
Manual Chapter: Configuration Guide for the BIG-IP® Application Security Module: Working with the Statistics and Monitoring Tools


6

Working with the Statistics and Monitoring Tools


Overview of the statistics and monitoring tools

You can use the statistics and monitoring tools to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring tools are described in the remaining sections of this chapter.

Working with the Events report

You can use the Events report to review all of the events that occur as a result of a security policy violation. The Events report displays the following information about each event: severity level (log level), start time, last time (most recent occurrence), counter (number of occurrences), and violation type. You can use the filter option to filter the Monitoring list to display only those events in which you are interested. You can also export the events data, or import saved events data.

To view the Events report

On the Main tab in the navigation pane, expand Application Security, and then click Statistics.
The Events Monitoring screen opens, where you can review the events that have triggered policy violations.

Filtering the Monitoring list

In many instances, the Monitoring list may be quite long. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. In addition, you can create a custom filter.

To use a built-in filter to view monitoring events

  1. On the Events Monitoring screen, from the Filter list, select the time range for which you want to view the monitoring events.
  2. Click Go.
    The screen refreshes, and the Monitoring list displays only those events that match the specified time criteria.

To use a custom filter to view monitoring events

  1. On the Events Monitoring screen, to the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  2. Specify the criteria by which you want the filter option to filter the Monitoring list.
  3. Click the Save Filter button to save any changes you may have made.
  4. From the Filter list, select Custom, and then click Go.
    The screen refreshes, and the Monitoring list displays only those events that match the specified criteria.

Saving and restoring the events data

There may be situations where you want to export the events data. You may want to archive it on a remote system, or you may want to preserve the data when you upgrade the system software. The system saves the events in a *.tar.gz file. When you import, or restore, the saved file, the system restores only those events that correspond to web applications in the current configuration. Additionally, the import action does not restore duplicated events.

To export and archive an events data file

  1. Above the Monitoring list, click the Export button.
    A popup screen opens.
  2. Select the save option, and click OK.
    The system creates a *.tar.gz file of the events, and saves it on your workstation.
    Note: Depending on the web browser you use, the labeling for the save option changes.

Importing (or restoring) a saved events data file

  1. Above the Monitoring list, click the Import button.
    The Import Events popup screen opens.
  2. In the Choose File box, type the path to the events data file that you want to restore. Alternatively, you can click the Browse button, and navigate to the file.
  3. Click Import.
    The system extracts the events data, and restores the data on the system.

Working with the Security reports

The Security reports display information about the requests that generate security policy violations. There are two types of security reports: the Violation Report and the IPs Report. Note that you can use the filter option to filter the Monitoring list to display only those events in which you are interested.

  • The Violation Report
    The Violation Report displays each possible violation, the number of requests that contain the violation, and what percentage of all violations a particular violation represents.
  • The IPs Report
    The IPs Report displays the source IP addresses of the requests that contain violations, the number of requests received from the source IP address, and what percentage of all violating requests have been received from the particular IP address.

Viewing the Security reports

The security reports are available in the Statistics section of the Application Security Module.

To view the Security reports

  1. On the Main tab in the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Reports.
    The Security Reports screen opens.
  3. In the Report Type list on the right side of the screen, select the type of report that you want to review.
    The screen refreshes to display the requested data.

Filtering the Security reports

Once you have chosen a report type, you may want to filter the resulting report. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. You can also create a custom filter.

To use a built-in filter to view a security report

  1. On the Security reports screen, from the Filter list, select the time range for which you want to view the security events.
  2. Click Go.
    The screen refreshes, and the security report displays only those events that match the specified time criteria.

To use a custom filter to view a security report

  1. On the Security reports screen, to the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  2. Specify the criteria by which you want the filter option to filter the security report.
  3. Click the Save Filter button to save any changes you may have made.
  4. From the Filter list, select Custom, and then click Go.
    The screen refreshes, and the security report displays only those events that match the specified criteria.

Working with the Attacks reports

The Attacks reports display information and trends based on illegal requests. There are two types of Attacks reports: the IPs Report and the Attack Types Report.

  • IPs Report
    The IPs Report displays the source IP address, attack type, number of occurrences, start time, and last time for each attack type. You can use the data in the IPs Report to look for trends in the origination of an attack. If a certain IP address is generating a high volume of a particular attack, it is likely that someone is trying to take a malicious action against the protected web application.
  • Attack Types Report
    The Attack Types Report displays the attack type, the number of requests containing the attack, and percentage of the overall attacks that the particular attack represents.

Viewing the Attacks reports

The attacks reports are available in the Statistics section of the Application Security Module.

To view the Attacks reports

  1. On the Main tab in the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Attacks.
    The Attacks Report screen opens.
  3. In the Report Type list, on the right side of the screen, select the type of report that you want to review.
    The screen refreshes to display the requested data.

Filtering the Attacks reports

Once you have chosen a report type, you may want to filter the resulting report. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. You can also create a custom filter.

To use a built-in filter to view an attacks report

  1. On the Attacks Report screen, from the Filter list, select the time range for which you want to view the attacks information.
  2. Click Go.
    The screen refreshes, and the attacks report displays only those events that match the specified time criteria.

To use a custom filter to view an attacks report

  1. To the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  2. Specify the criteria by which you want the filter option to filter the attacks report.
  3. Click the Save Filter button to save any changes you may have made.
  4. From the Filter list, select Custom, and then click Go.
    The screen refreshes, and the attacks report displays only those events that match the specified criteria.

Working with the Executive reports

The Executive reports display data similar to that which is available in the Attacks reports. The Executive reports present, in charts, the top five attacks, the top five attackers, and the attacks volume. You can view charts based on data collected in the previous 24 hours, or collected in the previous seven days. You can also easily print the charts, which is an efficient way to monitor the attack trends over time.

Viewing the Executive reports

The Executive reports are available in the Statistics section of the Application Security Module.

To view the Executive reports

  1. On the Main tab in the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Executive.
    The Executive Reports screen opens.


