
Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: 9 - Working with the Statistics and Monitoring Tools


9

Working with the Statistics and Monitoring Tools


Overview of the statistics and monitoring tools

You can use the statistics and monitoring tools to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring tools are:

Working with the Events Monitoring report

You can use the Events Monitoring report to review all of the events that occur as a result of a security policy violation. The Events Monitoring report displays the following information about each event: severity level (log level), web application name, last time (most recent occurrence), counter (number of occurrences), and violation types. You can use the filter option to filter the Monitoring list to display only those events in which you are interested. You can also export the events data, or import saved events data.

To view the Events report

On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
The Events Monitoring screen opens, where you can review the events that have triggered policy violations.

Filtering the Monitoring list

In many instances, the Monitoring list may be quite long. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. In addition, you can create a custom filter.

To use a built-in filter to view monitoring events

  1. On the Events Monitoring screen, from the Filter list, select the time range for which you want to view the monitoring events.
  2. Click Go.
    The screen refreshes, and the Monitoring list displays only those events that match the specified time criteria.

To use a custom filter to view monitoring events

  1. On the Events Monitoring screen, to the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  2. Specify the criteria by which you want the filter option to filter the Monitoring list.
  3. Click the Save Filter button.
    A popup screen opens, where you provide a name for the custom filter.
  4. Type a name for the custom filter, and click OK.
    The screen refreshes, and you see the custom filter in the Filter list.
  5. From the Filter list, select the custom filter that you just created, and then click Go.
    The screen refreshes, and the Monitoring list displays only those events that match the specified criteria.

Saving and restoring the events data

There may be situations where you want to export the events data. You may want to archive it on a remote system, or you may want to preserve the data when you upgrade the system software. The system saves the last 100,000 events in a *.tar.gz file. When you import, or restore, the saved file, the system restores only those events that correspond to web applications in the current configuration. Additionally, the import action does not restore duplicated events.

To export and archive an events data file

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. Below the Monitoring list, click the Export button.
    A popup screen opens.
  3. Select the save option, and click OK.
    The system creates a *.tar.gz file of the events, and saves it on your workstation.
    Note: Depending on the web browser you use, the labeling for the save option changes.

Importing (or restoring) a saved events data file

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. Below the Monitoring list, click the Import button.
    The Import Events popup screen opens.
  3. In the Choose File box, type the path to the events data file that you want to restore. Alternatively, you can click the Browse button, and navigate to the file.
  4. Click Import.
    The system extracts the events data, and restores the data on the system.

Working with the Security reports

The Security reports display information about the requests that generate security policy violations. There are two types of security reports: the Violation Report and the IPs Report. Note that you can use the filter option to filter the Monitoring list to display only those events in which you are interested.

  • The Violation Report
    The Violation Report displays each possible violation, the number of requests that contain the violation, and what percentage of all violations a particular violation represents.
  • The IPs Report
    The IPs Report displays the source IP addresses of the requests that contain violations, the number of requests received from the source IP address, and what percentage of all violating requests have been received from the particular IP address.

Viewing the Security reports

The security reports are available in the Statistics section of the Application Security Manager.

To view the Security reports

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Reports.
    The Security Reports screen opens.
  3. In the Report Type list on the right side of the screen, select the type of report that you want to review.
    The screen refreshes to display the requested data.

Filtering the Security reports

Once you have chosen a report type, you may want to filter the resulting report. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. You can also create a custom filter.

To use a built-in filter to view a security report

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Reports.
    The Security Reports screen opens.
  3. On the Security reports screen, from the Filter list, select the time range for which you want to view the security events.
  4. Click Go.
    The screen refreshes, and the security report displays only those events that match the specified time criteria.

To use a custom filter to view a security report

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Reports.
    The Security Reports screen opens.
  3. On the Security reports screen, to the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  4. Specify the criteria by which you want the filter option to filter the security report.
  5. Click the Save Filter button.
    A popup screen opens, where you provide a name for the custom filter.
  6. Type a name for the custom filter, and click OK.
    The screen refreshes, and you see the custom filter in the Filter list.
  7. From the Filter list, select the custom filter that you just created, and then click Go.
    The screen refreshes, and the security report displays only those events that match the specified criteria.

Working with the Attacks reports

The Attacks reports display information and trends based on illegal requests to a web application. There are two types of Attacks reports: the IPs Report and the Attack Types Report.

  • IPs Report
    The IPs Report displays the source IP address, attack type, number of occurrences, start time, and last time for each attack type. You can use the data in the IPs Report to look for trends in the origination of an attack. If a certain IP address is generating a high volume of a particular attack, it is likely that someone is trying to take a malicious action against the protected web application.
  • Attack Types Report
    The Attack Types Report displays the attack type, the number of requests containing the attack, and percentage of the overall attacks that the particular attack represents.
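
The columns of the two Attacks reports can be reproduced from raw event records, which is useful when checking the reports against data held elsewhere. The following is an added example, not F5 code: the record layout (time, source IP, attack type), the sample events, and the `min_count` and `min_share` thresholds are assumptions made for illustration and are not the ASM export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (time, source IP, attack type); this is an
# assumed layout for illustration, not the ASM export format.
EVENTS = [
    ("2024-05-01T10:00:05", "198.51.100.7", "SQL Injection"),
    ("2024-05-01T10:00:09", "198.51.100.7", "SQL Injection"),
    ("2024-05-01T10:01:30", "203.0.113.4", "Cross Site Scripting"),
    ("2024-05-01T10:02:11", "198.51.100.7", "SQL Injection"),
    ("2024-05-01T10:05:42", "198.51.100.7", "Path Traversal"),
    ("2024-05-01T10:07:00", "203.0.113.9", "SQL Injection"),
]


def ips_report(events):
    """Rows of (source IP, attack type, occurrences, start time, last time)."""
    groups = defaultdict(list)
    for ts, ip, attack in events:
        groups[(ip, attack)].append(datetime.fromisoformat(ts))
    rows = [(ip, attack, len(t), min(t), max(t)) for (ip, attack), t in groups.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def attack_types_report(events):
    """Rows of (attack type, requests, percentage of all attacks)."""
    counts = defaultdict(int)
    for _, _, attack in events:
        counts[attack] += 1
    total = sum(counts.values())
    rows = [(a, n, round(100.0 * n / total, 1)) for a, n in counts.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def high_volume_sources(events, min_count=3, min_share=0.5):
    """(IP, attack type) pairs that stand out: at least min_count occurrences
    and at least min_share of all requests carrying that attack type.
    Both thresholds are hypothetical and need tuning per application."""
    per_type = {a: n for a, n, _ in attack_types_report(events)}
    return [(ip, a) for ip, a, n, _, _ in ips_report(events)
            if n >= min_count and n / per_type[a] >= min_share]


if __name__ == "__main__":
    for row in ips_report(EVENTS):
        print(row)
    print(attack_types_report(EVENTS))
    print(high_volume_sources(EVENTS))
```

With the sample data, one source accounts for three of the four SQL Injection requests, which is the kind of concentration the IPs Report is meant to surface.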

Viewing the Attacks reports

The attacks reports are available in the Statistics section of the Application Security Manager.

To view the Attacks reports

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Attacks.
    The Attacks Report screen opens.
  3. In the Report Type list, on the right side of the screen, select the type of report that you want to review.
    The screen refreshes to display the requested data.

Filtering the Attacks reports

Once you have chosen a report type, you may want to filter the resulting report. You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options. You can also create a custom filter.

To use a built-in filter to view an attacks report

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Attacks.
    The Attacks Report screen opens.
  3. On the Attacks Report screen, from the Filter list, select the time range for which you want to view the attacks information.
  4. Click Go.
    The screen refreshes, and the attacks report displays only those events that match the specified time criteria.

To use a custom filter to view an attacks report

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Attacks.
    The Attacks Report screen opens.
  3. To the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  4. Specify the criteria by which you want the filter option to filter the attacks report.
  5. Click the Save Filter button.
    A popup screen opens, where you provide a name for the custom filter.
  6. Type a name for the custom filter, and click OK.
    The screen refreshes, and you see the custom filter in the Filter list.
  7. From the Filter list, select the custom filter that you just created, and then click Go.
    The screen refreshes, and the attacks report displays only those events that match the specified criteria.

Working with the Executive reports

The Executive reports display data similar to that which is available in the Attacks reports. The Executive reports present, in charts, the top five attacks, the top five attackers, and the attacks volume. You can view charts based on data collected in the previous 24 hours, or collected in the previous seven days. You can also easily print the charts, which is an efficient way to monitor the attack trends over time.

Note

If, on the Blocking Policy screen, only Learn flags are enabled, the Executive reports screen displays no data because the system does not issue any alerts. See Working with the Blocking Policy settings for more information.

Viewing the Executive reports

The Executive reports are available in the Statistics section of the Application Security Manager.

To view the Executive reports

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, click Executive.
    The Executive Reports screen opens.

Working with the Forensics screen

For each web application, the Application Security Manager records the requested objects in the Forensics information. The Forensics screen provides the following information about a request: the request category, the time of the request, the request protocol, the requested object itself, the server response code, and the source IP address of the request.

You can view forensics information for all web applications, or you can view forensics information in the context of a specific web application.

To view the Forensics list for all web applications

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events screen opens.
  2. On the menu bar, click Forensics.
    The Forensics screen opens, where you can review the forensics information for all of the configured web applications.

To view the Forensics list for a specific web application

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of a web application.
    The Web Application Properties screen opens.
  3. On the menu bar, click Forensics.
    The Forensics screen opens, where you can review the forensics information for the specific web application.

Filtering the Forensics list

You can use the filter option to view only those events which are of interest to you. The filter option has several built-in, time-based options that you can use to display requests that occurred within a certain time range. Alternatively, you can create a custom filter that refines the Forensics list by criteria such as web application name, support ID, or specific violation type.

To use a built-in filter to view forensics events

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events screen opens.
  2. On the menu bar, click Forensics.
    The Forensics screen opens.
  3. From the Filter list, select the time range for which you want to view the forensics.
  4. Click Go.
    The screen refreshes, and the Forensics list displays only those events that match the specified time criteria.

To use a custom filter to view forensics events

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events screen opens.
  2. On the menu bar, click Forensics.
    The Forensics screen opens.
  3. On the Forensics screen, to the left of the Filter list, click the Show/Hide Filter button (the little arrow).
    The filter option expands to display the custom filter options.
  4. Specify the criteria by which you want the filter option to filter the Forensics List.
  5. Click the Save Filter button.
    A popup screen opens, where you provide a name for the custom filter.
  6. Type a name for the custom filter, and click OK.
    The screen refreshes, and you see the custom filter in the Filter list.
  7. From the Filter list, select the custom filter that you just created, and then click Go.
    The screen refreshes, and the Forensics List displays only those events that match the specified criteria.


