Manual Chapter: Working with the Reporting Tools
You can use the reporting tools to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring reporting tools are:
Requests screen
The Requests screen summarizes the requested URLs for a web application. See Working with the Requests screen, for more information.
Security Alerts report
The Security Alerts report summarizes all of the events that occur as a result of a security policy violation. See Working with the Security Alerts report, for more information.
Security reports
The Security reports summarize security policy violations by violation type and by IP address of the offending client. See Working with the Security reports, for more information.
Attacks reports
The Attacks reports track the IP addresses that are generating security policy violations, and the most frequent violation types. See Working with the Attacks reports, for more information.
Executive reports
The Executive reports display printable charts of attack data and trends. See Working with the Executive reports, for more information.
DoS Attacks reports
The DoS Attacks reports display DoS attack events, listed by the web application targeted, and the attack start and end times. See Working with the DoS Attacks reports, for more information.
Brute Force Attacks reports
The Brute Force Attacks reports display brute-force attack events, including the web application attacked, login URL, and attack start and end times. See Working with Brute Force Attacks reports, for more information.
For each web application, the Application Security Manager logs requests according to the logging profile. If you use local logging, then you can review those requests on the Requests screen. For more information on configuring logging profiles, refer to Configuring a logging profile for a reporting server.
The Requests screen provides the following information about a request: the request category, the time of the request, the request protocol, the requested URL itself, severity, the server response code, and the source IP address of the request.
On the Main tab of the Application Security navigation pane, click Reporting.
The Requests screen opens, where you can review the requests information for all of the configured web applications.
You can use the Filter option to view only those requests and events that are of interest to you. The Filter option has several built-in, time-based options that you can use to display requests that occurred within a certain time range. Alternatively, you can create a custom filter that refines the Requests list by criteria such as web application name, support ID, or specific violation type.
2. From the Filter list, select the time range for which you want to view the requests information.
3. Click Go.
The screen refreshes, and the Requests list displays only those events that match the specified time criteria.
2. To the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
3. Specify the criteria by which you want the Filter option to filter the Requests List.
4. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom filter.
5. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
6. From the Filter list, select the custom filter that you just created, and then click Go.
The screen refreshes, and the Requests List displays only those events that match the specified criteria.
You can use the Security Alerts report to review all of the events that occur as a result of a security policy violation. The Security Alerts report displays the following information about each event: severity level (log level), web application name, last time (most recent occurrence), counter (number of occurrences), and violation types. You can use the Filter option to filter the Monitoring list to display only those events in which you are interested. You can also export the events data, or import saved events data.
2. On the menu bar, click Security Alerts.
The Security Alerts screen opens, where you can review the events that have triggered security policy violations.
In many instances, the Security Alerts list may be quite long. You can use the Filter option to view only those events which are of interest to you. The Filter option has several built-in, time-based options. In addition, you can create a custom filter.
1. On the Security Alerts screen, from the Filter list, select the time range for which you want to view the monitoring events.
2. Click Go.
The screen refreshes, and the Security Alerts list displays only those events that match the specified time criteria.
1. On the Security Alerts screen, to the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
2. Specify the criteria by which you want the Filter option to filter the Monitoring list.
3. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom filter.
4. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
5. From the Filter list, select the custom filter that you just created, and then click Go.
The screen refreshes, and the Security Alerts list displays only those events that match the specified criteria.
There may be situations where you want to export the security alerts data. You may want to archive it on a remote system, or you may want to preserve the data when you upgrade the system software. The system saves the last 100,000 events in a *.tar.gz file. When you import, or restore, the saved file, the system restores only those events that correspond to web applications in the current configuration. Additionally, the import action does not restore duplicated events.
2. On the menu bar, click Security Alerts.
The Security Alerts screen opens.
3. Below the Security Alerts list, click the Export button.
A popup screen opens.
4. Select the save option, and click OK.
The system creates a *.tar.gz file of the events, and saves it on your work station.
Note: Depending on the web browser you use, the labeling for the save option changes.
2. On the menu bar, click Security Alerts.
The Security Alerts screen opens.
3. Below the Security Alerts list, click the Import button.
The Import Events popup screen opens.
4. In the Choose File box, type the path to the events data file that you want to restore. Alternatively, you can click the Browse button, and navigate to the file.
5. Click Import.
The system extracts the security alerts data, and restores the data on the system.
The Security reports display information about the requests that generate security policy violations. There are two types of Security reports: the Violation Report and the IPs Report. Note that you can use the Filter option to filter the report to display only those events in which you are interested.
The Violation Report
The Violation Report displays each possible violation, the number of requests that contain the violation, and what percentage of all violations a particular violation represents.
The IPs Report
The IPs Report displays the source IP addresses of the requests that contain violations, the number of requests received from the source IP address, and what percentage of all violating requests have been received from the particular IP address.
The security reports are available in the Reporting section of the Application Security Manager.
2. From the Reports menu, choose Security.
The Security Report screen opens.
3. In the Report Type list on the right side of the screen, select the type of report that you want to review.
The screen refreshes to display the requested data.
Once you have chosen a report type, you may want to filter the resulting report. You can use the Filter option to view only those events which are of interest to you. The Filter option has several built-in, time-based options. You can also create a custom filter.
2. From the Reports menu, choose Security.
The Security Report screen opens.
3. On the Security Report screen, from the Filter list, select the time range for which you want to view the security events.
4. Click Go.
The screen refreshes, and the security report displays only those events that match the specified time criteria.
2. From the Reports menu, choose Security.
The Security Report screen opens.
3. To the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
4. Specify the criteria by which you want the Filter option to filter the security report.
5. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom filter.
6. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
7. From the Filter list, select the custom filter that you just created, and then click Go.
The screen refreshes, and displays only those events that match the specified criteria.
The Attacks reports display information and trends based on illegal requests to a web application. There are two types of Attacks reports: the IPs Report and the Attack Types Report.
IPs Report
The IPs Report displays the source IP address, attack type, number of occurrences, start time, and last time for each attack type. You can use the data in the IPs Report to look for trends in the origination of an attack. If a certain IP address is generating a high volume of a particular attack, it is likely that someone is trying to take a malicious action against the protected web application.
Attack Types Report
The Attack Types Report displays the attack type, the number of requests containing the attack, and percentage of the overall attacks that the particular attack represents.
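The aggregation behind the two Attacks reports, as an added example that is not part of the manual or of the product's code: it groups constructed sample events by source IP address and attack type, and computes each attack type's share of all attacks. The event tuples, function names, and threshold are assumptions and do not reflect the Application Security Manager's log or export format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events: (source IP, attack type, timestamp).
# Assumed layout for illustration only, not the ASM log or export format.
SAMPLE_EVENTS = [
    ("192.0.2.10", "SQL Injection", "2024-05-01 10:00:00"),
    ("192.0.2.10", "SQL Injection", "2024-05-01 10:00:40"),
    ("192.0.2.10", "SQL Injection", "2024-05-01 10:02:15"),
    ("192.0.2.10", "Cross Site Scripting", "2024-05-01 10:05:00"),
    ("198.51.100.7", "Cross Site Scripting", "2024-05-01 09:30:00"),
    ("203.0.113.5", "SQL Injection", "2024-05-01 11:45:00"),
]

def ips_report(events):
    """One row per (source IP, attack type): occurrences, start time, last time."""
    rows = {}
    for ip, attack, stamp in events:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        row = rows.setdefault((ip, attack), {"count": 0, "start": t, "last": t})
        row["count"] += 1
        row["start"] = min(row["start"], t)
        row["last"] = max(row["last"], t)
    return rows

def attack_types_report(events):
    """Attack type -> (request count, percentage of all attacks)."""
    counts = Counter(attack for _, attack, _ in events)
    total = sum(counts.values())
    return {a: (n, round(100.0 * n / total, 1)) for a, n in counts.items()}

def high_volume_sources(rows, threshold):
    """(IP, attack type) pairs seen at least `threshold` times, busiest first."""
    hits = [(key, row["count"]) for key, row in rows.items() if row["count"] >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    rows = ips_report(SAMPLE_EVENTS)
    for (ip, attack), row in rows.items():
        print(ip, attack, row["count"], row["start"], row["last"])
    for attack, (count, pct) in attack_types_report(SAMPLE_EVENTS).items():
        print(attack, count, f"{pct}%")
    # The threshold of 3 is an arbitrary value chosen for the sample data.
    print(high_volume_sources(rows, 3))
```
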
The Attacks reports are available in the Reporting section of the Application Security Manager.
2. From the Reports menu, choose Attacks.
The Attacks Report screen opens.
3. In the Report Type list, on the right side of the screen, select the type of report that you want to review.
The screen refreshes to display the requested data.
Once you have chosen a report type, you may want to filter the resulting report. You can use the Filter option to view only those events which are of interest to you. The Filter option has several built-in, time-based options. You can also create a custom filter.
2. From the Reports menu, choose Attacks.
The Attacks Report screen opens.
3. From the Filter list, select the time range for which you want to view the attacks information.
4. Click Go.
The screen refreshes, and the Attacks report displays only those events that match the specified time criteria.
2. From the Reports menu, choose Attacks.
The Attacks Report screen opens.
3. To the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
4. Specify the criteria by which you want the Filter option to filter the attacks report.
5. Click the Save Filter button.
A popup screen opens, where you provide a name for the custom filter.
6. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
7. From the Filter list, select the custom filter that you just created, and then click Go.
The screen refreshes, and the attacks report displays only those events that match the specified criteria.
The Executive reports display data similar to that which is available in the Attacks reports. The Executive reports present, in charts, the top five attacks, the top five attackers, and the attacks distribution. You can view charts based on data collected in the previous 24 hours or collected in the previous seven days. You can also easily print the charts, which is an efficient way to monitor the attack trends over time.
Note: If, on the Blocking Policy screen, only Learn flags are enabled, the Executive reports screen displays no data because the system does not issue any alerts. See Working with the blocking configuration, for more information.
The Executive reports are available in the Reporting section of the Application Security Manager.
2. From the Reports menu, choose Executive.
The Executive Reports screen opens.
The DoS Attacks reports display information about denial of service (DoS) attacks, including the web application, and start and end times of an attack. You can use the Filter option to filter the report to display all DoS events or only those events in which you are interested (custom).
The DoS Attacks reports are available in the Reporting section of the Application Security Manager.
2. On the menu bar, click DoS Attacks.
The DoS Attacks screen opens.
3. From the Filter list, select Show All.
4. Click Go.
The screen refreshes, and the DoS Attacks report displays all DoS Attack events.
Once you have chosen a report type, you may want to filter the resulting report. You can use the Filter option to view only those events that are of interest to you.
2. On the menu bar, click DoS Attacks.
The DoS Attacks screen opens.
3. To the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
4. Specify the criteria by which you want the Filter option to filter the security report.
5. Click Go.
The screen refreshes and displays only those events that match the specified criteria.
The Brute Force Attacks reports display information about brute force attacks, including the web application, logon URL, and start and end times of an attack. You can use the Filter option to filter the report to display all Brute Force Attack events or only those events in which you are interested (custom).
The Brute Force Attacks reports are available in the Reporting section of the Application Security Manager.
2. On the menu bar, click Brute Force Attacks.
The Brute Force Attacks screen opens.
3. From the Filter list, select Show All.
4. Click Go.
The screen refreshes, and the Brute Force Attacks report displays all Brute Force Attack events.
Once you have chosen a report type, you may want to filter the resulting report. You can use the Filter option to view only those events that are of interest to you.
2. On the menu bar, click Brute Force Attacks.
The Brute Force Attacks screen opens.
3. To the left of the Filter list, click the Show/Hide Filter button.
The Filter option expands to display the custom filter options.
4. Specify the criteria by which you want the Filter option to filter the security report.
5. Click Go.
The screen refreshes and displays only those events that match the specified criteria.
The BIG-IP system has several processes running that compete for the same common resources. To determine how much of the available CPU resources the Application Security Manager uses, you can monitor the CPU Utilization graph in the Configuration utility.
You can view the resource usage by other system processes in the BIG-IP Configuration utility. For more information, refer to the TMOS Management Guide for BIG-IP® Systems, which is available on the AskF5℠ web site, https://support.f5.com.
The CPU usage reports are available in the Overview section of the Application Security navigation pane.
1. On the Main tab of the Application Security navigation pane, in the Overview section, click CPU Utilization.
The CPU Utilization screen opens.
Note: If you are running Application Security Manager on the VIPRION® chassis, the CPU Utilization graph displays CPU usage for each member of the cluster. For more information about Application Security Manager on VIPRION, see Appendix F, Running Application Security Manager on the VIPRION Chassis.