F5 Networks BIG-IP Local Traffic Manager

The BIG-IP Local Traffic Manager (LTM) by F5 Networks allows you to control and track user activity on applications and devices in your network. You can configure BIG-IP LTM as an IDS event source in InsightIDR in order to parse IDS and ingress authentication events.

You can read more about BIG-IP LTM on this F5 Networks product page:

Before You Begin

Verify that you have administrator privileges on your BIG-IP platform. This event source requires some initial configuration in BIG-IP to ensure that LTM logs are sent to the right place.

Configure F5 BIG IP

In order for InsightIDR to ingest the logs as an IDS event source, you must configure BIG-IP to send its logs to a remote syslog server. You can read about how to complete this process in detail in this F5 support article: https://support.f5.com/csp/article/K13080

To configure syslog forwarding in BIG-IP:

  1. Sign in to your F5 BIG-IP interface.
  2. On the left menu, expand the System page near the bottom of the list and select Logs.
  3. Expand the Configuration dropdown menu on the right side of the page and click Remote Logging.
  4. In the “Remote IP” field, enter the IP address for your Collector and the unique port you want to use.
  5. Enter the unique port you want to use for the syslog server.
  6. Click Add. The IP address and port will appear in the “Remote Syslog Server List” field below.
  7. Click Update to confirm the changes.

Configure F5 Networks in InsightIDR

With your BIG-IP environment properly configured to send its logs, you can now add the F5 Local Traffic Manager IDS event source in InsightIDR.

To add a new F5 Local Traffic Manager event source:

  1. From your dashboard in InsightIDR, click the Data Collection tab from the left menu.
  2. On the “Data Collection Management” page, expand the Setup Event Source dropdown and click Add Event Source.
  3. From the “Security Data” section, click the IDS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select a data collection method and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  8. Click Save when finished.