Configuring F5 BIG-IP Telemetry
You can send F5 BIG-IP telemetry data to a sensor using API calls:
- Install an API client.
- Install the AS3 and telemetry packages.
- Create a telemetry entry.
- Authorize the telemetry.
- Configure the sensor to receive the telemetry.
- Subscribe the Sensor to the Telemetry Service.
You can also configure an F5 BIG-IP connector.
Install an API Client
You must use an API client to send the calls to the F5 BIG-IP firewall. We used Postman for this procedure, but other clients should also work.
Install the AS3 and Telemetry Packages
To install the AS3 and telemetry packages in your BIG-IP firewall:
- 
                                                    Download the AS3 script file from the F5 GitHub repository: https://github.com/F5Networks/f5-appsvcs-extension/releases/tag/v3.27.0 . 
- 
                                                    Download the telemetry script file from the F5 GitHub repository: https://github.com/F5Networks/f5-telemetry-streaming/releases . 
- 
                                                    Log in to your BIG-IP firewall. 
- 
                                                    Select iApps. 
- 
                                                    Select Package Management LX. 
- 
                                                    Select Import. 
- 
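                                                    Import the two scripts that you downloaded earlier. Before importing, verify each file against the SHA-256 checksum published with it on the release page. 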
Creating a Telemetry Entry
To create a telemetry entry in your BIG-IP firewall:
- 
                                                    Log in to Postman. 
- 
                                                    Make a POST to https://<IP address of firewall>:<port>/mgmt/shared/appsvcs/declare. 
- 
                                                    Enter this for the body:
{
 "class": "ADC",
 "schemaVersion": "3.10.0",
 "remark": "Example depicting creation of BIG-IP module log profiles",
 "Common": {
 "class": "Tenant",
 "Shared": {
 "class": "Application",
 "template": "shared",
 "telemetry_local_rule": {
 "remark": "Only required when TS is a local listener",
 "class": "iRule",
 "iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"
 },
 "telemetry_local": {
 "remark": "Only required when TS is a local listener",
 "class": "Service_TCP",
 "virtualAddresses": [
 "255.255.255.254"
 ],
 "virtualPort": 6514,
 "iRules": [
 "telemetry_local_rule"
 ]
 },
 "telemetry": {
 "class": "Pool",
 "members": [
 {
 "enable": true,
 "serverAddresses": [
 "255.255.255.254"
 ],
 "servicePort": 6514
 }
 ],
 "monitors": [
 {
 "bigip": "/Common/tcp"
 }
 ]
 },
 "telemetry_hsl": {
 "class": "Log_Destination",
 "type": "remote-high-speed-log",
 "protocol": "tcp",
 "pool": {
 "use": "telemetry"
 }
 },
 "telemetry_formatted": {
 "class": "Log_Destination",
 "type": "splunk",
 "forwardTo": {
 "use": "telemetry_hsl"
 }
 },
 "telemetry_publisher": {
 "class": "Log_Publisher",
 "destinations": [
 {
 "use": "telemetry_formatted"
 }
 ]
 },
 "telemetry_traffic_log_profile": {
 "class": "Traffic_Log_Profile",
 "requestSettings": {
 "requestEnabled": true,
 "requestProtocol": "mds-tcp",
 "requestPool": {
 "use": "telemetry"
 },
 "requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\""
 }
 },
 "telemetry_afm_security_log_profile": {
 "class": "Security_Log_Profile",
 "application": {
 "localStorage": false,
 "remoteStorage": "splunk",
 "protocol": "tcp",
 "servers": [
 {
 "address": "255.255.255.254",
 "port": "6514"
 }
 ],
 "storageFilter": {
 "requestType": "illegal-including-staged-signatures"
 }
 },
 "network": {
 "publisher": {
 "use": "telemetry_publisher"
 },
 "logRuleMatchAccepts": false,
 "logRuleMatchRejects": true,
 "logRuleMatchDrops": true,
 "logIpErrors": true,
 "logTcpErrors": true,
 "logTcpEvents": true
 }
 },
 "telemetry_asm_security_log_profile": {
 "class": "Security_Log_Profile",
 "application": {
 "localStorage": false,
 "remoteStorage": "splunk",
 "servers": [
 {
 "address": "255.255.255.254",
 "port": "6514"
 }
 ],
 "storageFilter": {
 "requestType": "all"
 }
 }
 }
 }
 }
 }
- 
                                                    Select Send. 
Authorize Telemetry
To authorize the BIG-IP firewall to send telemetry:
- 
                                                    Log in to your BIG-IP firewall as the admin user. 
- 
                                                    Select Collections. 
- 
                                                    Select Big IP to expand the list of requests. 
- 
                                                    Select the request you just sent. 
- 
                                                    Select Send. 
Configure the Modular Sensor to Receive Telemetry
To configure the Modular Sensor to receive telemetry:
- 
                                                    Log in to Stellar Cyber and then navigate to System | DATA SOURCE MANAGEMENT | Sensors | Sensor Profiles. 
- 
                                                    Select the edit icon for the Modular Sensor that you want to receive telemetry. The Edit Sensor Profile screen appears. 
- 
                                                    Expand Log Forwarder to view the options. 
- 
                                                    Enable HTTP JSON Parser. 
- 
                                                    Select Submit. 
Subscribe the Sensor to the Telemetry Service
To subscribe the sensor IP address to the telemetry service:
- 
                                                    Log in to Postman. 
- 
                                                    Make a POST to https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declare.
- 
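                                                    Enter this for the body (using the IP address of your sensor). Because the consumer is declared with "protocol": "http", the telemetry is sent to the sensor unencrypted, so keep the firewall-to-sensor path on a trusted network segment:
{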
 "class": "Telemetry",
 "My_System": {
 "class": "Telemetry_System",
 "systemPoller": {
 "interval": 60
 }
 },
 "My_Listener": {
 "class": "Telemetry_Listener",
 "port": 6514
 },
 "My_Consumer": {
 "class": "Telemetry_Consumer",
 "type": "Generic_HTTP",
 "host": "<IP address of sensor>",
 "protocol": "http",
 "port": 5200,
 "path": "/httpjson",
 "method": "POST",
 "headers": [
 {
 "name": "content-type",
 "value": "application/json"
 }
 ]
 }
 }
- 
                                                    Make a GET to https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declare to confirm that the data is saved in the firewall.
- 
                                                    You should see a result similar to the following:
{
 "message": "success",
 "declaration": {
 "class": "Telemetry",
 "My_System": {
 "class": "Telemetry_System",
 "systemPoller": {
 "interval": 60,
 "enable": true,
 "actions": [
 {
 "setTag": {
 "tenant": "`T`",
 "application": "`A`"
 },
 "enable": true
 }
 ]
 },
 "enable": true,
 "host": "localhost",
 "port": 8100,
 "protocol": "http",
 "allowSelfSignedCert": false
 },
 "My_Listener": {
 "class": "Telemetry_Listener",
 "port": 6514,
 "enable": true,
 "trace": false,
 "match": "",
 "actions": [
 {
 "setTag": {
 "tenant": "`T`",
 "application": "`A`"
 },
 "enable": true
 }
 ]
 },
 "My_Consumer": {
 "class": "Telemetry_Consumer",
 "type": "Generic_HTTP",
 "host": "192.168.200.10",
 "protocol": "http",
 "port": 5200,
 "path": "/httpjson",
 "method": "POST",
 "headers": [
 {
 "name": "content-type",
 "value": "application/json"
 }
 ],
 "enable": true,
 "trace": false,
 "allowSelfSignedCert": false
 },
 "My_Consumer2": {
 "class": "Telemetry_Consumer",
 "type": "Generic_HTTP",
 "host": "192.168.1.192",
 "protocol": "http",
 "port": 5200,
 "path": "/httpjson",
 "method": "POST",
 "headers": [
 {
 "name": "content-type",
 "value": "application/json"
 }
 ],
 "enable": true,
 "trace": false,
 "allowSelfSignedCert": false
 },
 "schemaVersion": "1.17.0"
 }
 }
- 
                                                    To delete telemetry, issue a POST to https://<IP address of firewall>:<Port>/mgmt/shared/telemetry/declare with this body: { "class": "Telemetry" } 

