Viewing the event logs with BIG-IQ Web Application Security makes browsing system event logs easier and provides a way to obtain useful insights into the activity on applications and servers. It also lets you view logs from multiple BIG-IP devices.
You can also view logs through the BIG-IP system interface. However, the BIG-IP system interface shows logs for one BIG-IP device only, and its presentation has many nested views and complex filters, so it is difficult to obtain a complete picture. The Web Application Security presentation provides a single view of all the filters, log entries, and details for each entry, giving a more intuitive navigation path through the log items.
To determine which events are logged, you must set up a logging profile on the BIG-IP system. The logging profile directs the security events to a BIG-IQ Logging Node, and the BIG-IQ system retrieves them from that node.
A BIG-IQ Logging Node (also known as an ASM Logging Node) is a specially-provisioned BIG-IQ system, running the same software build as the BIG-IQ device where you manage your security policies. One or more BIG-IP systems send their logging events to a Logging Node, and the BIG-IQ system can retrieve logging events from one or more Logging Nodes.
To install a BIG-IQ Logging Node, you provision a standard BIG-IQ system as a Logging Node (by allowing a particular service on a self IP port and expanding the size of the file system that holds log files), and then upgrade the Logging Node software to the same build that is running on its BIG-IQ partner.
This product ships with a software build that was current at the time of the software release. Typically, a later build is available. The build on the Logging Node must be the same as the build on its partner BIG-IQ system. If you need to upgrade the Logging Node, follow the instructions in Upgrading BIG-IQ Systems.
The Event Logs system interface consists of two filtering fields and three main panes:

| Filter | Description |
|---|---|
| Request type | From the list, select All requests or Illegal requests (log responses for illegal requests only). |
| Support ID | Type the last 4 digits of the support ID (the unique ID given to a transaction). |
| Violation | Selects the policy violation that detects attacks, such as Attack Signature Detection or Illegal Cookie Length. From the list, select nothing (any violation type matches) or a violation type. |
| Attack type | Selects the type of service attack (such as Denial of Service or HTTP Parser Attack) that you want to see. From the list, select nothing (any attack type matches) or choose a particular attack type. |
| Time Period | In the From field, click the calendar icon and select a start date. Then, in the To field, click the calendar icon and select an end date. |
| Policies | Type a policy name. |
| Method | From the list, select GET, POST, PATCH, or DELETE. |
| Protocols | From the list, select HTTP. |
| Severity | From the list, select Informational, Critical, or Error. |

| Field | Description |
|---|---|
| attack_type | Name of the attack |
| date_time | Current date and time |
| dest_ip | Destination IP of this transaction (virtual server) |
| dest_port | Destination port of this transaction (virtual server) * |
| geo_location | Attacker geolocation * |
| header | List of request headers |
| http_class_name | Alias of policy name |
| ip_address_intelligence | IP category such as proxy, phishing, and so on * |
| ip_client | Attacker IP address |
| management_ip_address | BIG-IP management IP address |
| method | HTTP method of the request (POST, GET, and so on) |
| policy_apply_date | Date and time of the last apply-policy operation |
| policy_name | Name of the active policy |
| protocol | Transport protocol (HTTP) |
| query_string | URI query string |
| request | Full request * |
| response_code | HTTP response code |
| severity | Severity of the request (Informational/Error/Critical/Warning) |
| src_port | Source port of this transaction * |
| support_id | Unique ID given to a transaction |
| unit_hostname | BIG-IP unit host name * |
| uri | URI of the request * |
| violations | List of violations |

| Operator | Meaning |
|---|---|
| le | Less than or equal to |
| ge | Greater than or equal to |
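To make the filter semantics above concrete, here is an added example (not F5 code and not the BIG-IQ API) that applies the Request type, Support ID, Violation, Attack type, Time Period, Severity and Method filters to a list of constructed log entries keyed by the field names listed above. It assumes that an "illegal request" is one whose `violations` list is non-empty, and it applies the Time Period as an inclusive range (`ge` From, `le` To).

```python
from datetime import datetime

# Constructed sample entries using the field names from the table above (not real BIG-IP output).
EVENTS = [
    {"support_id": "17334455667788991234", "date_time": "2024-05-01 09:12:44",
     "attack_type": "Cross Site Scripting (XSS)", "violations": ["Attack signature detected"],
     "severity": "Critical", "method": "POST", "ip_client": "203.0.113.7", "uri": "/login"},
    {"support_id": "17334455667788995678", "date_time": "2024-05-02 14:03:10",
     "attack_type": "Denial of Service", "violations": ["Illegal cookie length"],
     "severity": "Error", "method": "GET", "ip_client": "198.51.100.9", "uri": "/"},
    {"support_id": "17334455667788990042", "date_time": "2024-05-03 08:00:00",
     "attack_type": "", "violations": [],
     "severity": "Informational", "method": "GET", "ip_client": "192.0.2.3", "uri": "/healthz"},
]


def parse_dt(value):
    """Parse the date_time string used in the constructed entries."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def filter_events(events, request_type="All requests", support_id=None, violation=None,
                  attack_type=None, time_from=None, time_to=None, severity=None, method=None):
    """Apply the Event Logs filters to a list of entries; empty selections match anything."""
    matched = []
    for event in events:
        # Assumption: an illegal request is one that recorded at least one violation.
        if request_type == "Illegal requests" and not event["violations"]:
            continue
        # The Support ID filter matches on the last 4 digits only.
        if support_id and not event["support_id"].endswith(support_id[-4:]):
            continue
        if violation and violation not in event["violations"]:
            continue
        if attack_type and event["attack_type"] != attack_type:
            continue
        # Time Period is inclusive: date_time ge From and le To.
        ts = parse_dt(event["date_time"])
        if time_from and ts < parse_dt(time_from):
            continue
        if time_to and ts > parse_dt(time_to):
            continue
        if severity and event["severity"] != severity:
            continue
        if method and event["method"] != method:
            continue
        matched.append(event)
    return matched
```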