fill fitting title and description and click Save button.

6. Click to configure a new flex dashlet.

Widget configuration pane is shown.

Figure 22

21


7. Locate earlier scheduled report in Data Source dropdown.

8. Select Chart Type from dropdown.

9. Select extent of data to be displayed in Duration dropdown.

10. Select computation type in Value Field Setting dropdown.

11. Select evaluation duration in As Of dropdown.

12. Select comparable values in X Axis with suitable label.

13. Select numeric values in Y Axis with suitable label.

14. Select comparable sequence in Legend.

15. Click Test button to evaluate.

Evaluated chart is shown.

Figure 23

22


16. If satisfied, click Configure button.

Figure 24

17. Click ‘customize’ to locate and choose created dashlet.

18. Click to add dashlet to earlier created dashboard.

Sample Dashboards F5 BIG-IP LTM Logon Failures Today

Figure 25

23


F5 BIG-IP LTM Configuration Changes Today

Figure 26

24


Sample Reports F5 BIG-IP LTM User Logon Failure Details

Figure 27

25


F5 BIG-IP LTM-System Configuration Changed

Figure 28

Documents

Integrate F5 BIG-IP LTM - eventtracker.com · 3 Integrate F5 BIG-IP LTM Overview F5 BIG-IP Local Traffic Manager (LTM) turns your network into an agile infrastructure for application