AskF5 Knowledge Base
- Home
- Supported Products
- BIG-IP APM / VE
- Configuration Guide for BIG-IP Access Policy Manager
- Logging and Reporting
Applies To:
Show Versions
Manual Chapter: Logging and Reporting
Viewing and maintaining log messages is an important part of maintaining the Access Policy Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the system, while other events are specific to the Access Policy Manager, such as stopping and starting Access Policy Manager system services.
The Access Policy Manager uses syslog-ng to log events. The syslog-ng utility is an enhanced version of the standard logging utility syslog.
| Access Policy events Access Policy event messages include logs pertinent to access policy, sso, network access, and web applications. To view access policy events, on the navigation pane, expand System, and click Logs |
| Audit Logging Audit event messages are those that the Access Policy Manager system logs as a result of changes made to its configuration. |
For more information on other log events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager, on the Ask F5SM web site, https://support.f5.com.
The logging mechanism on an Access Policy Manager system includes several features designed to keep you informed of system events in the most effective way possible.
One of the primary features of logging is its ability to log different types of events, ranging from system events to access control events. Through the Access Policy Manager system auditing feature, you can even track and report changes that administrator makes to the BIG-IP® system configuration, such as adding a virtual server or changing an access policy. For more information, see Understanding log content, and Understanding log types.
When setting up logging on the Access Policy Manager, you can customize the logs by designating the minimum severity level, or log level, that you want the system to report when a type of event occurs. The minimum log level indicates the minimum severity level at which the system logs that type of event.
You can also use the Configuration utility to search for a string within a log event, that is, you can filter the display of the log messages according to the string you provide. For more information, see Setting log levels.
Tip: You can also configure the system to send email or to activate pager notification based on the priority of the logged event.
Note: Files are rotated daily if their size exceeds 10MB. Additionally, weekly rotations are enforced if the rotated log file is a week old, regardless whether or not the file exceed the 10MB threshold.
The logs that the system generates include several types of information. For example, all logs show a timestamp, host name, and service for each event. Some logs show a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs can contain up to two-line descriptions of each event.
Table 11-1, following, displays the categories of information contained in the logs, and the specific logs in which the information is displayed
| The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest. | ||
| The status code associated with the event. Note that only events logged by BIG-IP system components, and not operating system services, have status codes. | ||
| Provides the description of the event so that it can be applicable to both Audit and Access policy logging. | Audit Access Policy |
Note: For standalone clients, once a user has logged out and then logged back in, the sessions ID will be displayed as invalid and will remain as such in the Notice logs. The user is then assigned a new session ID. This is expected behavior of the system.
| Access policy: Includes messages created during access policy validation, sso, network access, and web applications. |
| Audit: Includes configuration changes. |
Each type of event is stored in a log file, and the information stored in each log file varies depending on the event type.
| Access policy events. Messages are logged in the var/log/apm file. |
| Audit events. Messages are logged in the var/log/audit file. |
Many events that occur on Access Policy Manager are operating system-related events, and do not specifically apply to the Access Policy Manager. The Access Policy Manager logs the messages for these events in the file /var/log/messages.
Using the Configuration utility, you can display these system messages. On the navigation pane, expand System, click Logs, and choose System. Table 17.2 shows some sample system log entries.
Table 17.2 Sample system log entries
Audit logging is an optional feature that logs messages whenever there are changes made by the system. Such changes include the following items:
The Access Policy Manager logs the messages for these auditing events in the /var/log/audit file.
Using the Configuration utility, you can display audit log messages. Table 17.3 shows some sample audit log entries. In this example, the first entry shows that user Janet enabled the audit logging feature, while the second and third entries show that user Matt designated the BIG-IP system to be a redundant system with a unit ID of 1.
| DB_VARIABLE modified: name="config.auditing" | |||
By default, audit logging is disabled. For information on enabling this feature, see Setting log levels, following.
Using the Configuration utility, you can set log levels on auditing events and other types of events. The minimum log level indicates the minimum severity level at which the system logs that type of event. For more information, see To set a minimum log level for local traffic events, following.
