Manual Chapter: Managing Audit Logs in BIG-IQ Web Application Security

About the application security audit log

In large customer environments, multiple users make changes to application security policies. These policy changes occur in a central location, such as the BIG-IQ™ Web Application Security database, and not on individual BIG-IP® ASM™ devices. To address possible concerns about who changed what, the BIG-IQ system provides an audit log that records all of this activity (users, times, events, and so on).

The BIG-IQ system records every change (every configuration change to a working-configuration object) in the audit log. A change is defined as: any object created, object deleted, or object modified. Thus, the audit log is an important tool for debugging and tracking changes to devices.

Note: The audit log viewer retrieves entries from this database to display in the GUI.

In high-availability (HA) configurations, each node maintains its own audit log. Once the HA configuration is established, audit log entries are not synchronized from the primary to the standby system. Archives are configured separately on each node.

About archived web application security audit logs

The Web Application Security archived audit log files are stored in the /var/config/rest/auditArchive/webAppSecurity directory on the BIG-IQ system.

Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt is created, which then has new audit entries appended to it.

Up to 5 compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest-numbered archive, typically archive-audit.5.txt.gz.

The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each archive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all 5 archive-audit.n.txt.gz files exist, during the rotation the contents of archive-audit.5.txt.gz are overwritten and are no longer available.
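The rotation scheme described above, modelled as an added example (this is not F5 code, and the real BIG-IQ process is not visible on this page). It assumes the behaviour exactly as documented: a full archive-audit.0.txt is copied to archive-audit.1.txt and gzipped, every existing archive shifts up one number, and the old archive-audit.5.txt.gz is lost. The simulate() helper uses a tiny, constructed threshold in a temporary directory so the loss of the oldest archive can be observed.

```python
import gzip
import os
import shutil
import tempfile

MAX_ARCHIVES = 5                 # archive-audit.1.txt.gz through archive-audit.5.txt.gz
ROTATE_AT = 800 * 1024 * 1024    # approximate size of archive-audit.0.txt that triggers rotation

def archive_name(n, compressed=True):
    return f"archive-audit.{n}.txt" + (".gz" if compressed else "")

def rotate(archive_dir, rotate_at=ROTATE_AT):
    """Rotate if archive-audit.0.txt has reached rotate_at bytes. Returns True when a rotation ran."""
    active = os.path.join(archive_dir, archive_name(0, compressed=False))
    if not os.path.exists(active) or os.path.getsize(active) < rotate_at:
        return False
    # Shift each compressed archive to the next higher number, highest first;
    # whatever archive-audit.5.txt.gz held is overwritten and is no longer available.
    for n in range(MAX_ARCHIVES - 1, 0, -1):
        src = os.path.join(archive_dir, archive_name(n))
        if os.path.exists(src):
            os.replace(src, os.path.join(archive_dir, archive_name(n + 1)))
    # Copy the full file to archive-audit.1.txt, gzip it, then start an empty archive-audit.0.txt.
    plain = os.path.join(archive_dir, archive_name(1, compressed=False))
    shutil.copyfile(active, plain)
    with open(plain, "rb") as fin, gzip.open(os.path.join(archive_dir, archive_name(1)), "wb") as fout:
        shutil.copyfileobj(fin, fout)
    os.remove(plain)
    open(active, "w").close()
    return True

def simulate(batches, lines_per_batch=10, rotate_at=64):
    """Append constructed entries in batches with a tiny threshold; return the first line of each surviving archive."""
    archive_dir = tempfile.mkdtemp()
    try:
        active = os.path.join(archive_dir, archive_name(0, compressed=False))
        for b in range(1, batches + 1):
            with open(active, "a") as f:
                f.write(f"batch-{b}\n" * lines_per_batch)   # constructed sample entries
            rotate(archive_dir, rotate_at)
        held = {}
        for n in range(1, MAX_ARCHIVES + 1):
            path = os.path.join(archive_dir, archive_name(n))
            if os.path.exists(path):
                with gzip.open(path, "rt") as f:
                    held[n] = f.readline().strip()
        return held
    finally:
        shutil.rmtree(archive_dir)
```

After seven batches only batches 3 through 7 survive, which is why an external collector should pull archives before the sixth rotation if the entries must be retained.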

Viewing audit log entries

You can view audit log entries through the audit log viewer.
  1. To examine audit log entries using the viewer, log in to the BIG-IQ™ system with Administrator, Security_Manager, or Web_App_Security_Manager credentials.
  2. Click Web Application Security > Audit Log.
  3. To view audit log entries for signature files, click Signature file.
    Option: Description
    Time: Date and time of the audit log signature file entry.
    Task status: Task status: Passed or Failed.
    Step status: Count for how many steps passed and how many failed. For example: 10 passed / 0 failed.
    Details: Click Details to open a popup screen where you can view:
    • Time. Date and time for a specific action.
    • Sub task. Name of the worker task.
    • Action. Specific action performed; for example: Task started, Running push task, Process ended.
    • Status. Task status: Passed or Failed.
    • Error/Message. Error messages, if any, for that action.
    • Device IP. IP address for the device that made the change.
  4. To view audit log entries for device discovery, click Device discovery.
    Option: Description
    Client IP: IP address of the client machine that made the change. This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
    Time: Time that the event occurred. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
    Node: FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.
    User: User who initiated the action. This is the name of the account with the Administrator, Security_Manager, or Web_App_Security_Manager role that was used to log in. Users with other roles can view the audit log.
    Action: Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.
    Object Name: Object identified by a user-friendly name; for example: import-device.
    Object Type: Classification for this action; for example: Shared Security: Declare-Mgmt-Authority.
    Parent: Displayed for rules, logging profiles, and DoS profiles. Otherwise, displayed as ---.
    Parent Type: Class or group of the parent object. WC in this column stands for a change in the working configuration, or working-config. Otherwise, displayed as ---.
    Version: Every time a configuration object changes, its version increases by 1. This field shows the version number of the object after this action is complete.
    Details: Click Details to open a popup screen where you can view a comparison of the JSON of the current version of the configuration object versus the previous version.
  5. To view audit log entries for tasks, click Tasks.
    Option: Description
    Client IP: IP address of the client machine that made the change. This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
    Time: Time that the event occurred. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
    Node: FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.
    User: User who initiated the action. This is the name of the account with the Administrator, Security_Manager, or Web_App_Security_Manager role that was used to log in. Users with other roles can view the audit log.
    Action: Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.
    Object Name: Object identified by a user-friendly name; for example: import-10.100.100.1.
    Object Type: Classification for this action; for example: Shared Security: Snapshot-Config.
    Parent: Displayed for rules, logging profiles, and DoS profiles. Otherwise, displayed as ---.
    Parent Type: Class or group of the parent object. WC in this column stands for a change in the working configuration, or working-config. Otherwise, displayed as ---.
    Version: Every time a configuration object changes, its version increases by 1. This field shows the version number of the object after this action is complete.
    Details: Click Details to open a popup screen where you can view a comparison of the JSON of the current version of the configuration object versus the previous version.
  6. To view audit log entries for resources, click Resources.
    Option: Description
    Client IP: IP address of the client machine that made the change. This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
    Time: Time that the event occurred. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
    Node: FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.
    User: User who initiated the action. This is the name of the account with the Administrator, Security_Manager, or Web_App_Security_Manager role that was used to log in. Users with other roles can view the audit log.
    Action: Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.
    Object Name: Object identified by a user-friendly name; for example: import-10.100.100.1.
    Object Type: Classification for this action; for example: Shared Security: Snapshot-Config.
    Parent: Displayed for rules, logging profiles, and DoS profiles. Otherwise, displayed as ---.
    Parent Type: Class or group of the parent object. WC in this column stands for a change in the working configuration, or working-config. Otherwise, displayed as ---.
    Version: Every time a configuration object changes, its version increases by 1. This field shows the version number of the object after this action is complete.
    Details: Click Details to open a popup screen where you can view a comparison of the JSON of the current version of the configuration object versus the previous version.
  7. To view audit log entries for system, click System.
    Option: Description
    Client IP: IP address of the client machine that made the change. This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
    Time: Time that the event occurred. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
    Node: FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.
    User: User who initiated the action. This is the name of the account with the Administrator, Security_Manager, or Web_App_Security_Manager role that was used to log in. Users with other roles can view the audit log.
    Action: Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.
    Object Name: Object identified by a user-friendly name; for example: import-10.100.100.1.
    Object Type: Classification for this action; for example: Tokens.
    Parent: Displayed for rules, logging profiles, and DoS profiles. Otherwise, displayed as ---.
    Parent Type: Class or group of the parent object. WC in this column stands for a change in the working configuration, or working-config. Otherwise, displayed as ---.
    Version: Every time a configuration object changes, its version increases by 1. This field shows the version number of the object after this action is complete.
    Details: Click Details to open a popup screen where you can view a comparison of the JSON of the current version of the configuration object versus the previous version.

Audit log archive settings

The audit log viewer in BIG-IQ™ Web Application Security displays these settings for the audit log archive.

Setting: Description
Days to keep entries: Number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30.
Check expiration at this time: Hour and minute on the BIG-IQ system when the expiration of audit entries is checked. Click in the field to view and edit the time using the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute, and then click Done.
Next run time: Read-only value that indicates the next time entries will be archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
Last run time: Read-only value that indicates the last time entries were archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 02:50:00.
Entries expired at last run time: Number of entries that expired.
Last Error: Read-only value that contains either the message No error or the error text for any errors found.
Last Error Time: Read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Mon Oct 12 2015 23:50:00.
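An added example (not F5 code) of the expiration check these settings describe: it parses the viewer's time format, enforces the documented 1 to 366 bound on "Days to keep entries", and reports how many entries a run would expire. It assumes an entry expires when its time is earlier than the check time minus the retention period; the sample entries are constructed.

```python
from datetime import datetime, timedelta

# The viewer's time format, ddd mmm dd yyyy hh:mm:ss, e.g. "Mon Oct 12 2015 02:50:00".
AUDIT_TIME_FORMAT = "%a %b %d %Y %H:%M:%S"

def parse_audit_time(text):
    return datetime.strptime(text, AUDIT_TIME_FORMAT)

def validate_days_to_keep(days):
    """Enforce the documented bounds for 'Days to keep entries': an integer from 1 to 366."""
    if not isinstance(days, int) or isinstance(days, bool) or not 1 <= days <= 366:
        raise ValueError("Days to keep entries must be an integer between 1 and 366")
    return days

def expire_entries(entries, days_to_keep, check_time):
    """Split entries into (kept, expired) as an expiration check run at check_time would.
    Assumption: an entry expires when its time is earlier than check_time minus days_to_keep."""
    cutoff = parse_audit_time(check_time) - timedelta(days=validate_days_to_keep(days_to_keep))
    kept, expired = [], []
    for entry in entries:
        (expired if parse_audit_time(entry["time"]) < cutoff else kept).append(entry)
    return kept, expired

def expired_count_at_last_run(entries, days_to_keep, last_run_time):
    """The number the viewer would report as 'Entries expired at last run time'."""
    return len(expire_entries(entries, days_to_keep, last_run_time)[1])

# Constructed sample entries (hypothetical values, not taken from a real BIG-IQ system).
SAMPLE_ENTRIES = [
    {"time": "Mon Oct 12 2015 02:50:00", "user": "admin", "action": "Update", "object": "import-device"},
    {"time": "Sat Sep 12 2015 02:50:00", "user": "admin", "action": "New", "object": "import-device"},
    {"time": "Tue Sep 01 2015 12:00:00", "user": "secmgr", "action": "Delete", "object": "old-policy"},
]
```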

Filtering the audit log display

You can filter entries to rapidly narrow the scope displayed in the viewer and more easily locate an entry in the audit log. All BIG-IQ Security roles can filter audit log entries.

Filtering is text-based. Filtering is not case-sensitive.

  1. To filter audit log entries using the viewer, log in to the BIG-IQ™ system with Administrator, Security_Manager, or Web_App_Security_Manager credentials.
  2. Click Web Application Security > Audit Log.
  3. On the left, under Audit Log, click a header.
    The filter appears at the top right of the screen.
  4. Enter a text string and press Enter.
    You can use wild cards or partial text in a filter.
  5. To clear the filter, click the red X to the left of the Filter field.

Customizing the audit log display

You can customize the way the viewer displays entries so you can locate entries faster.
  1. To customize the display, log in to the BIG-IQ™ system with Administrator, Security_Manager, or Web_App_Security_Manager credentials.
  2. Click Web Application Security > Audit Log.
  3. Select from among the following customizations:
    • To customize the order of columns displayed, click any column header and drag-and-drop the column to the desired location.
    • To sort by column, click the header of the column you want to sort by. The default sorting order is by time, newest to oldest.
    • To sort within a column, resize the column until the arrow is visible. Click to change the sorting order.
    • To resize columns, hover in the table header until the controls are visible and use them to resize the columns.
    Customized displays persist for a single session. The display is reset to the default when you log out.