BIG-IQ®Network Security records all user-initiated firewall policy changes that occur on the BIG-IQ system in the firewall audit log. It does not include changes that occurred on BIG-IP® devices that were imported. A firewall policy change occurs in the working configuration when certain objects change, when certain tasks change state, or when certain user actions are performed.
Each change logged in the audit log can be viewed using the firewall audit log viewer. You access the audit log viewer by selecting. You can also view or change the firewall audit archive settings from the audit log viewer. The Network Security archived audit log files are stored in the /var/config/rest/auditArchive/networkSecurity directory on the BIG-IQ system.
All API traffic on the BIG-IQ system and every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log).
Web Application Security audit information is viewed by selecting.
The following firewall policy changes generate firewall audit log entries:
In high-availability (HA) configurations, each node maintains its own audit log. Audit log entries are not synchronized after the HA configuration is established from the primary to the standby system.
Archives are configured separately on each node.
You can view or change the firewall audit archive settings from the audit log viewer. The Network Security archived audit log files are stored in the /var/config/rest/auditArchive/networkSecurity directory on the BIG-IQ system.
Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt is created, which then has new audit entries appended to it.
Up to 5 compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives are rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest numbered archive, typically, archive-audit.5.txt.gz.
The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each archive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all 5 archive-audit.n.txt.gz files exist, during the rotation the contents of archive-audit.5.txt.gz is overwritten and is no longer available.
The firewall audit log viewer displays the following properties for each log entry.
|Client IP||IP address of the client machine that made the change.
This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
|Time||Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: ddd mmm yyyy hh:mm:ss; for example: Fri Jan 17 2014 23:50:00 .|
|Node||FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.|
|User||User who initiated the action. This is the name of the account with the Administrator or Security_Manager role that was used to log in. Users with other roles can view the audit log.|
|Action||Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.|
|Object Name||Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; click the link to show the JSON structure for the object.|
|Object Type||Classification for this action. WC stands for a change in the working configuration, or working-config. Task is an operation performed by the BIG-IQ system, such as a snapshot or deployment operation.|
|Parent||Displayed for rules, logging profiles, and DoS profiles. For rules, the parent shows the rule list, firewall, or policy that contains the rule. This is the administrative partition and name of the parent object. A change in any rule often also affects the rule's parent object.|
|Parent Type||Class or group of the parent object. WC in this column indicates that the parent object is in the working configuration, or working-config.|
|Version||Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.|
The firewall audit log viewer retrieves entries from the audit log for display in the BIG-IQ® Network Security system interface.
You access the audit log viewer by selecting.
The audit log viewer is not updated dynamically. To update the display and see new entries, click Refresh in the upper right. All BIG-IQ Firewall Security roles have read-only access, and can view and filter entries. Only users with the role of Administrator or Security_Manager can modify audit log configuration settings.
The firewall audit log viewer allows you to customize the display so you can locate entries faster.
Customized displays persist for a single session. The display is reset to the default when you log out.
|Client IP||Type the client IP address in the filter.
Note that when a task is not initiated by a user, the entry in the Client IP column is blank.
|Time|| Type both a date and a time. Displayed times are given in the local
time of the BIG-IQ system. Supported time formats are highly Web
browser-dependent. Time formats other than those listed might appear to
filter successfully but are not supported. Entering a single date and
time results in a filter displaying all entries from the specified date
and time to the current date and time.
For time formats that use letters and numbers, enter the date time in one of the following formats:
You can filter on a date/time range by entering beginning and ending dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05.
For time formats that use only numbers, enter the date time in one of the following formats:
You can filter on a date/time range by entering beginning and ending dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18.
|Node||Type the node name in the filter.|
|User||Type the user name in the filter.|
|Action||Type the action in the filter.|
|Object Name||Type the full or partial name of the object in the filter. If a
partition name is displayed, do not include it in the filter. For
example, Common/AddressList_4 would be entered as
AddressList_4. Because the device-specific
object name includes the BIG-IP® hostname, you can
enter a full or partial device name to get all objects for a specific
Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON.
|Object Type||Type the object type in the filter. Note that WC stands for working configuration.|
|Parent||Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule.|
|Parent Type||Type the Parent Type name in the filter. Only appears when the Parent field contains a value.|
|Version||Type the version number in the filter.|
|Days to keep entries||Used to specify the number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30.|
|Check expiration at this time||Used to specify the hour and minute on the BIG-IQ system when the expiration of audit entries will be checked. Click in the field to view and edit the time using the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute, and then click Done.|
|Next run time||Displays a read-only value that indicates the next time entries will be archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.|
|Last run time||Displays a read-only value that indicates the last time entries were archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.|
|Entries expired at last run time||Displays the number of entries that expired.|
|Last Error||Displays a read-only value that contains either the message No error or the error text for any errors found.|
|Last Error Time||Displays a read-only value that contains the time the last error was
found. The time in the field is the BIG-IQ system local time and is
expressed in the format: ddd mmm dd yyyy hh:mm:ss
Example: Fri Jan 17 2014 23:50:00.
The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ Network Security console (shell) has access to this file.