Manual Chapter : Managing Audit Logs

Applies To:

BIG-IQ Security

  • 4.3.0

About the audit logs and the viewer

In large customer environments, multiple users make changes to security policies. These policy changes occur in a central location (the BIG-IQ Network Security database), not on individual BIG-IP Advanced Firewall Manager (AFM) devices.

BIG-IQ Network Security records every policy change (that is, every configuration change to a working-configuration object) in the firewall audit log. A change is any of: object created, object deleted, or object modified. The audit log is therefore an important tool for debugging and for tracking changes to firewall devices.

To support this tracking, BIG-IQ Network Security provides an audit log that records all security traffic (users, times, events, and so on). Users who can access the BIG-IQ Network Security console (shell) have access to this file.

The audit log viewer retrieves entries from this database for display in the GUI.

In addition, all API traffic on the BIG-IQ system, every REST service command for all licensed modules, is logged in a central audit log (restjavad-audit.n.log).

Managing the audit log

You can review audit log contents periodically and archive contents locally for off-device processing, troubleshooting, and future reference.

In high-availability (HA) configurations, each node maintains its own audit log. Entries are synced only after the HA configuration is set: entries that already exist on the primary node when you configure HA are not replicated to the standby node, whereas entries generated afterwards are replicated.

Deletions, whether performed manually through the Audit Log viewer or as part of a delete and archive operation, are not replicated to the standby node; the entries remain there.

Also, archives are configured separately on each node.

Changes to the following working-configuration objects generate log entries:

  • Firewalls
  • Policies
  • Rule lists
  • Address lists
  • Port lists
  • Schedules
  • Snapshots

The following actions also generate log entries:

  • Add/edit BIG-IQ Network Security system roles. Tracking role modification provides auditing for the assignment of users to roles.
  • Create/cancel device discovery and reimport.
  • Delete previously-discovered device.
  • Create/delete deployment task.
  • Create difference task.
  • Create/delete snapshot.
  • Edit of system information (such as host name and internal self IP).

  1. To examine audit logs using SSH, log in to the BIG-IQ Network Security device with Administrator or Security_Manager credentials.
  2. Navigate to the audit log location: /var/log/audit.
  3. Examine files with the naming convention audit.n.txt, where n is the log number.
  4. Once located, you can view or save the log locally through a method of your choice.

About the firewall audit log viewer

The Audit Log viewer retrieves entries from the audit log for display in the BIG-IQ Network Security GUI.

Note: The Audit Log viewer is not updated dynamically. You must refresh the page to get new entries.

All BIG-IQ system roles have read-only access and can view entries. Only users with the role of Administrator or Security_Manager can delete entries or modify configuration settings.

Viewing differences in the audit log viewer

Use the built-in firewall audit log viewer provided in BIG-IQ Network Security to examine differences between entries listed in the viewer. If no differences are found, a message is displayed.
  1. Log in to the BIG-IQ Network Security system with Administrator or Security_Manager credentials.
  2. To display the viewer, click the Audit Logs link in the black banner.
  3. To display differences between object generations, click an object in the Object Name column. The Difference Viewer appears. Areas of differences are highlighted in gold. Additions to a generation are highlighted in green. Textual JSON appears for each difference found.
  4. When finished, click Close.

Filtering entries in the audit log viewer

The Filter field at the top of the Audit Logs page enables you to rapidly narrow the scope displayed in the viewer and more easily locate an entry in the audit log. Filtering is text-based and not case-sensitive. To clear the filter, click the X at the end of the search string under the Filter field. All BIG-IQ system roles have read-only access to the audit log and can filter entries.
  1. Log in to BIG-IQ Network Security.
  2. Click the Audit Logs link in the black banner under Firewall.
  3. Note that you can use wildcards in all filtering operations. To filter on the:

    Client IP
      Enter the client IP address in the filter.

      Note that when a task is not initiated by a user, the entry in the Client IP column is blank.

    Time (mix of letters and numbers)
      Enter a date/time in any of the following formats:
      • mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
      • ddd mmm dd yyyy hh:mm. Example: Thu Jan 16 2014 11:01
      • ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50

      Formats are highly browser-dependent. Other formats might appear to filter successfully but are not supported.

      You must enter both a date and a time.

      Entering a single date/time results in a filter displaying all entries from the specified date/time to the current date/time.

      To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05.

    Time (numbers only)
      Enter a date/time in any of the following formats:
      • m/d hh:mm:ss. Example: 1/1 12:14:15
      • mm/dd hh:mm:ss. Example: 01/01 12:14:15
      • m/d hh:mm. Example: 1/1 12:14
      • m/d h:mm. Example: 1/1 2:14
      • mm/dd hh:mm. Example: 01/01 12:14
      • mm/dd/yy hh:mm:ss. Example: 01/01/14 12:14:15
      • m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
      • mm/dd/yy hh:mm. Example: 01/01/14 12:14
      • m/d/yy hh:mm. Example: 1/1/14 12:14
      • mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15

      You must enter both a date and a time.

      Entering a single date/time results in a filter displaying all entries from the specified date/time to the current date/time.

      To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18.

    Node
      Enter the node name in the filter.

    User
      Enter the user name in the filter.

    Object Name
      Enter the name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4.

      Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON.

    Type
      Enter the type in the filter. Note that WC stands for working configuration.

    Action
      Enter the action in the filter.

    Version
      Enter the version number in the filter.
  4. Click Apply.
The result of a filter (or search) operation is a set of entries that match the filter criteria, sorted by time.

Deleting entries in the audit log viewer

All BIG-IQ system roles have read-only access to the audit log and can view entries. Security users with a role of either Administrator or Security_Manager can also delete entries.

There is no set limit on the number of entries that the viewer can display, although the viewer does not display archived entries. You can prune entries to constrain the list to relevant data and a manageable size. Use the scroll bar on the right to scroll through entries.

Note: Exercise care when deleting entries. Once deleted, entries cannot be retrieved.
  1. Log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
  2. To view the audit log, click the Audit Logs link in the black banner under Firewall.
  3. To delete:

    A single entry
      Select the check box for the entry you want to delete, and then click Remove. You will not receive a confirmation dialog box.

    All entries stored on this BIG-IQ system
      Select the check box in the header row, and then click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all entries. Note that this action removes all entries, not just those visible in the viewer page.

    Multiple entries
      Hold the Shift key while selecting the entries, and then click Remove. You will not receive a confirmation dialog box.

    A filtered batch of entries
      Type a text string in the Filter field at the top of the page and click Apply. The result is the batch of entries that match the criteria.

      Select the check box in the header row at the top of the table and click Remove.

      The batch of entries is removed. If the system holds many entries, deleting a large batch can take some time, and you must keep the Audit Logs viewer open until the operation completes.

Firewall audit log entry properties

The firewall audit log viewer displays the following properties for each entry.

Client IP
  IP address for the BIG-IQ system.
Time
  User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC, but the GUI displays the time in the user's local time zone.
Node
  FQDN for the BIG-IQ system that recorded the event.
User
  User who initiated the action.
Object Name
  Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object.
Type
  Class or group of the object modified.
Action
  Type of modification (New, Delete, or Update).
Version
  Number of times the system generated the object.

Firewall audit log archival settings

The firewall Audit Logs viewer provides the following settings for archiving audit log entries. In a high-availability (HA) configuration, audit log archives are replicated between BIG-IQ Network Security HA nodes; however, the archival settings themselves are configured separately on each node.

Days to keep entries
  Default is 30 days. The field must contain an integer between 1 and 366.

Check expiration at this time
  Contains the hour and minute when expiration of entries will be checked. You can enter the hour and minute manually (in the format hh:mm), or you can click in the field to view and edit them in the Choose Time dialog box. Adjust the Hour and Minute sliders to the desired hour and minute, and then click Done.

When entries expire
  Controls whether expired entries are simply deleted from the audit log, or deleted from the audit log and saved to the audit log archive. Select Delete to delete the entry. (This action is permanent; you cannot get a deleted entry back.) Select Delete and Archive to delete the entry but archive it for future reference.

  Expired entries are saved to a predefined file at /var/log/firewall/archive-audit.0.txt.

Next run time
  Informational, read-only setting indicating the next time entries will be archived. Run time is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.

Last run time
  Informational, read-only setting indicating the last time entries were archived. Run time is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.

Last Error
  Informational, read-only setting. The field contains the text No error or the error text for any errors found.

Last Error Time
  Informational, read-only setting. Time in the field is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Fri Jan 17 2014 23:50:00.
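The retention policy that these settings express (an integer from 1 to 366 days, a daily check at an hh:mm time, and either Delete or Delete and Archive when entries expire) is written out below as a small stand-alone routine so the behaviour can be seen on sample data. This is an added example, not BIG-IQ's scheduler; the dict layout of an entry and the JSON-lines format of the archive file are assumptions, and the demo writes to a temporary file rather than the /var/log/firewall path named above.

```python
"""Added example: one pass of the audit log expiration policy described by the
archival settings. Illustrative code, not BIG-IQ's scheduler; entry layout and
the JSON-lines archive format are assumptions."""
import json
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Tuple

DEFAULT_ARCHIVE = Path("/var/log/firewall/archive-audit.0.txt")  # path named in the manual


def validate_days_to_keep(days: int) -> int:
    """The field must contain an integer between 1 and 366 (default 30)."""
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 366:
        raise ValueError("Days to keep entries must be an integer between 1 and 366")
    return days


def next_run_time(check_at: str, now: datetime) -> datetime:
    """Next occurrence of the hh:mm check time strictly after `now`:
    later today if it has not passed yet, otherwise tomorrow."""
    hour, minute = (int(part) for part in check_at.split(":"))
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)  # rejects bad hh:mm
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def expire_entries(entries: List[Dict], days_to_keep: int, mode: str, now: datetime,
                   archive_path: Path = DEFAULT_ARCHIVE) -> Tuple[List[Dict], int]:
    """Apply the policy once, as the scheduled check would. 'delete' discards
    expired entries permanently; 'delete_and_archive' appends them to
    archive_path first. Returns (kept_entries, expired_count)."""
    validate_days_to_keep(days_to_keep)
    if mode not in ("delete", "delete_and_archive"):
        raise ValueError("mode must be 'delete' or 'delete_and_archive'")
    cutoff = now - timedelta(days=days_to_keep)
    kept, expired = [], []
    for entry in entries:
        target = expired if datetime.fromisoformat(entry["time"]) < cutoff else kept
        target.append(entry)
    if mode == "delete_and_archive" and expired:
        archive_path.parent.mkdir(parents=True, exist_ok=True)
        with archive_path.open("a", encoding="utf-8") as fh:
            for entry in expired:
                fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return kept, len(expired)


# Constructed sample entries (UTC, ISO 8601); not taken from a real system.
SAMPLE_ENTRIES = [
    {"time": "2013-12-01T09:15:00", "user": "admin", "object": "Common/global", "action": "Update"},
    {"time": "2013-12-28T23:00:00", "user": "secmgr", "object": "newRule1", "action": "New"},
    {"time": "2014-01-21T11:04:12", "user": "admin", "object": "AddressList_4", "action": "Update"},
    {"time": "2014-01-27T16:40:00", "user": "secmgr", "object": "deploy-test", "action": "Delete"},
]


def run_demo() -> Dict[str, object]:
    """One Delete and Archive pass at the manual's example run time
    (Tue Jan 28 2014 02:50:00) with the 30-day default, archiving to a temp file."""
    now = datetime(2014, 1, 28, 2, 50, 0)
    archive = Path(tempfile.mkdtemp()) / "archive-audit.0.txt"
    kept, expired = expire_entries(SAMPLE_ENTRIES, 30, "delete_and_archive", now, archive)
    archived_lines = archive.read_text(encoding="utf-8").splitlines()
    scheduled = next_run_time("02:50", datetime(2014, 1, 27, 10, 0, 0))
    return {
        "kept": len(kept),
        "expired": expired,
        "archived": len(archived_lines),
        "next_run": scheduled.strftime("%a %b %d %Y %H:%M:%S"),
    }
```

With the 30-day default and a run at 02:50 on Jan 28 2014, the cutoff falls on Dec 29 2013, so the two older sample entries expire and are appended to the archive while the two newer ones are kept; the Delete mode follows the same split but writes nothing, which is why the manual calls that choice permanent.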

About the REST API audit log

The REST API audit log records all API traffic on the BIG-IQ system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.

Note: The current iteration of the log is named restjavad-audit.0.log. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in /etc/restjavad.log.conf.

Any user who can access the BIG-IQ Network Security console (shell) has access to this file.

Managing the REST API audit log

The REST API audit log contains an entry for every REST API command processed by the BIG-IQ system and is an essential source of information about the modules licensed under your BIG-IQ Network Security system. It can assist with compliance, troubleshooting, and record-keeping. Review its contents periodically, and save them locally for off-device processing and archiving.
  1. Using SSH, log in to the BIG-IQ Network Security device with administrator credentials.
  2. Navigate to the restjavad log location: /var/log.
  3. Examine files with the naming convention restjavad-audit.n.log, where n is the log number.
  4. Once located, you can view or save the log locally through a method of your choice.
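Both SSH procedures in this chapter end with saving rotated log files (audit.n.txt under /var/log/audit, restjavad-audit.n.log under /var/log) off the device "through a method of your choice". The example below, added here and not an F5 tool, shows one such method: it gathers the numbered generations of a log in rotation order, copies them into a bundle, writes a SHA-256 manifest in the format `sha256sum -c` reads, and re-verifies the bundle so that later tampering or truncation of a saved copy is detectable. The demo runs against a constructed directory with placeholder file contents; the function names and the manifest file name are this example's own.

```python
"""Added example: bundle rotated audit logs with a SHA-256 manifest so copies
taken off the device can be checked for integrity later. Illustrative code,
not an F5 utility; run here against a constructed temp directory."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def rotated_logs(log_dir: Path, prefix: str, suffix: str) -> List[Path]:
    """Return <prefix>.<n>.<suffix> files ordered by rotation number n
    (0 is the current log; higher numbers are older generations).
    Sorting numerically keeps 10 after 1, which a lexical sort would not."""
    pattern = re.compile(rf"^{re.escape(prefix)}\.(\d+)\.{re.escape(suffix)}$")
    numbered = []
    for path in log_dir.iterdir():
        match = pattern.match(path.name)
        if match and path.is_file():
            numbered.append((int(match.group(1)), path))
    return [path for _, path in sorted(numbered)]


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large logs do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_logs(log_dir: Path, dest_dir: Path, prefix: str, suffix: str) -> Dict[str, str]:
    """Copy each rotated log into dest_dir, confirm the copy matches its source,
    and write SHA256SUMS there. Returns {file name: hex digest} in rotation order."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for src in rotated_logs(log_dir, prefix, suffix):
        dst = dest_dir / src.name
        shutil.copy2(src, dst)
        manifest[src.name] = sha256_of(dst)
        if manifest[src.name] != sha256_of(src):
            raise IOError(f"copy of {src.name} does not match its source")
    with (dest_dir / "SHA256SUMS").open("w", encoding="utf-8") as fh:
        for name, digest in manifest.items():
            fh.write(f"{digest}  {name}\n")   # same layout sha256sum -c expects
    return manifest


def verify_bundle(dest_dir: Path) -> bool:
    """Recompute the digest of every file listed in SHA256SUMS; False on any mismatch."""
    for line in (dest_dir / "SHA256SUMS").read_text(encoding="utf-8").splitlines():
        digest, name = line.split("  ", 1)
        if sha256_of(dest_dir / name) != digest:
            return False
    return True


def run_demo() -> Dict[str, object]:
    """Build a constructed /var/log look-alike, bundle the REST API audit logs,
    then alter one copy to show that verification catches the change."""
    root = Path(tempfile.mkdtemp())
    log_dir = root / "log"
    log_dir.mkdir()
    # Constructed sample files; the contents are placeholders, not real restjavad output.
    (log_dir / "restjavad-audit.0.log").write_text("current generation\n")
    (log_dir / "restjavad-audit.1.log").write_text("previous generation\n")
    (log_dir / "restjavad-audit.10.log").write_text("older generation\n")
    (log_dir / "restjavad.0.log").write_text("not an audit log\n")  # decoy, must be skipped
    dest = root / "bundle"
    manifest = collect_logs(log_dir, dest, "restjavad-audit", "log")
    intact_before = verify_bundle(dest)
    (dest / "restjavad-audit.1.log").write_text("previous generation, altered\n")
    return {"order": list(manifest), "intact_before": intact_before,
            "intact_after": verify_bundle(dest)}
```

The same call with `prefix="audit"` and `suffix="txt"` against /var/log/audit covers the firewall audit log files from the earlier procedure. Keep the SHA256SUMS file somewhere the bundled copies cannot be rewritten by the same account, since a manifest stored next to the logs only proves the copy is unchanged since it was written, not who wrote it.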