Manual Chapter : Viewing Event Logs in Web Application Security

Applies To:

BIG-IQ Centralized Management

  • 5.3.0

About event log viewing

You can view Web Application Security event logs to obtain useful insights regarding activity on applications and servers. The BIG-IQ® Centralized Management platform enables a single view of all filters and log entries (and details for each entry) from multiple BIG-IP® devices.

The event log interface consists of two filter fields and three screens:

  • Filter fields:
    • Selected devices filter. This filter appears below the Event Logs header. You can use it to select one or more devices for event viewing.
    • Filter field. Appears to the right of the selected devices field. You can use it to type text to rapidly narrow the search scope. You can also save filters that you use often.
  • Screens:
    • Devices. At the far left, use this to select a group of requests, policies, saved filters, or pre-configured tags. The object you select determines the set of items that appears in the next screen.
    • Log items. Use this to browse log items, or select one and view log item details.
    • Details. Displays details of the item selected in the Log items screen.

Viewing event log details

You can view request and response details for a single log item.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. Click a single event log.
    The Details screen displays a variety of information about the event.
  3. On the Details screen, click Request to view request details.
    Details include:
    • Raw HTTP[S] request
    • General request details
    • Geolocation
    • Policy details
    • List of related tags
  4. Click Response to view response details.

Using common filters

You can update common filters for requests and security policies.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. To update log items according to a selected filter (such as Requests or Policies), click any item under Requests or Policies.
The system updates log items according to the selected filter.

Filtering (basic)

You can use the filter to refine your searches through the event logs, including searches through logs from multiple BIG-IP® devices.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. In the Filter field, click the triangle to the right of the field.
    The Search filter popup screen opens to the basic view, which is the default.
  3. Complete the fields.
    • Request type. Type a request type, or select All requests or Illegal requests (log responses for illegal requests only) from the list.
    • Support ID. Type the complete support ID (the unique ID given to a transaction), or select the Last 4 digits check box and type the last 4 digits of the support ID.
    • Violation. Use this list to select the policy violation that detected the attack, such as Attack Signature Detection or Illegal Cookie Length. Select a violation type from the list, or select none (any violation type matches).
    • Attack type. Use this list to select the type of attack (such as Denial of Service or HTTP Parser Attack) that you want to see. Select nothing (any attack type matches), or select a specific attack type.
    • Time Period. In the From and To fields, type a date and time in the format 2015-12-01T15:15:29-05:00, or click the calendar icon and select dates.
    • Policies. Type a policy name in the field, or click in the field and select a policy from the list.
  4. Click the Search bar.
    The results of the filtering process appear in the Log Items list.
  5. When you have configured a search that you will use repeatedly or frequently, click Save the current filter, type a filter name, and click Save.
    The saved filter appears in the left panel under Saved filter.

Filtering (advanced)

You can use the filter's advanced setting to refine your searches.

You can type a query in the filter box in the format method:'value' protocol:'value' severity:'value'. For example: method:'GET' protocol:'HTTPS' severity:'error'.

Or, you can open the filter and use the following steps.

  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. Open the Filter field.
    The Search filter popup screen opens to the basic view, which is the default.
  3. Click Advanced.
  4. Complete the fields.
    • Method. From the list, select an HTTP method.
    • Protocols. From the list, select HTTP or HTTPS, depending on the security requirements.
    • Severity. From the list, select Informational, Critical, or Error.
  5. Click the search bar.
    The results of the filtering process appear in the Log Items list.
  6. When you have configured a search that you will use repeatedly or frequently, click Save the current filter, type a filter name, and click Save.
    The saved filter appears in the left panel under Saved filter.

Filtering by entering query parameters

You can use the Filter field to enter a query in ODATA format:

key1:'value' key2:'value' (key3:'value' OR key4:'value').

For example:

policy_name:'/Common/policy1'

The BIG-IQ® Centralized Management system supports both AND and OR constructs.

  • OR. Use this operator to return log items that meet one or more of the criteria.
  • AND. Use this operator to return log items that meet all of the criteria.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. In the Filter field, type a query in ODATA format.
  3. Type a key from the following list:
    • attack_type. Name of the identified attack (string). For example: Non-browser client.
    • date_time. Current date and time. For example: 2016-09-19 13:52:29.
    • dest_ip. Requested service IP address, generally the virtual server IP address. For example: 192.168.5.11.
    • dest_port. Destination port of this transaction (non-negative integer). For example: 80.
    • geo_location. Country/city location information, based on the source IP address. For example: USA/NY.
    • headers. List of request headers found in request logs. For example: Host: myhost.com; Connection: close.
    • http_class_name. Alias of the policy name. For example: /Common/topaz4-web4.
    • ip_address_intelligence. List of IP intelligence categories found for the IP address, such as proxy or phishing. For example: Scanners.
    • ip_client. Client source (attacker) IP address. For example: 192.168.5.10.
    • management_ip_address. BIG-IP® management IP address.
    • method. HTTP method requested by the client. For example: GET.
    • policy_apply_date. Date and time of the last apply policy operation.
    • policy_name. Name of the active security policy. For example: ACME security policy.
    • protocol. Transport protocol (string). For example: HTTP.
    • query_string. URI query string. For example: /.
    • request. Request string sent by the client. For example: GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n.
    • request_status. Action applied to the client request. For example: Blocked.
    • response_code. The HTTP response code returned by the back-end server (application). This information is relevant only for requests that are not blocked. For example: 200.
    • route_domain. Route domain number (non-negative integer). For example: 0.
    • session_id. ID number (hexadecimal) assigned to the request so that the system administrator can track requests by session. For example: a9141b68ac7b4958.
    • severity. Severity category to which the event belongs. For example: Error.
    • sig_ids. Signature ID number (positive non-zero integer). For example: 200021069.
    • sig_names. Signature name(s). For example: Automated client access %22wget%22.
    • src_port. Client source port of this transaction (non-negative integer). For example: 52974.
    • sub_violations. Comma-separated list of sub-violation strings. For example: Bad HTTP version, Null in request.
    • support_id. Internally generated integer to assist with client access support. For example: 18205860747014045721.
    • unit_hostname. BIG-IP system FQDN (unit host name).
    • uri. URI requested by the client (string). For example: /.
    • username. User name for the client session. For example: admin.
    • violations. Comma-separated list of the violations that occurred during enforcement of the request or response. For example: Attack signature detected.
    • virus_name. Virus name (string). For example: Melissa.
    • x_forwarded_for_header_value. Value of the XFF HTTP header (string). For example: 192.168.5.10.
  4. Type an operator from the following list:
    • eq. Equal.
    • ne. Not equal.
    • lt. Less than.
    • le. Less than or equal to.
    • gt. Greater than.
    • ge. Greater than or equal to.
  5. Type a value in any of the following formats:
    • 'value'. For example: policy_name:'/Common/policy1'
    • '*alue'. For example: policy_name:'*Common/policy1'
    • 'alu*'. For example: policy_name:'Common/policy*'
    • '*ue*'. For example: policy_name:'policy*'
  6. Press Enter or click the search icon to start the search.
The system updates log items according to the typed query, and results appear in the Log Items list.
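As an added illustration, not code from the BIG-IQ documentation or product, the following Python evaluates queries in the format described above against a few constructed log items: key:'value' terms, implicit and explicit AND, OR groups in parentheses, and the '*' wildcard forms. It assumes case-insensitive value matching, and it does not model the eq/ne/lt/le/gt/ge operators, whose query syntax this chapter does not show.

```python
import re
# Constructed sample log items keyed as in the table above (not real BIG-IQ data).
LOG_ITEMS = [
    {"policy_name": "/Common/policy1", "method": "GET", "protocol": "HTTPS", "severity": "Error"},
    {"policy_name": "/Common/policy2", "method": "POST", "protocol": "HTTP", "severity": "Informational"},
    {"policy_name": "/Common/topaz4-web4", "method": "GET", "protocol": "HTTPS", "severity": "Critical"},
]
# Tokens: parentheses, OR/AND, key:'value' terms; the trailing \S+ catches junk for factor() to reject.
TOKEN_RE = re.compile(r"\(|\)|\b(?:OR|AND)\b|\w+:'[^']*'|\S+")

def compile_filter(query):
    """Recursive descent: expr := term (OR term)*; term := factor ([AND] factor)*; adjacent factors are ANDed."""
    tokens = TOKEN_RE.findall(query)
    def peek(): return tokens[0] if tokens else None
    def take(): return tokens.pop(0) if tokens else ""
    def expr():
        terms = [term()]
        while peek() == "OR":
            take()
            terms.append(term())
        return lambda item: any(t(item) for t in terms)
    def term():
        factors = [factor()]
        while peek() not in (None, "OR", ")"):
            if peek() == "AND":
                take()
            factors.append(factor())
        return lambda item: all(f(item) for f in factors)
    def factor():
        tok = take()
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if not (m := re.fullmatch(r"(\w+):'([^']*)'", tok)):
            raise ValueError(f"bad filter syntax near {tok!r}")
        key, pattern = m.groups()
        # '*' is the only wildcard ('value', '*alue', 'alu*', '*ue*'); case-insensitive matching is an assumption.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return lambda item: re.fullmatch(regex, str(item.get(key, "")), re.IGNORECASE) is not None
    predicate = expr()
    if peek() is not None:
        raise ValueError("unbalanced ')'")
    return predicate

def search(items, query):
    """Return the items the Log Items list would show for this query."""
    predicate = compile_filter(query)
    return [item for item in items if predicate(item)]
```

A query with stray text, a missing ')' or an unmatched ')' raises ValueError instead of silently matching nothing.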