In BIG-IQ Security, all firewall policy changes occur in a central location (the BIG-IQ Security database) not on individual BIG-IP Advanced Firewall Manager (AFM) devices.
BIG-IQ Security records every firewall policy change (every configuration change to a working-configuration object) in the firewall audit log. A change is defined as: object created, object deleted, object modified. Thus, the audit log is an important tool for debugging and tracking changes to firewall devices.
All BIG-IQ system roles have read-only access to the log and can view entries. Only users with the role of Administrator or Security_Manager can delete entries.
Changes to the following working-configuration objects generate log entries:
The following actions also generate log entries:
|Customize the columns displayed||Hover in any column header and right-click to display the column customizer. Select or clear the check boxes to display or hide columns.|
|Customize the order of columns displayed||Click any column header and drag-and-drop the column to the preferred location.|
|Sort by column||Click the column you want to sort by.|
All BIG-IQ system roles have read-only access to the audit log and can view entries. Security users with a role of either Administrator or Security_Manager can also delete entries in the audit log viewer.
There are no limits to the number of entries displayed. You can prune to constrain the list to relevant data and a manageable size. Use the scroll bar to the right to scroll through entries. Exercise caution when deleting entries because once a deletion occurs, you cannot get the entry back.
Automatic deleting of entries is not supported.
|A single entry||Select the check box for the entry you want to delete and then click Remove. You will not receive a confirmation dialog box.|
|All entries||Scroll slowly until you reach the end of the list of entries. If you see a message indicating that buffering is occurring, you are scrolling too fast. When you reach the bottom of the list, click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all entries.|
|Multiple entries||Combine selecting with the Ctrl key or the Shift key, and then click Remove. You will not receive a confirmation dialog box.|
|A batch of entries||Type a text string in the filter field at the top of the page and
click Apply. The result is a batched set of
entries that match the search criteria. Select the check box at the top
of the table and click Remove. The batch of
entries is removed.
If there are additional entries that meet the search criteria, another batch is presented. Select the check box at the top of the table and click Remove to remove that batch.
Repeat this process until all entries matching the filter criteria are removed.You will not receive a confirmation dialog box after deleting each batch.
The firewall audit log viewer displays the following properties for each entry.
|Client IP||IP address for the BIG-IQ system.|
|Time||User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC, but the GUI displays the time in the user's local time zone.|
|Node||FQDN for the BIG-IQ system that recorded the event.|
|User||User who initiated the action.|
|Object Name||Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object.|
|Type||Class or group of the object modified.|
|Action||Type of modification (New, Delete, or Update).|
|Version||Generation of the object; number of times the system generated the object.|
The BIG-IQ Security system records all API traffic. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system. This log exists to assist in debugging problems and tracking changes.
Any user who can access the BIG-IQ Security console (shell) has access to this file.