Manual Chapter : Managing Audit Logs

Applies To: BIG-IQ Security 4.2.0

About the firewall audit log viewer

In BIG-IQ Security, all firewall policy changes occur in a central location (the BIG-IQ Security database) not on individual BIG-IP Advanced Firewall Manager (AFM) devices.

BIG-IQ Security records every firewall policy change (every configuration change to a working-configuration object) in the firewall audit log. A change is any of the following: an object is created, an object is deleted, or an object is modified. The audit log is therefore an important tool for debugging and for tracking changes made to firewall devices.

All BIG-IQ system roles have read-only access to the log and can view entries. Only users with the role of Administrator or Security_Manager can delete entries.

Changes to the following working-configuration objects generate log entries:

  • Firewalls
  • Policies
  • Rule lists
  • Address lists
  • Port lists
  • Schedules
  • Snapshots

The following actions also generate log entries:

  • Add/edit BIG-IQ Security system roles. Tracking role modification provides auditing for the assignment of users to roles.
  • Create/cancel device discovery and reimport.
  • Delete previously-discovered device.
  • Create/delete deployment task.
  • Create difference task.
  • Create/delete snapshot.
  • Edits to system information (such as host name and internal self IP).

Managing the audit log viewer

Use the built-in features of the BIG-IQ Security firewall audit viewer to customize the display and locate entries faster.
  1. Log in to the BIG-IQ Security system with Administrator or Security_Manager credentials.
  2. To display the viewer, click the Audit Logs link in the black banner.
  3. Customize the display with any of the following options:
     • Customize the columns displayed: Hover over any column header and right-click to display the column customizer. Select or clear the check boxes to display or hide columns.
     • Customize the order of the columns displayed: Click any column header and drag the column to the preferred location.
     • Sort by column: Click the header of the column you want to sort by.

Deleting audit log viewer entries

All BIG-IQ system roles have read-only access to the audit log and can view entries. Security users with a role of either Administrator or Security_Manager can also delete entries in the audit log viewer.

There is no limit to the number of entries displayed. You can prune the list to constrain it to relevant data and a manageable size. Use the scroll bar on the right to scroll through the entries. Exercise caution when deleting entries, because once an entry is deleted you cannot get it back.

Automatic deletion of entries is not supported.

Note: Exercise care when deleting entries. Once deleted, entries cannot be retrieved.
  1. Log in to the BIG-IQ Security system with Administrator or Security_Manager credentials.
  2. To display the viewer, click the Audit Logs link in the black banner.
  3. Delete entries using one of the following methods:
     • A single entry: Select the check box for the entry you want to delete and then click Remove. No confirmation dialog box is displayed.
     • All entries: Scroll slowly until you reach the end of the list of entries. If you see a message indicating that buffering is occurring, you are scrolling too fast. When you reach the bottom of the list, click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all entries.
     • Multiple entries: Select the entries in combination with the Ctrl key or the Shift key, and then click Remove. No confirmation dialog box is displayed.
     • A batch of entries: Type a text string in the filter field at the top of the page and click Apply. The result is a batch of entries that match the search criteria. Select the check box at the top of the table and click Remove to delete the batch. If additional entries meet the search criteria, another batch is presented; select the check box at the top of the table and click Remove to delete that batch as well. Repeat until all entries matching the filter criteria are removed. No confirmation dialog box is displayed after deleting each batch.

Firewall audit log entry properties

The firewall audit log viewer displays the following properties for each entry.

  • Client IP: IP address for the BIG-IQ system.
  • Time: User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC, but the GUI displays it in the user's local time zone.
  • Node: FQDN of the BIG-IQ system that recorded the event.
  • User: User who initiated the action.
  • Object Name: Object identified by a user-friendly name; for example, newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object.
  • Type: Class or group of the object modified.
  • Action: Type of modification (New, Delete, or Update).
  • Version: Generation of the object; the number of times the system has generated the object.

About the REST API audit log

The BIG-IQ Security system records all API traffic. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system. This log exists to assist in debugging problems and tracking changes.

Note: The current iteration of the log is named restjavad-audit.0.log. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in /etc/restjavad.log.conf.

Any user who can access the BIG-IQ Security console (shell) has access to this file.

Managing the REST API audit log

The REST API audit log contains an entry for every REST API command processed by the BIG-IQ system and is an essential source of information about the modules licensed under your BIG-IQ Security system. It supports compliance, troubleshooting, and record-keeping. Review its contents periodically, and save them locally for off-device processing and archiving.
  1. Log in to the BIG-IQ Security device using SSH with administrator credentials.
  2. Navigate to the restjavad log location: /var/log.
  3. Examine the files with the naming convention restjavad-audit.n.log, where n is the log number.
  4. Once you have located the files, view or save the log locally using a method of your choice.
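As an added example that is not part of the BIG-IQ documentation, the following POSIX shell helper carries out steps 2 to 4 against a log directory (assumed to be /var/log on the device, or a copy of it): it lists the restjavad-audit.n.log generations in numeric rather than lexical order, copies them to an archive directory, and writes a SHA-256 manifest so the archived copies can be verified later. The function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not BIG-IQ code): collect the rotated REST API audit logs
# from a log directory into an archive directory, in generation order, and
# write a SHA-256 manifest so the archived copies can be verified later.
# Function names and the constructed sample data are assumptions.

# Print the restjavad-audit.n.log names found in directory $1, ordered by
# generation n (0 is the current log). A plain lexical sort would place
# restjavad-audit.10.log before restjavad-audit.2.log.
list_audit_logs() {
  ls "$1" 2>/dev/null | grep -E '^restjavad-audit\.[0-9]+\.log$' | sort -t. -k2,2n
}

# Copy every audit log generation from $1 to $2 and record a manifest.
# Verify a copy later with: (cd "$2" && sha256sum -c MANIFEST.sha256)
collect_audit_logs() {
  src="$1"; dest="$2"
  mkdir -p "$dest" || return 1
  for name in $(list_audit_logs "$src"); do   # names contain no whitespace
    cp "$src/$name" "$dest/$name" || return 1
  done
  (cd "$dest" && sha256sum restjavad-audit.*.log > MANIFEST.sha256)
}

# Constructed sample directory standing in for /var/log on a BIG-IQ device;
# the file contents are made up, not real restjavad output.
make_sample_logs() {
  mkdir -p "$1" || return 1
  for n in 0 1 2 10; do
    echo "constructed audit entry, generation $n" > "$1/restjavad-audit.$n.log"
  done
  echo "not an audit log" > "$1/restjavad.0.log"   # must be skipped
}

# Usage: sh collect_audit.sh /var/log /path/to/archive
# With no arguments, run against the constructed sample directory instead.
if [ $# -eq 2 ]; then
  collect_audit_logs "$1" "$2" && list_audit_logs "$2"
elif [ $# -eq 0 ]; then
  demo=$(mktemp -d) || exit 1
  make_sample_logs "$demo/log"
  collect_audit_logs "$demo/log" "$demo/archive" && cat "$demo/archive/MANIFEST.sha256"
  rm -rf "$demo"
fi
```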