Configuring F5 BIG-IP Telemetry
You can send F5 BIG-IP telemetry data to a sensor using API calls:
- Install an API client.
- Install the AS3 and telemetry packages.
- Create a telemetry entry.
- Authorize the telemetry.
- Configure the sensor to receive the telemetry.
- Subscribe the Sensor to the Telemetry Service.
You can also configure an F5 BIG-IP connector.
Install an API Client
You must use an API client to send the calls to the F5 BIG-IP firewall. We used Postman for this procedure, but other clients should also work.
Install the AS3 and Telemetry Packages
To install the AS3 and telemetry packages in your BIG-IP firewall:
-
Download the AS3 script file from the F5 GitHub repository: https://github.com/F5Networks/f5-appsvcs-extension/releases/tag/v3.27.0 .
-
Download the telemetry script file from the F5 GitHub repository: https://github.com/F5Networks/f5-telemetry-streaming/releases .
-
Log in to your BIG-IP firewall.
-
Select iApps.
-
Select Package Management LX.
-
Select Import.
-
Import the two scripts that you downloaded earlier.
Creating a Telemetry Entry
To create a telemetry entry in your BIG-IP firewall:
-
Log in to Postman.
-
Make a POST to https://<IP address of firewall>:<port>/mgmt/shared/appsvcs/declare.
-
Enter this for the body:
Copy{
"class": "ADC",
"schemaVersion": "3.10.0",
"remark": "Example depicting creation of BIG-IP module log profiles",
"Common": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"telemetry_local_rule": {
"remark": "Only required when TS is a local listener",
"class": "iRule",
"iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"
},
"telemetry_local": {
"remark": "Only required when TS is a local listener",
"class": "Service_TCP",
"virtualAddresses": [
"255.255.255.254"
],
"virtualPort": 6514,
"iRules": [
"telemetry_local_rule"
]
},
"telemetry": {
"class": "Pool",
"members": [
{
"enable": true,
"serverAddresses": [
"255.255.255.254"
],
"servicePort": 6514
}
],
"monitors": [
{
"bigip": "/Common/tcp"
}
]
},
"telemetry_hsl": {
"class": "Log_Destination",
"type": "remote-high-speed-log",
"protocol": "tcp",
"pool": {
"use": "telemetry"
}
},
"telemetry_formatted": {
"class": "Log_Destination",
"type": "splunk",
"forwardTo": {
"use": "telemetry_hsl"
}
},
"telemetry_publisher": {
"class": "Log_Publisher",
"destinations": [
{
"use": "telemetry_formatted"
}
]
},
"telemetry_traffic_log_profile": {
"class": "Traffic_Log_Profile",
"requestSettings": {
"requestEnabled": true,
"requestProtocol": "mds-tcp",
"requestPool": {
"use": "telemetry"
},
"requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\"
}
},
"telemetry_afm_security_log_profile": {
"class": "Security_Log_Profile",
"application": {
"localStorage": false,
"remoteStorage": "splunk",
"protocol": "tcp",
"servers": [
{
"address": "255.255.255.254",
"port": "6514"
}
],
"storageFilter": {
"requestType": "illegal-including-staged-signatures"
}
},
"network": {
"publisher": {
"use": "telemetry_publisher"
},
"logRuleMatchAccepts": false,
"logRuleMatchRejects": true,
"logRuleMatchDrops": true,
"logIpErrors": true,
"logTcpErrors": true,
"logTcpEvents": true
}
},
"telemetry_asm_security_log_profile": {
"class": "Security_Log_Profile",
"application": {
"localStorage": false,
"remoteStorage": "splunk",
"servers": [
{
"address": "255.255.255.254",
"port": "6514"
}
],
"storageFilter": {
"requestType": "all"
}
}
}
}
}
} -
Select Send.
Authorize Telemetry
To authorize the BIG-IP firewall to send telemetry:
-
Log in to your BIG-IP firewall as the admin user.
-
Select Collections.
-
Select Big IP to expand the list of requests.
-
Select the request you just sent.
-
Select Send.
Configure the Modular Sensor to Receive Telemetry
To configure the Modular Sensor to receive telemetry:
-
Log in to Stellar Cyber and then navigate to System | DATA SOURCE MANAGEMENT | Sensors | Sensor Profiles.
-
Select for the Modular Sensor that you want to receive telemetry.
The Edit Sensor Profile screen appears.
-
Expand Log Forwarder to view the options.
-
Enable HTTP JSON Parser.
-
Select Submit.
Subscribe the Sensor to the Telemetry Service
To subscribe the sensor IP address to the telemetry service:
-
Log in to Postman.
-
Make a POST to
https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declare. -
Enter this for the body (using the IP address of your sensor):
Copy{
"class": "Telemetry",
"My_System": {
"class": "Telemetry_System",
"systemPoller": {
"interval": 60
}
},
"My_Listener": {
"class": "Telemetry_Listener",
"port": 6514
},
"My_Consumer": {
"class": "Telemetry_Consumer",
"type": "Generic_HTTP",
"host": "<IP address of sensor>",
"protocol": "http",
"port": 5200,
"path": "/httpjson",
"method": "POST",
"headers": [
{
"name": "content-type",
"value": "application/json"
}
]
}
} -
Make a GET to
https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declareto confirm that the data is saved in the firewall. -
You should see a result similar to the following:
Copy
"message": "success",
"declaration": {
"class": "Telemetry",
"My_System": {
"class": "Telemetry_System",
"systemPoller": {
"interval": 60,
"enable": true,
"actions": [
{
"setTag": {
"tenant": "`T`",
"application": "`A`"
},
"enable": true
}
]
},
"enable": true,
"host": "localhost",
"port": 8100,
"protocol": "http",
"allowSelfSignedCert": false
},
"My_Listener": {
"class": "Telemetry_Listener",
"port": 6514,
"enable": true,
"trace": false,
"match": "",
"actions": [
{
"setTag": {
"tenant": "`T`",
"application": "`A`"
},
"enable": true
}
]
},
"My_Consumer": {
"class": "Telemetry_Consumer",
"type": "Generic_HTTP",
"host": "192.168.200.10",
"protocol": "http",
"port": 5200,
"path": "/httpjson",
"method": "POST",
"headers": [
{
"name": "content-type",
"value": "application/json"
}
],
"enable": true,
"trace": false,
"allowSelfSignedCert": false
},
"My_Consumer2": {
"class": "Telemetry_Consumer",
"type": "Generic_HTTP",
"host": "192.168.1.192",
"protocol": "http",
"port": 5200,
"path": "/httpjson",
"method": "POST",
"headers": [
{
"name": "content-type",
"value": "application/json"
}
],
"enable": true,
"trace": false,
"allowSelfSignedCert": false
},
"schemaVersion": "1.17.0"
}
} -
To delete telemetry, issue this POST to
https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declare:body
{
"class": "Telemetry"
}
