Logging profiles determine where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally on the system and viewed in the Event Logs screens, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service.
You can use one logging profile for Application Security, Protocol Security, Advanced Firewall, and DoS Protection. By default, the system includes two logging profiles that log data locally for Application Security: one to log all requests and another to log illegal requests. You can use the system-supplied logging profiles, or you can create a custom logging profile.
The logging profile records requests to the virtual server. By default when you create a security policy using the Deployment wizard, the system associates the log illegal requests profile to the virtual server associated with the policy. You can change which logging profile is associated with the security policy by editing the virtual server.
A logging profile has two parts: the storage configuration and the storage filter. The storage configuration specifies where to store the logs, either locally and/or remotely. The storage filter determines what information gets stored. For remote logging, you can send logging files for storage on a remote system (such as a syslog server), on a reporting server (as key/value pairs), or on an ArcSight server (in CEF format). Note that configuring external logging servers is not the responsibility of F5 Networks.
|Off||Do not log responses.|
|For Illegal Requests Only||Log responses for illegal requests.|
|For All Requests||Log responses for all requests. when the Storage Filter Request Type is set to All Requests. (Otherwise, logs only illegal requests.)|
When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications.
Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.
If you enable response logging in the logging profile, the system can log only responses that include the following content headers:
The system cannot log other responses.
If your network uses ArcSight logs, you can create a logging profile so that the log information is saved using the appropriate format. Application Security Manager stores all logs on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).
The basic format is:
CEF:Version|Device Vendor|Device Product|Device Version |Device Event Class ID|Name|Severity|Extension
|OR||Select this operator to log the data that meets one or more of the criteria.|
|AND||Select this operator to log the data that meets all of the criteria.|
The system logs application security data that meets the criteria specified in the storage filter.
The system displays application security data that meets the criteria specified in the logging profile.