Enable Usage Logging

On an F5 BIG-IP with AFM, you can enable logging so that rule and virtual server usage can be tracked. Note that:

  • Policies must have logging enabled per rule to track usage.
  • Each virtual server must have logging enabled to track usage.
  • Implicit rules do not trigger logging events (on the device, see Security > Options > Firewall Options).
  • Create explicit default rules if you want their usage tracked.
  • Staged policies generate log entries that look exactly like those from enforced policies.

To enable logging on your F5 BIG-IP with AFM device, complete the following steps.

  1. Log in to the F5 Configuration Utility.
  2. Add an LTM pool.
    1. Navigate to Local Traffic > Pools > Create.
    2. In the Name box, type FM_dc.
    3. In the New Members box:
      • Enter the IP Address of the data collector.
      • In the Service Port box, type 514.
      • Click Add.
  3. Create a high-speed log destination that uses the LTM pool.
    1. Click System > Logs > Configuration > Log Destinations > Create.
    2. In the Name box, type FM_HSL.
    3. In the Type box, select Remote High-Speed Log.
    4. In the Pool Name box, type FM_dc.
    5. In the Protocol box, select UDP.
    6. Click Finished.
  4. Create a remote syslog destination.
    1. Click System > Logs > Configuration > Log Destinations > Create.
    2. In the Name box, type FM_syslog.
    3. In the Type box, select Remote Syslog.
    4. In the Syslog Format box, select Syslog.
    5. In the Forward To box, select FM_HSL.
    6. Click Finished.
  5. Create a log publisher.
    1. Click System > Logs > Configuration > Log Publishers > Create.
    2. In the Name box, type FM_publisher.
    3. In the Log Destinations section, move FM_syslog from Available to Selected.
    4. Click Finished.
  6. Create an event logging profile.
    1. Click Security > Event Logs > Logging Profiles > Create.
    2. In the Profile Name box, type FM_usage.
    3. Select the Network Firewall Enabled check box.
    4. In the Network Firewall section, in the Publisher box, select FM_publisher.
    5. In the Log Rule Matches section, select the Accept, Drop, and Reject check boxes.
    6. In the Storage Format section, select None.
    7. Click Finished.
  7. Assign the event logging profile to every virtual server that requires it.
    1. Click Local Traffic > Virtual Servers > the name of the virtual server.
    2. Click the Security tab > Policies.
    3. In the Log Profile box, move FM_usage from Available to Selected.
    4. Click Update.
    5. Repeat for every virtual server that requires it.
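Once the publisher chain above is in place, the practical check is on the collector side: confirm that syslog datagrams actually arrive on the UDP port the FM_dc pool points at (514 in the procedure) before trusting any usage figures built from them. The following script is an added example, not code from the original page or from F5 or the data collector vendor; it binds a plain UDP socket, parses the standard syslog PRI header (facility and severity), and counts lines per sender. The sample datagrams are constructed for the demonstration and do not claim to reproduce the exact AFM rule-match message format.

```python
"""Collector-side check that syslog datagrams arrive over UDP.

Added example: binds a UDP listener, parses RFC 3164-style <PRI> headers
and tallies received lines per source and severity.
"""
import re
import socket

# "<PRI>rest-of-line" where PRI = facility * 8 + severity (0..191).
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split one raw datagram into facility, severity and message text.

    Datagrams without a valid <PRI> header are kept and flagged rather than
    dropped, so a misconfigured sender still shows up in the summary.
    """
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return {"facility": None, "severity": None, "message": text, "valid_pri": False}
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "message": m.group(2),
        "valid_pri": True,
    }


def collect(sock: socket.socket, expected: int, timeout: float = 2.0) -> list:
    """Receive up to `expected` datagrams from an already-bound UDP socket.

    A timeout ends the loop instead of raising: UDP gives no delivery
    guarantee, so the caller sees exactly what did arrive.
    """
    sock.settimeout(timeout)
    records = []
    while len(records) < expected:
        try:
            data, (src_ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            break
        rec = parse_syslog(data)
        rec["source"] = src_ip
        records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Count received lines per (source, severity)."""
    counts = {}
    for r in records:
        key = (r["source"], r["severity"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def loopback_roundtrip(messages: list, port: int = 0) -> list:
    """Bind on 127.0.0.1 (port 0 = ephemeral, so this runs unprivileged),
    send the given datagrams to that socket and return the parsed records.
    For a live check, bind 0.0.0.0:514 and point the FM_dc pool member here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))
        dest = rx.getsockname()
        for m in messages:
            tx.sendto(m, dest)
        return collect(rx, expected=len(messages))


# Constructed sample datagrams (not real AFM output): PRI 134 = local0.info,
# PRI 131 = local0.err, plus one line with no PRI header at all.
SAMPLE = [
    b"<134>Jan  1 00:00:01 bigip1 constructed rule-match line 1",
    b"<134>Jan  1 00:00:02 bigip1 constructed rule-match line 2",
    b"<131>Jan  1 00:00:03 bigip1 constructed err-level line",
    b"no pri header here",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(loopback_roundtrip(SAMPLE)).items(), key=str):
        print(key, n)
```

Because the high-speed log destination uses UDP, a line that never reaches the collector is simply absent from the usage count; if the summary shows fewer lines than the rule-match events you generated, check the pool member, the port, and any firewall between the BIG-IP and the collector before reading anything into the usage report.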