Behavioral DDOS Grafana Dashboard using BIG-IP API's

The F5 L7 Behavioral DDoS feature provides APIs to monitor and debug the detection and mitigation process in real time. As an example of how to use the API, we developed a Grafana plugin that uses it to show real-time data on DoS attacks.


How to install the Dashboard on Grafana:

  1. Install Grafana 4.1
  2. Install the following panels:

  3. Install admdb plugin

    • copy data\plugins\grafana-admdb-datasource
    • copy public\dashboards*.json
    • enable dashboards
  4. Configure the dashboard (see example defaults.ini attached)

    • edit conf/defaults.ini
    • modify these lines:

        [dashboards.json]
        enabled = true
        path = public/dashboards
  5. Enable admdb on BIG-IP: tmsh modify sys db adm.cloud.host value local

  6. Add data source to Grafana using web interface as in the following screenshot:

[Screenshot]

Versions

00.01.00

Released 00.01.00 on 15-03-2017

Comments on this Download
Comment made 28-Mar-2017 by Smuggla 0

This is so cool! We tried to implement this on our LTMs but get the following in Grafana using default Database

Error DataBase not found in DataSource

Update ****

We do not use ASM on our LTM... Is there a way to get other F5 metrics?

0
Comment made 5 months ago by TDannhausen 1

Is it possible to get the Data to an Elasticsearch Cluster? And then plug that to Grafana? Many Thanks in advance.

0
Comment made 1 month ago by George Vasiliu 0

Very interesting article, I was following your guide and I do have a few questions:

  1. Would this work on 12.1.3 ?
  2. "tmsh modify sys db admdb.debug.traffic.sample value enable" returns not found

Thank you

0
Comment made 1 month ago by g-ram 121

Looks like we have hit a wall & grafana datasource configuration & do a "save and test" we are getting "Datasource not responding" on grafana - Any help is appreciated..

Update - we got past that error - but grafana is not populating the virtual servers. Not sure where to look further

0
Comment made 1 month ago by g-ram 121

more updates - reverse engineered grafana datasource.js file & sent a REST call to F5 management interface to get the response on SOAP UI - passed in the correct headers & json request - Got an [] back for /mgmt/tm/util/admdb "utilCmdArgs": "list-metrics /shared/admdb/default/vs -

{ "kind": "tm:util:admdb:runstate", "command": "run", "utilCmdArgs": "list-metrics /shared/admdb/default/vs *", "commandResult": "[]\n" }

but if I use other API's for listing the virtual servers & stuff - i am able to get back expected results.

0
Comment made 1 month ago by FrostBurn 0

@g-ram how did you go past the DataBase not found in DataSource error? I'm using default as Db value.

0
Comment made 1 month ago by g-ram 121

@FrostBurn - I have inserted the config screenshot for your reference - On the URL it should be https://mgmt-ip-of-f5

[Screenshot]

0
Comment made 4 weeks ago by FrostBurn 0

Thanks for screenshot! Everything looks good, still have the same error though :(

DataBase not found in DataSource

I think I'm missing something, not quite sure what it could be on the F5 side.

0
Comment made 4 weeks ago by TDannhausen 1

FrostBurn, is your Grafana on the same subnet as the management IP of the BigIP? I had the same issue when it wasn't on the same subnet. If it's not on the same subnet, do you have a chance to test if it is working when it is on the same subnet?

0
Comment made 4 weeks ago by g-ram 121

Thanks TDannhausen - We have Grafana & F5 internal mgmt self IP on the same subnet -

0
Comment made 4 weeks ago by FrostBurn 0

One of our F5's is on the same subnet as the grafana server (virtual instance). But it gives the same message: DataBase not found in DataSource. Do I need to install something on the F5 itself? (I'm not a network or F5 tech)

0
Comment made 4 weeks ago by TDannhausen 1

I think the version of the F5 has to be at least v13. And you have to enable ADMDB on the F5 via CLI with: tmsh modify sys db adm.cloud.host value local. Also, you need to have assigned a BaDOS Profile to Virtual Server. Have you checked via CLI if the folder /shared/admdb/default exists and if there is content in there?

0
Comment made 3 weeks ago by g-ram 121

Thanks @TDannhausen - We are @ version 13.1 & enabled ADMDB using the command. We have assigned a BaDOS profile to a virtual as well. /shared/admdb/default exists

here's a sample pcap for a positive response from F5 for the REST call & negative response

-- Negative response --
request
POST /mgmt/tm/util/admdb HTTP/1.1
Host: localhost:8100
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Authorization: Basic XXXXXXXXXXXXXXXXXX
Content-Type: application/json
Dnt: 1
Origin: http://xxxxxxxxxxx:3000
Referer: http://xxxxxxxxxxxxx:3000/d/TGx8wp-ik/events?refresh=10s&orgId=1
X-Forwarded-For: 10.10.xx.xx, 10.10.xx.xx, 10.161.xx.xx
X-Grafana-Org-Id: 1
Local-Ip-From-Httpd: 127.0.0.1
X-F5-New-Authtok-Reqd: false
REMOTEROLE: 0
REMOTECONSOLE: /bin/bash
Tmui-Dubbuf: zLdd+6d+y0/sgnyPm9r0fznZ
X-Forwarded-Proto: http
X-Forwarded-Host: 10.161.1.51
X-Forwarded-Server: localhost.localdomain
Connection: Keep-Alive
Content-Length: 103

response
{"command":"run","utilCmdArgs":"view-element \"/shared/admdb/default/vs//sig/8000/1542067200000.csv\""}
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
Content-Length: 186
Content-Type: application/json
Connection: keep-alive
Allow:
REMOTEROLE: 0
Local-Ip-From-Httpd: 127.0.0.1
X-Grafana-Org-Id: 1
X-Forwarded-Server: localhost.localdomain
X-Forwarded-Proto: http
Origin: http://xxxxxxxxxxxxxxx:3000
X-Forwarded-Host: 10.161.xx.xx
Accept-Language: en-US,en;q=0.9
Dnt: 1
Accept-Encoding: gzip, deflate
X-F5-New-Authtok-Reqd: false
REMOTECONSOLE: /bin/bash
Date: 13 Nov 2018 18:24:27 UTC
Server: com.f5.rest.common.RestRequestSender

{"kind":"tm:util:admdb:runstate","command":"run","utilCmdArgs":"view-element \"/shared/admdb/default/vs//sig/8000/1542067200000.csv\"","commandResult":"cat: No such file or directory\n"}

Here's the positive response -
Request
POST /mgmt/tm/util/admdb HTTP/1.1
Host: localhost:8100
User-Agent: Mozilla/5.0
Accept: application/json, text/plain, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Authorization: Basic XXXXXXXXXXXXX
Content-Type: application/json
Dnt: 1
Origin: http://xxxxxxxxx:3000
Referer: http://xxxxxxxxxxx:3000/d/CWb8wtamz/tls-signatures
X-Forwarded-For: 10.10.xx.xx, 10.10.xx.xx, 10.161.xx.xx
X-Grafana-Org-Id: 1
Local-Ip-From-Httpd: 127.0.0.1
X-F5-New-Authtok-Reqd: false
REMOTEROLE: 0
REMOTECONSOLE: /bin/bash
Tmui-Dubbuf: zLdd+6d+y0/sgnyPm9r0fznZ
X-Forwarded-Proto: http
X-Forwarded-Host: 10.161.1.51
X-Forwarded-Server: localhost.localdomain
Connection: Keep-Alive
Content-Length: 75

{"command":"run","utilCmdArgs":"list-element \"/shared/admdb/default/vs\""}

response
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
Content-Length: 398
Content-Type: application/json
Connection: keep-alive
Allow:
REMOTEROLE: 0
Local-Ip-From-Httpd: 127.0.0.1
X-Grafana-Org-Id: 1
X-Forwarded-Server: localhost.localdomain
X-Forwarded-Proto: http
Origin: http://xxxxxxxx:3000
X-Forwarded-Host: 10.161.xx.xx
Accept-Language: en-US,en;q=0.9
Dnt: 1
Accept-Encoding: gzip, deflate
X-F5-New-Authtok-Reqd: false
REMOTECONSOLE: /bin/bash
Date: 13 Nov 2018 18:25:00 UTC
Server: com.f5.rest.common.RestRequestSender

{"kind":"tm:util:admdb:runstate","command":"run","utilCmdArgs":"list-element \"/shared/admdb/default/vs\"","commandResult":"info.status,\ndosl7d_stat.susp_ent_overall,\ndosl7d_stat.collapsed_susp_ent_current_attack,\ndosl7d_stat.collapsed_susp_ent_overall,\ndosl7d_stat.susp_ent_current_attack,\nsig.health,\nvs,\ndosl7d_mitigation_info.all,\ndosl7d_max_ent_tps.all,\ndosl7d_auto_thresh_tps.all\n"}

0
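The three admdb response shapes reported in this thread ("[]", "cat: No such file or directory", and a comma-separated element list) can be told apart mechanically when debugging the data source. The following is an added example, not code from the plugin or from any commenter; the function names and status labels are assumptions, and the sample bodies are taken from the comments above with whitespace compacted and HTTP headers omitted.

```python
import json

ADMDB_ENDPOINT = "/mgmt/tm/util/admdb"  # endpoint shown in the captures in this thread

def build_request(subcommand, path):
    """JSON body in the compact form the captures show (quoted path argument)."""
    body = {"command": "run", "utilCmdArgs": f'{subcommand} "{path}"'}
    return json.dumps(body, separators=(",", ":"))

def classify(response_text):
    """Return (status, items) for a response body from the admdb endpoint.

    Status labels are this example's own, not F5 terminology.
    """
    try:
        doc = json.loads(response_text)
    except ValueError:
        return ("not-json", [])
    if not isinstance(doc, dict) or doc.get("kind") != "tm:util:admdb:runstate":
        return ("unexpected-kind", [])
    result = str(doc.get("commandResult", "")).strip()
    if result in ("", "[]"):
        return ("empty", [])            # the "[]" reported for list-metrics
    if "No such file or directory" in result:
        return ("missing-element", [])  # the view-element capture
    return ("ok", [i.strip() for i in result.split(",") if i.strip()])

# Response bodies as posted in the comments above.
EMPTY = r'{"kind":"tm:util:admdb:runstate","command":"run","utilCmdArgs":"list-metrics /shared/admdb/default/vs *","commandResult":"[]\n"}'
MISSING = r'{"kind":"tm:util:admdb:runstate","command":"run","utilCmdArgs":"view-element \"/shared/admdb/default/vs//sig/8000/1542067200000.csv\"","commandResult":"cat: No such file or directory\n"}'
LISTING = r'{"kind":"tm:util:admdb:runstate","command":"run","utilCmdArgs":"list-element \"/shared/admdb/default/vs\"","commandResult":"info.status,\ndosl7d_stat.susp_ent_overall,\ndosl7d_stat.collapsed_susp_ent_current_attack,\ndosl7d_stat.collapsed_susp_ent_overall,\ndosl7d_stat.susp_ent_current_attack,\nsig.health,\nvs,\ndosl7d_mitigation_info.all,\ndosl7d_max_ent_tps.all,\ndosl7d_auto_thresh_tps.all\n"}'

if __name__ == "__main__":
    for name, body in (("EMPTY", EMPTY), ("MISSING", MISSING), ("LISTING", LISTING)):
        status, items = classify(body)
        print(f"{name}: {status} ({len(items)} elements)")
```

The bodies produced by build_request have the same byte lengths as the Content-Length values in the two captured requests (75 and 103), which is a quick way to confirm a hand-built request matches what the data source sends.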