You use audit logs to review changes in the BIG-IQ® system. All BIG-IQ system roles have read-only access to the audit log, and can view and filter entries. Any user with the appropriate privileges can initiate an action.
You view audit logs by selecting Audit Logging from the BIG-IQ menu, and then selecting the appropriate service option from the list on the left.
To view or change the audit log archive settings, click the Archive Settings button on the Audit Logging screen. Archived audit log files are stored in the archive-audit.n.txt file in the appropriate subdirectory of the /var/config/rest/auditArchive directory on the BIG-IQ system:
All API traffic on the BIG-IQ system, and every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log) which is located in /var/log on the BIG-IQ system.
When using the audit log, consider the following:
BIG-IQ® records in the audit log all user-initiated changes that occur on the BIG-IQ system. A change is defined as when certain objects are modified, when certain tasks change state, or when certain user actions are performed. For example, when the admin account is used to log in to the BIG-IQ system, the audit log records the time, the user (admin), the action (New) and the object type (Login). The log does not include changes that occurred on BIG-IP® devices that were imported.
Changes to working-configuration objects generate audit log entries. In addition, these actions generate log entries:
The audit log displays the following properties for each log entry.
|Source||IP address of the client machine that made the change.
This property is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Source IP address.
|Service||Indicates whether the change was made by the internal object synchronization
service. This service synchronizes shared objects, such as virtual servers, from the
Local Traffic & Network service to the Network Security or Web Application
|Time||Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: mmm dd, yyyy hh:mm:ss (time zone); for example: Apr 19, 2016 13:09:03(EDT).|
|Node||Fully qualified domain name for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.|
|User||Name of the account that initiated the action, such as an account named Admin for an administrative account.|
|Action||Type of modification. For operation changes, the action types include New, Delete, and Modify. For task changes, the action types include Start, Finish, Failed, and Cancelled.|
|Object Name||Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. When the name RootNode is listed, that indicates that the object is associated with a BIG-IP device. RootNode is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.|
|Changes||Indicates whether there was a change in the object. If View occurs in this column, there is a change to the object. To view the detailed differences of the change, click View.|
|Object Type||Classification for this action. When the type Root Node is listed, that indicates that the object is associated with a BIG-IP device. Root Node is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.|
|Parent||The administrative partition and name of the parent object. This property is displayed for firewall rules, logging profiles, and DoS profiles. For firewall rules, the parent shows the rule list, firewall, or policy that contains the rule. A change in a firewall rule often also affects the rule's parent object.|
|Parent Type||Class or group of the parent object.|
|Version||Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.|
|All||Specifies that all objects should be filtered using the filter text. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it.|
|Source||Type the source IP address in the filter. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it. Using this option is equivalent to using the All option.|
|Time|| Type both a date and a time. Displayed times are given in the local
time of the BIG-IQ system. Supported time formats are highly Web
browser-dependent. Time formats other than those listed might appear to
filter successfully but are not supported. Entering a single date and
time results in a filter displaying all entries from the specified date
and time to the current date and time.
For time formats that use letters and numbers, enter the date time in one of the following formats:
For time formats that use only numbers, enter the date time in one of the following formats:
|Node||Type the node name in the filter.|
|User||Type the user account name in the filter.|
|Action: Operation||Type the operation action name in the filter. Operation actions include: New, Delete, and Modify.|
|Action: Task Status||Type the task status action name in the filter. Task status actions include: Start, Finish, Cancelled, and Failed.|
|Object Name||Type the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4. Because the device-specific object name includes the BIG-IP® host name, you can enter a full or partial device name to get all objects for a specific BIG-IP device.|
|Object Type||Type the object type in the filter.|
|Parent||Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule.|
|Parent Type||Type the Parent Type name in the filter. Only appears when the Parent field contains a value.|
|Contains||Specifies that the filter text is contained within the object
specified. When you select Contains:
|Exact||Specifies that the filter text is exactly contained within the
object specified. When Exact is selected:
You can customize the audit log display to assist you in locating information faster.
|Retain Entries||Specifies the number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30.|
|Weekly Update||Specifies which days of the week to update the audit log. Select the check box to the left of each day that you want the audit log to be updated. The default is every day.|
|Start Time||Specifies when the audit archiving should begin. The default is 12:00 am.|
|Items Expired||Displays the read-only number of entries that have expired.|
|Last Error||If an error has occurred, displays the read-only error text for any errors found.|
|Last Error Time||If an error has occurred, displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss, for example, Fri Jan 17 2014 23:50:00.|
You can view or change how audit logs are archived by clicking the Archive Settings button on the Audit Logging screen.
Archived audit log files are stored in the archive-audit.n.txt file in the appropriate subdirectory of the /var/config/rest/auditArchive directory on the BIG-IQ® Centralized Management system:
Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt file is created, which then has new audit entries appended to it.
Up to five compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest numbered archive, typically, archive-audit.5.txt.gz.
The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each rchive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all five archive-audit.n.txt.gzfiles exist, during the rotation the contents of archive-audit.5.txt.gz are overwritten, and are no longer available.
In high-availability (HA) configurations, there is a primary and secondary BIG-IQ® system. During failover, the audit log entries and the audit archive settings are copied from the primary to the secondary system before the secondary system becomes the new primary system.
However, archived audit logs are not copied from the primary to the secondary BIG-IQ system.
The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ system console (shell) has access to this file.