Archived Manual Chapter: Logging and Reporting
Manual Chapter
This article has been archived, and is no longer maintained.

Viewing and maintaining log messages is an important part of maintaining the Secure Access Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the system, while other events are specific to the Secure Access Manager, such as stopping and starting Secure Access Manager system services.
The Secure Access Manager uses syslog-ng to log events. The syslog-ng utility is an enhanced version of the standard logging utility syslog.
Access Control events
Access Control event messages pertain specifically to events such as client authentication, status of authentication, and access control lists. To view Access Control events, on the navigation pane, expand System, and click Logs.
Secure Connectivity events
Secure Connectivity event messages pertain specifically to events such as network access. To view Secure Connectivity events, on the navigation pane, expand System, and click Logs.
Audit Logging
Audit events messages are those that the Secure Access Manager system logs as a result of changes made to its configuration.
For more information on other log events, refer to the BIG-IP® Network and System Management Guide on the AskF5SM web site, https://support.F5.com.
The logging mechanism on a Secure Access Manager system includes several features designed to keep you informed of system events in the most effective way possible.
One of the primary features of logging is its ability to log different types of events, ranging from system events, to access control events, to Secure Connectivity events. Through the Secure Access Manager system auditing feature, you can even track and report changes that an administrator makes to the BIG-IP® system configuration, such as adding a virtual server or changing an access policy. For more information, see Understanding log content, and Understanding log types.
When setting up logging on the Secure Access Manager, you can customize the logs by designating the minimum severity level, or log level, that you want the system to report when a type of event occurs. The minimum log level indicates the minimum severity level at which the system logs that type of event.
You can also use the Configuration utility to search for a string within a log event, that is, you can filter the display of the log messages according to the string you provide. For more information, see Setting log levels.
Tip: You can also configure the system to send email or to activate pager notification based on the priority of the logged event.
The logs that the system generates include several types of information. For example, all logs except the audit log show a timestamp, host name, and service for each event. Some logs show a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs contain a one-line description of each event.
Table 11-1, following, displays the categories of information contained in the logs, and the specific logs in which the information is displayed.
Table 11-1 Information contained in the logs (log columns: System, Secure Connectivity, Access Control, Audit)
Host name: The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest.
Status code: The status code associated with the event. Note that only events logged by BIG-IP system components, and not operating system services, have status codes.
Note: For standalone clients, once a user has logged out and then logged back in, the session ID is displayed as invalid and remains so in the Notice logs. The user is then assigned a new session ID. This is expected behavior of the system.
The Secure Access Manager automatically logs three main event types: access control, secure connectivity, and configuration changes (audit). Each type of event is stored in a log file, and the information stored in each log file varies depending on the event type.
Access control and secure connectivity events. Messages are logged in the /var/log/firepass file.
Audit events. Messages are logged in the /var/log/audit file.
Many events that occur on Secure Access Manager are operating system-related events, and do not specifically apply to the Secure Access Manager. The Secure Access Manager logs the messages for these events in the file /var/log/messages.
Using the Configuration utility, you can display these system messages. On the navigation pane, expand System, click Logs, and choose System. Table 11.2 shows some sample system log entries.
Audit logging is an optional feature that logs messages whenever there are changes made by the system. Such changes include the following items:
Using the Configuration utility, you can display audit log messages. Table 11.3 shows some sample audit log entries. In this example, the first entry shows that user Janet enabled the audit logging feature, while the second and third entries show that user Matt designated the BIG-IP system to be a redundant system with a unit ID of 1.
Table 11.3 Sample audit log entries
Entry 1 (Janet): DB_VARIABLE modified: name="config.auditing"
Entry 2 (Matt): DB_VARIABLE modified: name="failover.isredundant" value="true"
Entry 3 (Matt): DB_VARIABLE modified: name="failover.unitid" value="1"
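As an added example (not F5's code and not part of the original chapter), the following Python parses audit entries of the DB_VARIABLE form shown in Table 11.3, groups them by user, and lists first the changes an administrator reviewing the log would check first: auditing being switched off, and failover changes. The line layout (timestamp, user, tx=ID, message), the user names, transaction IDs and values are constructed, since the page shows only the message fragments.

```python
import re
from collections import defaultdict

# Constructed sample audit entries modelled on the Table 11.3 fragments.
# The "timestamp user tx=ID message" layout and the values are assumptions;
# the page only states that audit entries carry a user name, a transaction ID
# and a one-line description of the change.
SAMPLE_AUDIT_LOG = """\
2008-03-10 09:12:01 janet tx=1001 DB_VARIABLE modified: name="config.auditing" value="enable"
2008-03-10 09:15:44 matt tx=1002 DB_VARIABLE modified: name="failover.isredundant" value="true"
2008-03-10 09:15:44 matt tx=1002 DB_VARIABLE modified: name="failover.unitid" value="1"
2008-03-10 09:20:00 matt tx=1003 DB_VARIABLE modified: name="ui.pagesize" value="50"
2008-03-10 17:40:09 matt tx=1017 DB_VARIABLE modified: name="config.auditing" value="disable"
"""

ENTRY_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<user>\S+) tx=(?P<tx>\d+) '
    r'DB_VARIABLE modified: name="(?P<name>[^"]+)"(?: value="(?P<value>[^"]*)")?$'
)

# Variables a log reviewer should always look at: turning auditing off blinds
# the audit log itself, and failover.* changes alter redundancy behaviour.
WATCHED_PREFIXES = ("config.auditing", "failover.")


def parse_audit_log(text):
    """Return one dict per DB_VARIABLE entry; lines of another form are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def changes_by_user(entries):
    """Map user name -> list of (variable name, new value), in log order."""
    out = defaultdict(list)
    for e in entries:
        out[e["user"]].append((e["name"], e["value"]))
    return dict(out)


def flag_sensitive(entries):
    """Return entries touching watched variables, with auditing disables first."""
    hits = [e for e in entries if e["name"].startswith(WATCHED_PREFIXES)]
    disabled_first = lambda e: not (e["name"] == "config.auditing" and e["value"] == "disable")
    return sorted(hits, key=disabled_first)


if __name__ == "__main__":
    for e in flag_sensitive(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f'{e["ts"]} {e["user"]} tx={e["tx"]} {e["name"]}={e["value"]}')
```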
Using the Configuration utility, you can set log levels on auditing events and other types of events. The minimum log level indicates the minimum severity level at which the system logs that type of event. For more information, see To set a minimum log level for local traffic events, following.
For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of the Secure Access Manager system configurations, or system-initiated configuration changes. For more information, see Setting log levels for auditing events.
1.
On the navigation pane, expand System, and click Logs.
The Logs screen opens.
2.
On the menu bar, click Options.
The Logs screen changes to display the various logging options available.
3.
Depending on the type of log messages you want to control, select either Access Control Logging or Secure Connectivity Logging.
The log levels that you can set on certain types of events, are sequenced from highest severity to lowest severity, like this:
1.
On the navigation pane, expand System, and click Logs.
The Logs screen opens.
2.
On the menu bar, click Access Control.
The screen for setting minimum log levels displays.
4.
Click Update.
1.
On the navigation pane, expand System, and click Logs.
The Logs screen opens.
2.
On the menu bar, click Access Control.
This displays log levels for both access control and secure connectivity log messages.
3.
If you want to advance to another screen of messages, first locate the page list at the lower-right corner of the screen. You can either:
1.
On the navigation pane, expand System, and click Logs.
The Logs screen opens.
2.
On the menu bar, click Access Control.
3.
In the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character.
4.
Click Search.
The screen refreshes and displays only those messages containing the string you specified.
An optional type of logging that you can enable is audit logging. Audit logging records messages that pertain to configuration changes that users or services make to the Secure Access Manager system configuration. (For more information, see Auditing configuration changes.)
You can choose one of four log levels for audit logging. In this case, the log levels do not affect the severity of the log messages; instead, they determine which initiators of configuration changes (users, the system, or both) the system logs.
Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
Verbose
This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
Debug
This causes the system to log messages for all user-initiated and system-initiated configuration changes.
1.
On the navigation pane, expand System, and click Logs.
The Logs screen opens.
2.
On the menu bar, click Options.
This displays the screen for setting minimum log levels on local traffic events.
4.
Click Update.
You can find additional information about logging in Logging BIG-IP Systems Events of the BIG-IP® Network and System Management Guide, on the AskF5SM web site, https://support.f5.com.
You can review reports about the sessions created on the system. With Secure Access Manager, you can view either Current Sessions or All Sessions. Under Current Sessions, you can configure your sessions to display according to your settings. Table 11.4 lists the information types in the report and their descriptions.
You can display all current active sessions that are running on the system. Additionally, you can set options to update session information every few seconds, and refresh the session table at any given time.
1.
On the navigation pane, expand Overview, and click Reports.
2.
On the menu bar, click Current Sessions.
3.
From the Auto Refresh list, select the time interval (in seconds) to refresh the session table. It is disabled by default.
4.
You can display detailed information for all active and previously terminated sessions running on the system. Each session contains a session ID that you can click to navigate to a screen which provides more detailed information for each session.
1.
On the navigation pane, expand Overview, and click Reports.
The Report screen opens.
2.
On the menu bar, click All Sessions.
A more detailed screen opens for all sessions running on the system.
5.
Click Expand Tree to view all session variables at once.
The following information is displayed for all sessions:
In addition to viewing the reports through the navigation pane, you can also use the command line script adminreports.pl to view additional reports, such as acllogs, logonlogs, acllogsforsession, and saforsession.
1.
2.
Depending on the type of logs you want to view, type the following in the command line:
adminreports.pl -aclogs
adminreports.pl -logonlogs
adminreports.pl -aclogsforsession session_id
adminreports.pl -saforsession session_id
adminreports.pl -count
adminreports.pl -start <index>
adminreports.pl -end <index>
Table 11.5 lists the available command line utility commands and their descriptions.
-logonlogs: This displays one logon per user session and provides details such as client IP address, virtual server name, and so on.
-saforsession session_id: This displays session activity information such as client IP address, SSL ciphers, and session start/finish time for the given session.
-start <index>: This specifies the starting index for the given log type. For example, to view the aclog messages starting from the 500th entry, type -start 500 -aclog. Note that this option must be typed before the log type, for example: -start 500 -aclog or -start 500 -logonlogs.
-end <index>: This specifies the ending index for the given log type. For example, to view the aclog messages ending at the 500th entry, type -end 500 -aclog. Note that this option must be typed before the log type, for example: -end 500 -aclog or -end 500 -logonlogs.
You can use the Secure Access Manager to view statistics for both Access Profile and Secure Connectivity. You can view the stats for any given access profile or for all access profiles (cumulative).
The following table displays the types of statistics supported by Secure Access Manager. The table also includes information on whether statistic objects are accessible by command line, Configuration utility, or by SNMP.
Table 11.6 Session statistics
Agent type statistics: Agent type statistics are based on the APD agent types such as anti-virus check, file check, registry check, windows info, client cert check, and RADIUS/LDAP/AD/RSA authentication checks.
PPP global statistics: PPP global statistics provide cumulative statistics for all the PPP connections, such as the total number of PPP connections created, or number of bytes received/transmitted.
Session statistics: Session statistics provide session level information for all active sessions in the system. The information includes things like display session ID, client IP, start/expiration time, byte/packet count, logon details, and session status.
Other statistic objects listed in the table include: the total sessions terminated by internal errors/conditions in the system; the status of the sessions (established, pending, unspecified).