Manual Chapter: Reports, Logs, and Statistics

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Reports, Logs, and Statistics

About SWG data for threat monitoring

After Secure Web Gateway (SWG) starts proxying web access, it provides information that you can use to monitor threats and to fine-tune URL filters.

On a BIG-IP® system with Access Policy Manager®, SWG can provide logs and reports.

On a BIG-IP system with an SWG subscription, SWG can provide overview statistics in addition to logs and reports.

Note: If you configure high-speed remote event logging, you have data on a remote system from which you can create your own reports.

Overview: Monitoring Internet traffic for threats

You can view Secure Web Gateway (SWG) statistics on the BIG-IP® system and adjust URL filters to handle new threats based on the information that you gather from logs and reports.

Before you begin, event logging should be configured. SWG reports and charts depend on event logging for URL filters. For event logging to occur, log settings must be configured and then specified in the access profile, and a Category Lookup item must be run in the per-request policy.

About the Secure Web Gateway Overview

The Secure Web Gateway (SWG) overview provides multiple reports and charts that summarize the top requests, such as top URLs, top categories by blocked request count, top users by permitted request count or by blocked request count, and so on. The overview can be customized to show the specific type of data that you are interested in.

Note: SWG overview is available only on a BIG-IP® system with an SWG subscription.

In addition to the reports and charts on the overview, SWG provides the All Requests and Blocked Requests reports and charts. The reports can be filtered to show the information that you want to see.

Configuring statistics collection for SWG reports

Configure report settings to specify whether to gather statistics for Secure Web Gateway (SWG) reports and whether to use data sampling.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Reports > Settings .
    The Report Settings screen displays.
  2. To enable statistics gathering, select the Collect Data check box.
    If you clear the check box, data collection stops.
  3. To enable dynamic data sampling, select the Sample Data check box.
    In exchange for a performance gain, data sampling might provide slightly inaccurate statistics. If statistics must be more accurate, then disable data sampling.

Examining statistics on the SWG Overview

Note: Newer browsers (Internet Explorer 9 or later, Firefox 3.6 or later, or Chrome 14 or later) support viewing charts with no additional plug-in. If using older browsers (Internet Explorer 8 or earlier), Adobe® Flash® Player (version 8 or later) must be installed on the computer where you plan to view charts.
You can review charts that show statistical information about traffic from your enterprise to the Internet. The charts provide visibility into the top requests for URL categories, blocked URL categories, top users, and so on.
Note: The system updates the statistics every five minutes; you can refresh the charts periodically to see the updates.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. From the Override time range to list, select a new time frame to apply to all of the widgets in the overview.
    Tip: Within each widget you can override the default time range, as needed.
  3. For each widget, select the data format and the time range to display, as needed.
  4. To focus on the specific details you want more information about, click the chart or the View Details link.
    The system refreshes the charts and displays information about the item.
  5. From the View By list, select the specific network object type for which you want to display statistics.
    You can also click Expand Advanced Filters to filter the information that displays.
  6. On the screen, the system displays the path you followed to reach the current display, including the items you clicked. For example, to review details for the top categories, follow these steps:
    1. In the Top categories by Request Count chart, click the category that interests you.
      Assume that your URL filters allow access to some news and media sites and that News and Media is among the top categories. Click News and Media.
      Charts display the request count per action over time and the request count per action. A details table lists the request count for allowed actions.
    2. In the View By list, select URLs.
      Charts update and a list of URLs displays in the details table. These are the top news and media URLs.
    3. To see which filter allowed this URL, from here you can continue to drill down successively by clicking a link in each details table that displays. As an alternative to drilling down, you can select any of the statistics displayed on the View By list; for example you can select URL Filter directly.
    The Overview charts display summarized data. You might notice as you drill down that details display on the Reports screen.
You can review the access policy to ensure that you use the optimal strategy for processing traffic. You can update URL filters to block, confirm, or allow particular URL categories. You can update URL categories to include new URLs that you have seen in statistics details, or to recategorize existing URLs to fit your policies. You can continue to review the collected metrics and troubleshoot the system as needed.

Focusing the Overview on security threats

You can display attempted access to sites that pose a security risk by adding the security category widget to the Secure Web Gateway (SWG) Overview screen and by filtering a Blocked Request report using the security categories filter.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. Click the Add Widget link near the bottom of the screen.
    The Add New Widget screen displays.
  3. From the Modules list, select Secure Web Gateway (Blocked).
    The security categories widget includes data requests that were blocked.
  4. From the View by list, select Security Categories.
    The data includes requests that were blocked because the requested URL is in the Security category or one of its subcategories.
  5. Move a measurement from Available measurements to the Select up to 6 measurements to display list.
  6. For Data visualization, select one of the options.
    Details Table is the default option.
  7. Click Done.
    The Add New Widget screen closes.
The Overview screen displays the Security Categories chart.
You can also filter a Blocked Requests report to view this data by selecting Security Categories from the View by list.

Exporting or emailing SWG statistics

You can export or email charts that show Secure Web Gateway (SWG) statistics.
  1. On the Main tab, click Access Policy > Secure Web Gateway > Overview .
    Note: The Overview is available only on a BIG-IP® system with an SWG subscription.
    The Overview screen displays.
  2. Display the charts that show the information you want, clicking any of the options and adjusting the content as needed.
  3. On the upper right of the charts screen, click Export.
    Tip: You can also export any single report widget from the Overview screen. Click the widget configuration icon for the report and select Export.
    The Choose Export Options popup screen opens.
  4. Choose the appropriate option.
    • To save the report as a PDF on your computer, select Save the report file on your computer.
    • To send this report to someone, select Send the report file via E-Mail as an attachment, select the SMTP Server, and Target E-Mail Address(es).
  5. Click Export.
    The system saves the report to a file, or emails the file to the specified recipients. If SMTP is not configured (when sending reports by email), you receive a message that SMTP must be set up before you can send the reports.

Creating an SMTP server configuration

You specify the SMTP server configuration so that you can send emails through an SMTP server.
  1. On the Main tab, click System > Configuration > Device > SMTP .
  2. Click the Create button.
    The New SMTP Configuration screen opens.
  3. In the Name field, type a name for the SMTP server that you are creating.
  4. In the SMTP Server Host Name field, type the fully qualified domain name for the SMTP server host.
  5. In the SMTP Server Port Number field, type a port number.
    For no encryption or TLS encryption, the default is 25. For SSL encryption, the default is 465.
  6. In the Local Host Name field, type the host name used in the SMTP headers in the form of a fully qualified domain name.
    This host name is not the same as the BIG-IP® system's host name.
  7. In the From Address field, type the email address that you want displayed as the reply-to address for the email.
  8. From the Encrypted Connection list, select the encryption level required for the SMTP server.
  9. To require that the SMTP server validates users before allowing them to send email, select the Use Authentication check box, and type the user name and password required to validate the user.
  10. Click the Finish button.
You can now configure the system to use this SMTP server to send emails. For the SMTP mailer to work, you must make sure the SMTP server is on the DNS lookup server list, and configure the DNS server on the BIG-IP system.

Implementation result

Secure Web Gateway (SWG) is configured to produce reports and charts.

About the reporting interval for charts and reports

The system updates the statistics for charts and reports at five-minute intervals: at five minutes after the hour, ten minutes after the hour, and so on.

Charts and data that you export from charts reflect the publishing interval of five minutes. For example, if you request data for the time period 12:40-13:40, the data in the chart or in the file that you export is for the time period 12:35-13:35. By default, the BIG-IP® system displays one hour of data.

About statistics aggregation for weekly and longer time ranges

Secure Web Gateway (SWG) reports and charts for weekly, monthly, and yearly time ranges include statistics up through the previously completed hour. The system performs hourly updates to the aggregated statistics.

About Secure Web Gateway statistics

Secure Web Gateway (SWG) reports display statistical information about web traffic on your system. These details are available:

Actions
Action (allowed, blocked, or confirmed) taken on the URL request.
Client IP address
IP address from which the request for the URL originated.
Host Name
When available, host name from which the request for the URL originated.
Categories
Name of the preconfigured or custom URL category into which a requested URL falls.
URLs
Requested URL.
URL filters
Name of the URL filter SWG applied to the request based on the schedule in the scheme.
Security categories
The security category of the URL if it was blocked, because it matched a security category.
Note: Security categories are available on a BIG-IP® system with an SWG subscription.
Users
Name of the user that made the request, if available.
Note: Configuring your system to identify users is optional.
SSL bypass
Whether the request was bypassed (yes or no).
Note: Configuring your system to omit certain SSL traffic from inspection is optional.

Overview: Configuring remote high-speed APM and SWG event logging

You can configure the BIG-IP® system to log information about Access Policy Manager® (APM® ) and Secure Web Gateway events and send the log messages to remote high-speed log servers.

When configuring remote high-speed logging of events, it is helpful to understand the objects you need to create and why, as described here:

  • Pool of remote log servers - Create a pool of remote log servers to which the BIG-IP system can send log messages.
  • Destination (unformatted) - Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
  • Destination (formatted) - If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
  • Publisher - Create a log publisher to send logs to a set of specified log destinations.
  • Log Setting - Add event logging for the APM system and configure log levels for it, or add logging for URL filter events, or both. Settings include the specification of up to two log publishers: one for access system logging and one for URL request logging.
  • Access profile - Add log settings to the access profile. The log settings for the access profile control logging for the traffic that comes through the virtual server to which the access profile is assigned.

Figure: Association of remote high-speed logging configuration objects

Task summary

Perform these tasks to configure remote high-speed APM and SWG event logging on the BIG-IP system.
Note: Enabling remote high-speed logging impacts BIG-IP system performance.

About the default-log-setting

Access Policy Manager® (APM®) provides a default-log-setting. When you create an access profile, the default-log-setting is automatically assigned to it. The default-log-setting can be retained, removed, or replaced for the access profile. The default-log-setting is applied to user sessions only when it is assigned to an access profile.

Regardless of whether it is assigned to an access profile, the default-log-setting applies to APM processes that run outside of a user session. Specifically, on a BIG-IP® system with an SWG subscription, the default-log-setting applies to URL database updates.

Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP® system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
      Note: Typical remote logging servers require port 514.
    3. Click Add.
  5. Click Finished.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP® system.

Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
    Important: If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the Protocol list, select the protocol used by the high-speed logging pool members.
  7. Click Finished.

Creating a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP® system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight servers.

  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or ArcSight.
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    Important: For logs coming from Access Policy Manager® (APM®), only the BSD Syslog format is supported.
  6. If you selected Splunk from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
    The Splunk format is a predefined format of key value pairs.
  7. Click Finished.

Creating a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP® system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select a destination from the Available list, and click << to move the destination to the Selected list.
    Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Click Finished.

Configuring log settings for access system and URL request events

Create log settings to enable event logging for access system events or URL filtering events or both. Log settings specify how to process event logs for the traffic that passes through a virtual server with a particular access profile.
  1. On the Main tab, click Access Policy > Event Logs > Log Settings .
    A log settings table displays.
  2. Select a log setting and click Edit or click Create for a new APM® log setting.
    A popup screen opens with General Information selected in the left pane.
  3. For a new log setting, in the Name field, type a name.
  4. To specify logging, select one or both of these check box options:
    • Enable access system logs - This setting is generally applicable. It applies to access policies, per-request policies, Secure Web Gateway processes, and so on. When you select this check box, Access System Logs becomes available in the left pane.
    • Enable URL request logs - This setting is applicable for logging URL requests when you have set up a BIG-IP® system configuration to categorize and filter URLs. When you select this check box, URL Request Logs becomes available in the left pane.
    Important: When you clear either of these check boxes and save your change, you are not only disabling that type of logging, but any changes you made to the settings are also removed.
  5. To configure settings for access system logging, select Access System Logs from the left pane.
    Access System Logs settings display in the right panel.
  6. For access system logging, from the Log Publisher list select the log publisher of your choice.
    A log publisher specifies one or more logging destinations.
    Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  7. For access system logging, retain the default minimum log level, Notice, for each option.
    You can change the minimum log level, but Notice is recommended.
    • Access Policy - Events that occur while an access policy runs.
    • Per-Request Policy - Events that occur while a per-request policy runs.
    • ACL - Events that occur while applying APM access control lists.
    • SSO - Events that occur during single sign-on.
    • Secure Web Gateway - Events that occur during URL categorization on a BIG-IP® system with an SWG subscription.
    • ECA - Events that occur during NTLM authentication for Microsoft Exchange clients.
  8. To configure settings for URL request logging, select URL Request Logs from the left pane.
    URL Request Logs settings display in the right panel.
  9. For URL request logging, from the Log Publisher list, select the log publisher of your choice.
    A log publisher specifies one or more logging destinations.
    Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  10. To log URL requests, you must select at least one check box option:
    • Log Allowed Events - When selected, user requests for allowed URLs are logged.
    • Log Blocked Events - When selected, user requests for blocked URLs are logged.
    • Log Confirmed Events - When selected, user requests for confirmed URLs are logged.
    Whether a URL is allowed, blocked, or confirmed depends on both the URL category into which it falls, and the URL filter that is applied to the request in the per-request policy.
  11. Optional: To assign this log setting to multiple access profiles now, perform these substeps:
    Note: Up to three log settings for access system logs can be assigned to an access profile. If you assign multiple log settings to an access profile, and this results in duplicate log destinations, logs are also duplicated.
    1. Select Access Profiles from the left pane.
    2. Move access profiles between the Available and the Selected lists.
    Note: You can delete (and add) log settings for an access profile on the Logs page for the access profile.
    Note: You can configure the log destinations for a log publisher from the Logs page in the System area of the product.
  12. Click OK.
    The popup screen closes. The table displays.
To put a log setting into effect, you must assign it to an access profile. Additionally, the access profile must be assigned to a virtual server.

Disabling logging

Disable event logging when you need to suspend logging for a period of time or you no longer want the BIG-IP® system to log specific events.
Note: Logging is enabled by adding log settings to the access profile.
  1. To clear log settings from access profiles, on the Main tab, click Access Policy > Access Profiles .
  2. Click the name of the access profile.
    Access profile properties display.
  3. On the menu bar, click Logs.
  4. Move log settings from the Selected list to the Available list.
  5. Click Update.
Logging is disabled for the access profile.

About event log levels

Event log levels are incremental, ranging from most severe (Emergency) to least severe (Debug). Setting an event log level to Warning, for example, causes logging to occur for warning events in addition to events at more severe log levels. The possible log levels, in order from highest to lowest severity, are:

  • Emergency
  • Alert
  • Critical
  • Error
  • Warning
  • Notice (the default log level)
  • Informational
  • Debug
Note: Logging at the Debug level can increase the load on the BIG-IP® system.

APM log example

The table breaks a typical Access Policy Manager® (APM®) log entry into its component parts.

An example APM log entry

Feb  2 12:37:05 site1 notice tmm[26843]: 01490500:5: /Common/for_reports:Common: bab0ff52: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 20.0.0.1 Listener /Common/site1_http (Reputation=Unknown)

Information type, example value, and description:
  • Timestamp: Feb 2 12:37:05 - The time and date that the system logged the event message.
  • Host name: site1 - The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest.
  • Log level: notice - The text value of the log level for the message.
  • Service: tmm - The process that generated the event.
  • PID: [26843] - The process ID.
  • Log ID: 01490500 - A code that signifies the product, a subset of the product, and a message number.
  • Level: 5 - The numeric value of the log level for the message.
  • Partition: /Common/for_reports:Common - The partition to which configuration objects belong.
  • Session ID: bab0ff52 - The ID associated with the user session.
  • Log message: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 20.0.0.1 Listener /Common/site1_http (Reputation=Unknown) - The generated message text.
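An added example, not part of the F5 documentation, that splits an entry of the layout shown above into the components in this table and applies the severity ordering from the "About event log levels" section, so that entries below a configured minimum level are dropped and entries from an unexpected host name are flagged. The first sample line is the chapter's own entry; the other two are constructed, and the short level spellings in ALIASES are an assumption.

```python
import re
from typing import Optional

# Severity order from the chapter's "About event log levels" list:
# index 0 is the most severe, 7 the least severe. The numeric field after the
# log ID in an entry (5 for "notice" in the chapter's example) uses the same
# ordering, so the text level and numeric level can be cross-checked.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "informational", "debug"]
# Short syslog spellings (assumption; the chapter only shows "notice").
ALIASES = {"emerg": "emergency", "crit": "critical",
           "err": "error", "info": "informational"}

# Field layout from the chapter's "An example APM log entry" table:
# timestamp host level service[pid]: logid:level: partition: session: message
APM_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>[a-z]+) (?P<service>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<log_id>[0-9a-f]{8}):(?P<level_num>\d): "
    r"(?P<partition>\S+): (?P<session_id>[0-9a-f]+): (?P<message>.*)$"
)


def severity_index(level: str) -> int:
    """Position of a level name in LEVELS (0 = Emergency ... 7 = Debug)."""
    name = ALIASES.get(level.lower(), level.lower())
    return LEVELS.index(name)


def parse_apm_log(line: str) -> Optional[dict]:
    """Split one APM entry into the components listed in the chapter's table.
    Returns None when the line does not follow that layout."""
    m = APM_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["level_num"] = int(entry["level_num"])
    # The text level and the numeric level should describe the same severity.
    entry["level_consistent"] = (
        severity_index(entry["level"]) == entry["level_num"])
    return entry


def meets_min_level(entry: dict, minimum: str = "notice") -> bool:
    """True when the entry would be logged at the given minimum level: the
    configured level itself and everything more severe (lower index)."""
    return severity_index(entry["level"]) <= severity_index(minimum)


def triage(lines, minimum: str = "notice", local_host: str = "site1") -> list:
    """Parse the lines, keep entries at or above `minimum`, and flag entries
    whose host name is not the expected local host (the chapter notes that a
    remote host name in this field could be of interest)."""
    kept = []
    for line in lines:
        entry = parse_apm_log(line)
        if entry is None or not meets_min_level(entry, minimum):
            continue
        entry["foreign_host"] = entry["host"] != local_host
        kept.append(entry)
    return kept


# First line: the chapter's example, rejoined onto one line. The other two are
# constructed samples that reuse its log ID and session ID.
SAMPLE_LINES = [
    "Feb  2 12:37:05 site1 notice tmm[26843]: 01490500:5: "
    "/Common/for_reports:Common: bab0ff52: New session from client IP "
    "10.0.0.1 (ST=/CC=/C=) at VIP 20.0.0.1 Listener /Common/site1_http "
    "(Reputation=Unknown)",
    "Feb  2 12:37:06 site1 debug tmm[26843]: 01490500:7: "
    "/Common/for_reports:Common: bab0ff52: constructed debug sample",
    "Feb  2 12:37:07 otherhost warning tmm[26843]: 01490500:4: "
    "/Common/for_reports:Common: bab0ff52: constructed sample from another host",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e["timestamp"], e["host"], e["level"],
              e["session_id"], "foreign_host=%s" % e["foreign_host"])
```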

About local log destinations and publishers

The BIG-IP® system provides two local logging destinations:

local-db
Causes the system to store log messages in the local MySQL database. Log messages published to this destination can be displayed in the BIG-IP Configuration utility.
local-syslog
Causes the system to store log messages in the local Syslog database. Log messages published to this destination are not available for display in the BIG-IP Configuration utility.
Note: Users cannot define additional local logging destinations.

The BIG-IP system provides a default log publisher for local logging, sys-db-access-publisher; initially, it is configured to publish to the local-db destination and the local-syslog destination. Users can create other log publishers for local logging.

Configuring a log publisher to support local reports

APM® provides preconfigured reports that are based on log data. To view the reports and to display log data from the BIG-IP® Configuration utility, configure a publisher to log to the local-db destination.
Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Select the log publisher you want to update and click Edit.
  3. For the Destinations setting, select local-db from the Available list, and move the destination to the Selected list.
  4. Click Finished.
To use a log publisher, specify it in an access policy log setting, ensure that the access profile selects the log setting, and assign the access profile to a virtual server.
Note: Log settings are configured in the Access Policy > Event Logs area of the product.

Viewing an APM report

If Access Policy Manager® (APM®) events are written to the local database on the BIG-IP® system, they can be viewed in APM reports.
Create a report to view event log data.
  1. On the Main tab, click Access Policy > Event Logs > Access System Logs .
    The Reports Browser displays in the right pane. The Report Parameters popup screen opens and displays a description of the current default report and default time settings.
  2. Optional: Select the appropriate Restrict by Time settings.
  3. Click Run Report.
    The popup screen closes. The report displays in the Reports Browser.
You can select and run various system-provided reports, change the default report, and create custom reports.

Viewing URL request logs

To view URL request logs from the user interface, your access profile log setting must enable URL request logs. The log setting must also specify a log publisher that publishes to the local-db log destination.
You can display, search, and export URL request logs.
  1. On the Main tab, click Access Policy > Event Logs > URL Request Logs .
    Any logs for the last hour are displayed.
    Note: APM® writes logs for blocked requests, confirmed requests, allowed requests, or all three, depending on selections in the access profile log setting.
  2. To view logs for another time period, select it from the list.
  3. To search the logs, type into the field and click Search or click Custom Search to open a screen where you can specify multiple search criteria.
  4. To export the logs for the time period and filters, click Export to CSV.

Configuring a log publisher to supply local syslogs

If you must have syslog files available on the local device, configure a publisher to log to the local-syslog destination.
Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Select the log publisher you want to update and click Edit.
  3. For the Destinations setting, select local-syslog from the Available list, and move the destination to the Selected list.
  4. Click Finished.
To use a log publisher, specify it in an access policy log setting, ensure that the access profile selects the log setting, and assign the access profile to a virtual server.
Note: Log settings are configured in the Access Policy > Event Logs area of the product.

Preventing logging to the /var/log/apm file

To stop logs from being written to the /var/log/apm file, remove the local-syslog destination from log publishers that are specified for access system logging in APM® log settings.
Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Select the log publisher you want to update and click Edit.
  3. For the Destinations setting, if the Selected list contains local-syslog, move it to the Available list.
  4. Click Finished.
To use a log publisher, specify it in an APM log setting, ensure that the log setting is assigned to an access profile, and assign the access profile to a virtual server.
Note: Log settings are configured in the Event Logs area of the product.

About local log storage locations

The BIG-IP® system publishes logs for portal access traffic and for connections to virtual desktops (VDI) to the /var/log/rewrite* files. APM® cannot publish these logs to remote destinations.

APM can publish URL request logs to remote or local destinations. Logs published to the local-db destination are stored in the local database and are available for display from the Configuration utility. Logs published to the local-syslog destination are stored in the /var/log/urlfilter.log file.

APM can publish access system logs to remote or local destinations. Logs published to the local-db destination are stored in the local database. Logs in the local database are available for display in APM reports. Logs published to the local-syslog destination are stored in the /var/log/apm file.

Code expansion in Syslog log messages

The BIG-IP® system log messages contain codes that provide information about the system. You can run the Linux command cat log |bigcodes |less at the command prompt to expand the codes in log messages to provide more information. For example:

   Jun 14 14:28:03 sccp bcm56xxd [ 226 ] : 012c0012 : (Product=BIGIP Subset=BCM565XXD) : 6: 4.1 rx [ OK 171009 Bad 0 ] tx [ OK 171014 Bad 0 ]

About configurations that produce duplicate log messages

Figure: Event log duplication (two publishers write logs to the same destination)

The figure illustrates a configuration that writes duplicate logs. Two log publishers specify the same log destination, local-db. Each log publisher is specified in one of the log settings that are assigned to an access profile. Logs are written to the local-db destination twice.

Methods to prevent or eliminate duplicate log messages

Duplicate log messages are written when the same log destination is specified by two or more log publishers and more than one of the log publishers is specified in the log settings that are assigned to an access profile.

One way to avoid or eliminate this problem is to specify only one log setting for each access profile. Another is to ensure that the log publishers you associate with the log settings for an access profile do not contain duplicate log destinations.
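The following is an added example, not F5's own code or tooling: it models the object chain the chapter describes (access profile > log settings > log publisher > destinations) on a constructed sample configuration and flags any destination that two or more publishers reach through the log settings assigned to one access profile. All object names other than local-db and local-syslog are hypothetical.

```python
"""Detect log destinations that would receive duplicate APM events.

Added example, not F5's own code. The configuration below is a constructed
model of the objects the chapter describes: a log publisher lists its
destinations, a log setting names one publisher, and an access profile
names one or more log settings. Only local-db and local-syslog are real
destination names; every other name is hypothetical.
"""
from collections import defaultdict

# Constructed sample configuration (hypothetical names except local-db/local-syslog).
LOG_PUBLISHERS = {
    "pub-local": ["local-db"],
    "pub-local-and-remote": ["local-db", "remote-hsl-pool"],
    "pub-remote-only": ["remote-hsl-pool"],
    "pub-syslog": ["local-syslog"],
}
LOG_SETTINGS = {
    "default-log-setting": "pub-local",
    "swg-log-setting": "pub-local-and-remote",
    "remote-only-setting": "pub-remote-only",
    "syslog-setting": "pub-syslog",
}
ACCESS_PROFILES = {
    "swg-profile": ["default-log-setting", "swg-log-setting"],        # local-db reached twice
    "portal-profile": ["default-log-setting"],                         # clean: one log setting
    "remote-profile": ["default-log-setting", "remote-only-setting"],  # clean: distinct destinations
    "syslog-profile": ["default-log-setting", "syslog-setting"],       # clean: local-db vs local-syslog
}


def duplicate_destinations(profile, access_profiles=ACCESS_PROFILES,
                           log_settings=LOG_SETTINGS, log_publishers=LOG_PUBLISHERS):
    """Return {destination: [publisher, ...]} for each destination that more than
    one publisher reaches via the log settings assigned to `profile`.
    This is exactly the condition the chapter gives for duplicate messages."""
    reached = defaultdict(list)
    for setting in access_profiles[profile]:
        publisher = log_settings[setting]
        for dest in log_publishers[publisher]:
            if publisher not in reached[dest]:
                reached[dest].append(publisher)
    return {dest: pubs for dest, pubs in reached.items() if len(pubs) > 1}


def audit(access_profiles=ACCESS_PROFILES):
    """Map every access profile to its duplicated destinations (empty dict when clean)."""
    return {p: duplicate_destinations(p, access_profiles) for p in access_profiles}


if __name__ == "__main__":
    for profile, dups in audit().items():
        print(f"{profile}: {'OK' if not dups else 'DUPLICATE ' + ', '.join(dups)}")
```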

About log level configuration

Log levels can be configured in various ways that depend on the specific functionality. Log levels for access portal traffic and for connections to virtual desktops are configured in the System area of the product. The log level for the URL database download is configured in the default-log-setting in the Access Policy Event Logs area of the product. The log level for NTLM authentication of Microsoft Exchange clients is configured using the ECA option in any log setting. Other access policy (and Secure Web Gateway) log levels are configured in any log setting.

Updating the log level for NTLM for Exchange clients

Before you follow these steps, you should have a working configuration of NTLM authentication for Microsoft Exchange clients. The configuration should include a log setting that enables logging for Access Policy Manager® and is assigned to the access profile.
You can change the level of logging for NTLM authentication for Microsoft Exchange clients.
Note: Logging at the default level, Notice, is recommended.
  1. On the Main tab, click Access Policy > Event Logs > Log Settings.
    A log settings table displays.
  2. Select the check box for the log setting that you want to update and click Edit.
    A popup screen displays.
  3. To configure settings for access system logging, select Access System Logs from the left pane.
    Access System Logs settings display in the right panel.
  4. For the ECA setting, select a log level.
    Note: Setting the log level to Debug can adversely impact system performance.
  5. Click OK.
    The popup screen closes.

Configuring logging for the URL database

Configure logging for the URL database so that log messages are published to the destinations, and at the minimum log level, that you specify. (Logging for the URL database occurs at the system level, not the session level, and is controlled using the default-log-setting log setting.)
Note: A URL database is available only on a BIG-IP® system with an SWG subscription.
  1. On the Main tab, click Access Policy > Event Logs > Log Settings.
    A log settings table displays.
  2. From the table, select default-log-setting and click Edit.
    A log settings popup screen displays.
  3. Verify that the Enable access system logs check box is selected.
  4. To configure settings for access system logging, select Access System Logs from the left pane.
    Access System Logs settings display in the right panel.
  5. From the Log Publisher list, select the log publisher of your choice.
    A log publisher specifies one or more logging destinations.
    Important: The BIG-IP® system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.
  6. To change the minimum log level, from the Secure Web Gateway list, select a log level.
    Note: Setting the log level to Debug can adversely impact system performance.
    The default log level is Notice. At this level, logging occurs for messages of severity Notice and for messages at all incrementally greater levels of severity.
  7. Click OK.
    The popup screen closes. The table displays.

Setting log levels for Portal Access and VDI events

Change the logging level for access policy events when you need to increase or decrease the minimum severity level at which Access Policy Manager® (APM®) logs that type of event. Follow these steps to change the log level for events that are related to portal access traffic or related to connections to virtual desktops (VDI).

Note: You can configure log levels for additional APM options in the Event Logs area.
  1. On the Main tab, click System > Logs > Configuration > Options.
  2. Scroll down to the Access Policy Logging area.
    The options Portal Access and VDI display; each displays a selected logging level.
    Note: The log settings that you change on this page impact only the access policy events that are logged locally on the BIG-IP® system.
  3. For each option that you want to change, select a logging level from the list.
    Note: Setting the log level to Debug affects the performance of the BIG-IP® system.
    Warning: F5® recommends that you do not set the log level for Portal Access to Debug. Portal Access can stop working. The BIG-IP system can become slow and unresponsive.
  4. Click Update.
APM starts to log events at the new minimum severity level.