For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of the Access Policy Manager system configurations, or system-initiated configuration changes. For more information, see Setting log levels for auditing events.
| 1. |
| 2. | On the menu bar, click Options. The Logs screen changes to display the various logging options available. |
| 3. | Depending on the type of log messages you want to control, select either Access Policy Logging or Audit Logging. |
The log levels that you can set on certain types of events, are sequenced from highest severity to lowest severity, like this:
| 1. |
| 2. |
| 4. | Click Update. |
| 1. |
| 2. | On the menu bar, click Access Policy. This displays log levels specific to access policy manager modules. |
| 3. | If you want to advance to another screen of messages, first locate the page list at the lower-right corner of the screen. You can either: |
| 1. |
| 2. | On the menu bar, click Access Policy. |
| 3. | In the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character. |
| 4. | Click Search. The screen refreshes and displays only those messages containing the string you specified. |
An optional type of logging that you can enable is audit logging. Audit logging provides options to control audit logging at the MCP level and at the BIGIP level. This logs audit messages for administrators who perform operations at the user interface level and also through command line interface.
For detailed information about auditing events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager, on the Ask F5SM web site, https://support.f5.com.
You can choose one of four log levels for audit logging. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.
| Disable This turns audit logging off. This is the default value. |
| Enable This causes the system to log messages for user-initiated configuration changes only. |
| Verbose This causes the system to log messages for user-initiated configuration changes and any loading of configuration data. |
| Debug This causes the system to log messages for all user-initiated and system-initiated configuration changes. |
| 1. |
| 2. | On the menu bar, click Options. This displays the screen for setting minimum log levels on local traffic events. |
| 3. | In the Audit Logging area near the bottom of the screen, select a log level from the Audit list, which includes MCP and bigpipe. |
| 4. | Click Update. |
You can find additional information about logging in Logging BIG-IP Systems Events of the BIG-IP® Configuration Guide for Local Traffic Manager, on the Ask F5SM web site, https://support.f5.com.
You can review reports about the sessions created on the system. With Access Policy Manager, you can view either Current Sessions or All Sessions. Under Current Sessions, you can configure your settings to display according to your sessions Table 17.4 displays the information type of the report and its descriptions.
You can display all current active sessions that are running on the system. Additionally, you can set options to update session information every few seconds, and refresh the session table at any given time.
| 1. |
| 2. | On the menu bar, click Current Sessions. |
| 3. | From the Auto Refresh list, select the time interval (in seconds) to refresh the session table. It is disabled by default. |
| 4. | To manually refresh the table, click Refresh Session Table. |
| 1. |
| 2. | On the menu bar, click Current Sessions. |
| 4. | Click Expand Tree to view all session variables at once. The following information is displayed for all sessions: |
You can terminate selected user sessions that are running on the system for troubleshooting and security purposes. For example, you may find that you need to perform certain troubleshooting tasks on one or multiple user sessions. Or, you notice that there are security issues and need to terminate user sessions immediately for further investigation. Access Policy Manager provides you with the ability to terminate user sessions immediately.
| 1. | On the navigation pane, expand Access Policy, and click Reports. This navigates to the current session page. |
| 2. | Select one or more user sessions, and click Kill Selected Sessions. The active sessions no longer appear in the active session list. |
You can display detailed information for all active and previously terminated sessions running on the system. Each session contains a session ID that you can click to navigate to a screen which provides more detailed information for each session.
| 1. |
| 2. | On the menu bar, click All Sessions. A more detailed screen opens for all sessions running on the system. |
| 3. |
In addition to viewing the reports through the navigation pane, you can also use the command line interface and script, called adminreport.pl to view additional reports, such as acllogs, logonlogs, acllogsforsession, and saforsession.
| 1. |
| 2. | Depending on the type of logs you want to view, type the following in the command line: adminreports.pl -aclogs adminreports.pl -logonlogs adminreports.pl -aclogsforsession session_id adminreports.pl -saforsession session_id adminreports.pl -count adminreports.pl -start <index> adminreports.pl -end <index> |
| -aclogsforsession session_id | |
| This returns entries starting from the given <index>. The default is the first entry <index is 1>/ | |
You can use the Access Policy Manager to view statistics for both Access Profile and Secure Connectivity. You can view the stats for any given access profile or for all access profiles (cumulative).
