Applies To: BIG-IQ Security 4.3.0
About the audit logs and the viewer
In large customer environments, multiple users make changes to security policies. These policy changes occur in a central location (the BIG-IQ Network Security database) rather than on individual BIG-IP Advanced Firewall Manager (AFM) devices.
BIG-IQ Network Security records every policy change (every configuration change to a working-configuration object) in the firewall audit log. A change is defined as: object created, object deleted, object modified. Thus, the audit log is an important tool for debugging and tracking changes to firewall devices.
To track these changes, BIG-IQ Network Security provides an audit log that records all security traffic (users, times, events, and so on). Users who can access the BIG-IQ Network Security console (shell) have access to this file.
The audit log viewer retrieves entries from this database for display in the GUI.
In addition, all API traffic on the BIG-IQ system (every REST service command for all licensed modules) is logged in a central audit log (restjavad-audit.n.log).
Managing the audit log
In high-availability (HA) configurations, each node maintains its own audit log. Entries are synced after the HA configuration is set. If you have entries on the primary node and then configure HA, the previously-generated entries on the primary will not be replicated to the standby node; new entries will be replicated.
Deletions, whether performed manually through the Audit Log viewer or performed as part of a delete and archive operation, are not replicated to the standby node.
Also, archives are configured separately on each node.
Changes to the following working-configuration objects generate log entries:
- Firewalls
- Policies
- Rule lists
- Address lists
- Port lists
- Schedules
- Snapshots
The following actions also generate log entries:
- Add/edit BIG-IQ Network Security system roles. Tracking role modification provides auditing for the assignment of users to roles.
- Create/cancel device discovery and reimport.
- Delete previously-discovered device.
- Create/delete deployment task.
- Create difference task.
- Create/delete snapshot.
- Edit system information (such as host name and internal self IP).
About the firewall audit log viewer
The Audit Log viewer retrieves entries from the audit log for display in the BIG-IQ Network Security GUI.
All BIG-IQ system roles have read-only access and can view entries. Only users with the role of Administrator or Security_Manager can delete entries or modify configuration settings.
Viewing differences in the audit log viewer
- Log in to the BIG-IQ Network Security system with Administrator or Security_Manager credentials.
- To display the viewer, click the Audit Logs link in the black banner.
- To display differences between object generations, click an object in the Object Name column. The Difference Viewer appears. Areas of differences are highlighted in gold. Additions to a generation are highlighted in green. Textual JSON appears for each difference found.
- When finished, click Close.
Filtering entries in the audit log viewer
- Log in to BIG-IQ Network Security.
- Click the Audit Logs link in the black banner under Firewall.
- Type the filter criteria in the Filter field at the top of the page. Note that you can use wild cards in all filtering operations. To filter on the:
  - Client IP: Enter the client IP address in the filter. Note that when a task is not initiated by a user, the entry in the Client IP column is blank.
  - Time (mix of letters and numbers): Enter a date/time in any of the following formats:
    - mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
    - ddd mmm dd yyyy hh:mm. Example: Thu Jan 16 2014 11:01
    - ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50
    Formats are highly browser-dependent. Other formats might appear to filter successfully but are not supported. You must enter both a date and a time. Entering a single date/time results in a filter displaying all entries from the specified date/time to the current date/time. To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05.
  - Time (numbers only): Enter a date/time in any of the following formats:
    - m/d hh:mm:ss. Example: 1/1 12:14:15
    - mm/dd hh:mm:ss. Example: 01/01 12:14:15
    - m/d hh:mm. Example: 1/1 12:14
    - m/d h:mm. Example: 1/1 2:14
    - mm/dd hh:mm. Example: 01/01 12:14
    - mm/dd/yy hh:mm:ss. Example: 01/01 12:14:15
    - m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
    - mm/dd/yy hh:mm. Example: 01/01/14 12:14
    - m/d/yy hh:mm. Example: 1/1/14 12:14
    - mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15
    You must enter both a date and a time. Entering a single date/time results in a filter displaying all entries from the specified date/time to the current date/time. To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18.
  - Node: Enter the node name in the filter.
  - User: Enter the user in the filter.
  - Object Name: Enter the name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4. Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON.
  - Type: Enter the type in the filter. Note that WC stands for working configuration.
  - Action: Enter the action in the filter.
  - Version: Enter the version number in the filter.
- Click Apply.
Deleting entries in the audit log viewer
All BIG-IQ system roles have read-only access to the audit log and can view entries. Security users with a role of either Administrator or Security_Manager can also delete entries.
There is no set limit on the number of entries that the viewer can display, although the viewer will not display archived entries. You can prune entries to constrain the list to relevant data and a manageable size. Use the scroll bar to the right to scroll through entries.
- Log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
- To view the audit log, click the Audit Logs link in the black banner under Firewall.
- To delete:
  - A single entry: Select the check box for the entry you want to delete and then click Remove. You will not receive a confirmation dialog box.
  - All entries stored on this BIG-IQ system: Select the check box in the header row and then click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all entries. Note that this action removes all entries, not just those visible in the viewer page.
  - Multiple entries: Combine selecting with the Shift key, and then click Remove. You will not receive a confirmation dialog box.
  - A filtered batch of entries: Type a text string in the Filter field at the top of the page and click Apply. The result after applying the filter is a batched set of entries that match the criteria. Select the check box at the top of the table in the header row and click Remove. The batch of entries is removed. Note that if you delete a large batch of entries, the operation may take some time if the system has a lot of entries. Also, you must keep the Audit Logs viewer open the entire time.
Firewall audit log entry properties
The firewall audit log viewer displays the following properties for each entry.
Event | Description |
---|---|
Client IP | IP address for the BIG-IQ system. |
Time | User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC, but the GUI displays the time in the user's local time zone. |
Node | FQDN for the BIG-IQ system that recorded the event. |
User | User who initiated the action. |
Object Name | Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object. |
Type | Class or group of the object modified. |
Action | Type of modification (New, Delete, or Update). |
Version | Number of times the system generated the object. |
Firewall audit log archival settings
The firewall Audit Logs viewer provides the following settings for configuring the archiving of audit log entries. In a high-availability (HA) configuration, audit log archives are replicated between BIG-IQ Network Security HA nodes. However, you can configure the archival settings separately on each node.
Setting | Description |
---|---|
Days to keep entries | Default is 30 days. The field must contain an integer between 1 and 366. |
Check expiration at this time | Contains the hour and minute when expirations on entries will be checked. You can enter the hour and the minute manually (in the format hh:mm). Or, you can click in the field to view and edit in the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute and then click Done. |
When entries expire | Controls whether entries are deleted from the audit log when they expire, or deleted from the audit log but archived to the audit log archive. Select Delete to delete the entry. (This action is permanent; you cannot get a deleted entry back.) Select Delete and Archive to delete the entry but archive it for future reference. Expired entries are saved to a predefined file at /var/log/firewall/archive-audit.0.txt. |
Next run time | Informational, read-only setting, indicating the next time entries will be archived. Run time is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. |
Last run time | Informational, read-only setting, indicating the last time entries were archived. Run time is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. |
Last Error | Informational, read-only setting. The field contains the text No error or the error text for any errors found. |
Last Error Time | Informational, read-only setting. Time in the field is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Fri Jan 17 2014 23:50:00. |
About the REST API audit log
The REST API audit log records all API traffic on the BIG-IQ system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ Network Security console (shell) has access to this file.