The following table display the type of statistics supported by Access Policy Manager. The table also includes information on whether statistic objects are accessible by command line or by SNMP.
| Total number of active sessions (Pending+Validated, Validated alone) | ||||
Access policy result statistics are based on the results of access policy validation, and timeout/error conditions.
| Total number of user sessions terminated due to other reasons (Cache Cleaner, etc) |
Agent type statistics are based on the APD agent types such as anti-virus check, file check, registry check, windows info, client certificate check, and RADIUS/LDAP/AD/RSA authentication checks.
| EPSWindowsbrowsercachecleaner | ||||
| EPSWindowscmachinecertcheck | ||||
| The total user sessions going through access policy evaluation in the system | ||||
| The total user sessions that have completed access policy evaluation in the system | ||||
| The total aggregated sessions terminated due to timeout or error (any kind). | ||||
| The total packets transmitted by the network tunnel in the system | ||||
| The total sessions timed out in the access policy evaluation phase and network access connection phase in the system. | ||||
| The total sessions that resulted in redirect ending with sessions in the system |
PPP global statistics provide cumulative statistics for all the PPP connections, such as the total number of PPP connections created, or number of bytes received/transmitted.
Session statistics provide session level information for all active sessions in the system. The information includes things like display session ID, client IP, start/expiration time, byte/packet count, logon details, and session status.
You can monitor overall system performance and Access Policy Manager session information. The BIG-IP® system provides a dashboard that displays system statistics graphically, showing gauges and graphs, and you can view the same statistics in a table view. You can also view user session information specific to Access Policy Manager.
You can display the BIG-IP® system main dashboard from the navigation pane. Expand Overview, and click Dashboard tab. For more information on how to monitor overall system performance for the BIG-IP® system, refer to Getting Started Guide: BIG-IP®systems.
The dashboard also includes online help for information about how to interpret statistics on each of the panels that appear on the screens. Click the question mark (?) in the upper right corner of any window to display the online help.
In addition to the BIG-IP® system main dashboard, you can use the Access Policy Manager dashboard to view specific Access Policy Manager users session-based statistics, as well as throughput data.
With the Access Policy Manager dashboard, you can view the following information in four distinct panels:
Tip: By clicking the grid icon 
in the upper left corner of each window, you can display the same information in a table format.
in the upper left corner of each window, you can display the same information in a table format.The top left panel of the Access Policy Manager dashboard displays the total and established connections for all current active and new sessions. This panel is called Access Sessions.
| Active Sessions: Displays the number of active sessions. |
| New Sessions: Displays the number of new sessions |
You can view them in either real-time, or historical time ranges. You may want to view active sessions at various times of the day to determine the peak and select the best time to perform system maintenance, for example. If you notice that the total number of sessions peaked while the total number of established sessions remain low, this may be an indication that a possible malicious attack is occurring in your network environment.
The bottom left panel of the Access Policy Dashboard displays cache effectiveness by comparing the three available metrics. This panel is called Web Applications. There are currently no tabs available for this panel, but the metrics include:
| Client Requests: Displays the total cache requests from the client. |
| Request Served from RamCache: Displays the total number of cache hits. |
| Requests Missed from RamCache: Displays the total number of cache misses. |
Hits and misses are derived by substracting the server responses from the client responses. A server response indicates that the requested information was not in cache.
The right top panel of the Access Policy dashboard displays throughput data for the amount of traffic through the network access tunnels, as well as displays open and new connections. This panel is called Network Access.
You can view throughput numbers to and from the client, as well as the overall throughput for network access traffic.
Use this panel to determine how much traffic is going through the tunnels, and how many people are generating that traffic. For example, if there are two tunnels, and those particular users are generating gigabytes of traffic, you may want to further investigate the activities on those tunnels.
This panel is also useful as a good indicator for peaked traffic to determine the best time to perform system maintenance
| Throughput: Displays the amount of throughput for data transfers through the network access tunnels. |
| Open Connections: Displays the number of open connections through the network access tunnels. |
| New Connections: Displays the number of new connections through the network access tunnels. |
| Compression: Displays the compression level through the network access tunnel. The Compression tab provides a gauge as well as a chart. |
ACL Actions: Displays the action that the access control list takes when an access control entry is encountered.
Search AskF5
- Supported Products
- BIG-IP LTM / VE
- BIG-IP AFM / VE
- BIG-IP Analytics / VE
- BIG-IP APM / VE
- BIG-IP ASM / VE
- BIG-IP Edge Gateway / VE
- BIG-IP GTM / VE
- BIG-IP Link Controller
- BIG-IP PEM / VE
- BIG-IP PSM / VE
- BIG-IP WebAccelerator / VE
- BIG-IP WOM / VE
- ARX / VE
- ARX Cloud Extender
- Data Manager
- Enterprise Manager / VE
- F5 Monitoring Pack
- FirePass / VE
- BIG-IQ Cloud
- BIG-IQ Security
- BIG-IP Edge Apps
- End-of-Life Products
- Recent Additions
- About AskF5
