In large customer environments, multiple users can make changes to security policies. These policy changes to working-configuration objects are captured in a central location (the BIG-IQ Network Security database) not on individual BIG-IP Advanced Firewall Manager (AFM) devices.
Users who can access the BIG-IQ Network Security console (shell) have access to this database.
BIG-IQ Network Security logs every configuration change in an audit log, which becomes an important tool for debugging and tracking changes to firewall devices. Audit log entries are visible through the system interface Audit Logs link. The audit log viewer retrieves entries from this database for display in the system interface.
Changes to these working-configuration objects generate log entries:
These actions also generate log entries:
In high-availability (HA) configurations, each node maintains its own audit log. Entries are synced after the HA configuration is set. If you have entries on the primary node and then configure HA, the previously-generated entries on the primary will not be replicated to the standby node; new entries will be replicated.
Deletions, whether performed manually through the Audit Log viewer or as part of a delete-and-archive operation, are not replicated to the standby node; the deleted entries remain there.
Also, archives are configured separately on each node.
The firewall audit log viewer displays the following properties for each entry.
| Property | Description |
|---|---|
| Client IP | IP address for the BIG-IQ system. |
| Time | User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC (Coordinated Universal Time), but the system interface displays the time in the user's local time zone. |
| Node | FQDN for the BIG-IQ system that recorded the event. |
| User | User who initiated the action. |
| Object Name | Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object. |
| Type | Class or group of the object modified. |
| Action | Type of modification (New, Delete, or Update). |
| Version | Number of times the system generated the object. |
The Audit Log viewer retrieves entries from the audit log for display in the BIG-IQ Network Security system interface.
All BIG-IQ system user roles have read-only access and can view entries. Only users with the role of Administrator or Security_Manager can delete entries or modify configuration settings.
| Column | How to filter |
|---|---|
| Client IP | Type the client IP address in the filter. Note that when a task is not initiated by a user, the entry in the Client IP column is blank. |
| Time (mix of letters and numbers) | Type a date/time in one of the supported formats. Formats are highly browser-dependent; other formats might appear to filter successfully, but are not supported. You must include both a date and a time. Entering a single date/time results in a filter that displays all entries from the specified date/time to the current date/time. To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05. |
| Time (numbers only) | Type a date/time in one of the supported formats. You must include both a date and a time. Typing a single date/time results in a filter displaying all entries from the specified date/time to the current date/time. To filter on a range of times, type the dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18. |
| Node | Type the node name in the filter. |
| User | Type the user in the filter. |
| Object Name | Type the name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, you would specify /Common/AddressList_4 as AddressList_4. Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON. |
| Type | Type the type in the filter. Note that WC stands for working configuration. |
| Action | Type the action in the filter. |
| Version | Type the version number in the filter. |
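The following Python is an added illustration of the filter semantics the table describes, not F5's code or the viewer's implementation: a single date/time selects everything from that moment to the current time, two date/times separated by a hyphen select a closed range, Object Name is matched without the partition prefix, and a blank Client IP identifies a task that no user initiated. The two timestamp styles are taken from the page's examples, but because the page's list of supported formats is not reproduced here, the concrete `strptime` patterns, the `AuditEntry` field names, the fixed "current time" and the sample entries are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Timestamp patterns the filter accepts. The page shows one example of each
# style ("jan 21 2014 11:04" and "1/1 12:14:15"); the full list of supported
# formats is not on the page, so this set is an assumption. Patterns without
# a year take the year of the reference time.
TIME_PATTERNS = ("%b %d %Y %H:%M:%S", "%b %d %Y %H:%M", "%m/%d %H:%M:%S", "%m/%d %H:%M")


@dataclass(frozen=True)
class AuditEntry:
    """One row of the audit log viewer; the time is kept in UTC as the page states."""
    client_ip: str    # blank when the task was not initiated by a user
    time: datetime
    node: str         # FQDN of the BIG-IQ system that recorded the event
    user: str
    object_name: str  # may carry a partition prefix, e.g. /Common/AddressList_4; "-" if unnamed
    type: str
    action: str       # New, Delete or Update
    version: int


def parse_time(text: str, reference: datetime) -> datetime:
    """Parse one filter timestamp; a pattern without a year borrows it from `reference`."""
    text = text.strip()
    for pattern in TIME_PATTERNS:
        try:
            parsed = datetime.strptime(text, pattern)
        except ValueError:
            continue
        return parsed if "%Y" in pattern else parsed.replace(year=reference.year)
    raise ValueError(f"unsupported date/time filter: {text!r}")


def parse_time_filter(text: str, now: datetime) -> tuple[datetime, datetime]:
    """A single date/time runs from that moment to `now`; 'start-end' is a closed range."""
    parts = text.split("-")
    if len(parts) == 1:
        return parse_time(parts[0], now), now
    if len(parts) == 2:
        start, end = parse_time(parts[0], now), parse_time(parts[1], now)
        if end < start:
            raise ValueError("range end precedes range start")
        return start, end
    raise ValueError("a time filter holds at most one hyphen")


def object_name_matches(stored: str, wanted: str) -> bool:
    """Compare without the partition prefix the viewer displays (/Common/X is typed as X)."""
    return stored.rsplit("/", 1)[-1] == wanted


# Columns whose filter is a plain exact match against the entry field.
_EXACT_COLUMNS = {"Client IP": "client_ip", "Node": "node", "User": "user",
                  "Type": "type", "Action": "action"}


def filter_entries(entries: list[AuditEntry], criteria: dict[str, str],
                   now: datetime) -> list[AuditEntry]:
    """Keep the entries that satisfy every column filter in `criteria`."""
    window = parse_time_filter(criteria["Time"], now) if "Time" in criteria else None
    matched = []
    for entry in entries:
        if window is not None and not (window[0] <= entry.time <= window[1]):
            continue
        if any(getattr(entry, attr) != criteria[col]
               for col, attr in _EXACT_COLUMNS.items() if col in criteria):
            continue
        if "Object Name" in criteria and not object_name_matches(entry.object_name, criteria["Object Name"]):
            continue
        if "Version" in criteria and entry.version != int(criteria["Version"]):
            continue
        matched.append(entry)
    return matched


# Constructed sample data: a fixed "current time" and a few entries.
SAMPLE_NOW = datetime(2014, 1, 23, 0, 0)
SAMPLE_ENTRIES = [
    AuditEntry("192.0.2.10", datetime(2014, 1, 21, 11, 4, 10), "bigiq1.example.com", "admin",
               "/Common/AddressList_4", "WC Address List", "New", 1),
    AuditEntry("192.0.2.10", datetime(2014, 1, 21, 11, 4, 50), "bigiq1.example.com", "admin",
               "/Common/AddressList_4", "WC Address List", "Update", 2),
    AuditEntry("", datetime(2014, 1, 21, 11, 6, 0), "bigiq1.example.com", "system",
               "deploy-test", "Deployment Task", "Update", 3),   # not user-initiated
    AuditEntry("192.0.2.11", datetime(2014, 1, 22, 9, 0, 0), "bigiq1.example.com", "secmgr",
               "newRule1", "WC Rule", "Delete", 4),
]


if __name__ == "__main__":
    for crit in ({"Time": "jan 21 2014 11:04-jan 21 2014 11:05"},
                 {"Time": "1/21 11:05"},
                 {"Object Name": "AddressList_4", "Action": "Update"}):
        print(crit, [e.version for e in filter_entries(SAMPLE_ENTRIES, crit, SAMPLE_NOW)])
```

The range check rejects an end that precedes its start instead of silently returning nothing, and filtering on an empty Client IP is the quickest way to isolate the system-initiated tasks when reviewing who changed what.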
You can prune entries in the audit log viewer to constrain the list to relevant data and a manageable size. Use the scroll bar to the right to scroll through entries.
There is no set limit on the number of entries that the viewer can display, although the viewer will not display archived entries.
Users with BIG-IQ system roles of either Administrator or Security_Manager can delete entries. All system user roles have read-only access to the audit log, and can view entries.
| To delete: | Do this: |
|---|---|
| A single entry | Select the check box for the entry you want to delete and then click Remove. You will not receive a confirmation dialog box. |
| All entries stored on this BIG-IQ system | Select the check box in the header row and then click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all. Important: This action removes all entries, not just those visible in the viewer page. |
| Multiple entries | Combine selecting with the Shift key, and then click Remove. You will not receive a confirmation dialog box. |
| A filtered batch of entries | Type a text string in the Filter field at the top of the page and click Apply. The result after applying the filter is a batched set of entries that match the criteria. Select the check box at the top of the table in the header row and click Remove. The batch of entries is removed. Note that if you delete a large batch of entries, the operation may take some time if the system has a lot of entries. Also, you must keep the Audit Logs viewer open the entire time. |
| Setting | Description |
|---|---|
| Days to keep entries | Default is 30 days. The field must contain an integer between 1 and 366. |
| Check expiration at this time | Contains the hour and minute when expirations on entries will be checked. You can type the hour and the minute manually (in the format hh:mm). Or, you can click in the field to view and edit in the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute, and then click Done. |
| When entries expire | Controls whether expired entries are deleted from the audit log, or deleted from the audit log but archived. Expired entries are saved to a predefined file at /var/log/firewall/archive-audit.0.txt. |
| Next run time | Informational, read-only setting, indicating the next time entries will be archived. Run time is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. |
| Last run time | Informational, read-only setting, indicating the last time entries were archived. Run time is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. |
| Entries expired at last run time | Number of entries that expired at the last run time. |
| Last Error | Informational, read-only setting. The field contains the text No error or the error text for any errors found. |
| Last Error Time | Informational, read-only setting. Time in the field is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Fri Jan 17 2014 23:50:00. |
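As an added illustration of how the settings above fit together (this is not BIG-IQ's own code and the page does not describe its internals), the following Python models one expiration check: entries older than "Days to keep entries" are removed at the configured hh:mm, either discarded or first appended to the archive file, and the read-only status fields (last run time, entries expired, last error, next run time) are updated in the ddd mmm dd yyyy hh:mm:ss form the viewer shows. The entry field names, the JSON-lines archive format, the sample log and the choice to keep entries in place when the archive write fails are all assumptions; only the default of 30 days, the 1 to 366 range and the archive path come from the page.

```python
from __future__ import annotations

import json
import tempfile
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from pathlib import Path

# Predefined archive file named on the page.
DEFAULT_ARCHIVE = Path("/var/log/firewall/archive-audit.0.txt")


@dataclass
class ArchiveSettings:
    days_to_keep: int = 30                  # page: integer between 1 and 366, default 30
    check_at: time = time(2, 50)            # "Check expiration at this time" (hh:mm)
    archive_expired: bool = True            # True: archive then delete; False: delete only
    archive_path: Path = DEFAULT_ARCHIVE
    # Read-only status fields the viewer reports after each run
    last_run_time: datetime | None = None
    entries_expired_last_run: int = 0
    last_error: str = "No error"
    last_error_time: datetime | None = None

    def __post_init__(self) -> None:
        if not 1 <= self.days_to_keep <= 366:
            raise ValueError("Days to keep entries must be an integer between 1 and 366")

    def next_run_time(self, now: datetime) -> datetime:
        """Next occurrence of check_at after `now` (later today, otherwise tomorrow)."""
        candidate = datetime.combine(now.date(), self.check_at)
        return candidate if candidate > now else candidate + timedelta(days=1)


def format_run_time(moment: datetime) -> str:
    """Render a run time the way the viewer does: ddd mmm dd yyyy hh:mm:ss."""
    return moment.strftime("%a %b %d %Y %H:%M:%S")


def run_expiration(entries: list[dict], settings: ArchiveSettings, now: datetime) -> list[dict]:
    """One expiration check. Entries older than days_to_keep are removed, after being
    appended to the archive file when archiving is enabled. Returns the survivors.
    Assumed behaviour on an archive write failure: nothing is deleted and the
    error is recorded as Last Error, so no entry is lost without being archived."""
    cutoff = now - timedelta(days=settings.days_to_keep)
    expired = [e for e in entries if datetime.fromisoformat(e["time"]) < cutoff]
    settings.last_run_time = now
    if settings.archive_expired and expired:
        try:
            with settings.archive_path.open("a", encoding="utf-8") as archive:
                for entry in expired:
                    archive.write(json.dumps(entry, sort_keys=True) + "\n")
        except OSError as exc:
            settings.last_error, settings.last_error_time = str(exc), now
            settings.entries_expired_last_run = 0
            return list(entries)
    settings.last_error = "No error"
    settings.entries_expired_last_run = len(expired)
    return [e for e in entries if datetime.fromisoformat(e["time"]) >= cutoff]


# Constructed sample log; times are stored in UTC as the page states.
SAMPLE_LOG = [
    {"client_ip": "192.0.2.10", "time": "2013-12-01T09:15:00", "node": "bigiq1.example.com",
     "user": "admin", "object_name": "/Common/AddressList_4", "type": "WC Address List",
     "action": "New", "version": 1},
    {"client_ip": "192.0.2.10", "time": "2013-12-28T10:00:00", "node": "bigiq1.example.com",
     "user": "admin", "object_name": "/Common/AddressList_4", "type": "WC Address List",
     "action": "Update", "version": 2},
    {"client_ip": "", "time": "2013-12-29T03:00:00", "node": "bigiq1.example.com",
     "user": "system", "object_name": "deploy-test", "type": "Deployment Task",
     "action": "Update", "version": 3},
    {"client_ip": "192.0.2.11", "time": "2014-01-21T11:04:00", "node": "bigiq1.example.com",
     "user": "secmgr", "object_name": "newRule1", "type": "WC Rule", "action": "Delete", "version": 4},
    {"client_ip": "192.0.2.11", "time": "2014-01-27T23:50:00", "node": "bigiq1.example.com",
     "user": "secmgr", "object_name": "-", "type": "WC Policy", "action": "Update", "version": 5},
]


def demo(archive_dir: str | None = None, archive_expired: bool = True) -> dict:
    """Run one sweep at the page's example run time and summarise the outcome.
    Writes to a temporary directory unless `archive_dir` is given."""
    directory = Path(archive_dir) if archive_dir else Path(tempfile.mkdtemp())
    settings = ArchiveSettings(days_to_keep=30, archive_expired=archive_expired,
                               archive_path=directory / "archive-audit.0.txt")
    now = datetime(2014, 1, 28, 2, 50)
    kept = run_expiration(SAMPLE_LOG, settings, now)
    archived = settings.archive_path.read_text().splitlines() if settings.archive_path.exists() else []
    return {
        "kept": len(kept),
        "expired": settings.entries_expired_last_run,
        "archived": len(archived),
        "last_error": settings.last_error,
        "last_run": format_run_time(settings.last_run_time),
        "next_run": format_run_time(settings.next_run_time(now)),
    }


if __name__ == "__main__":
    print(demo())
```

With a 30-day window and a run at Tue Jan 28 2014 02:50:00, the cutoff is Dec 29 02:50, so the two December entries before it expire while the entry logged at Dec 29 03:00 survives. Because the standby node in an HA pair runs its own archive settings, the same sweep has to be configured, and its Last Error checked, on each node separately.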
The REST API audit log records all API traffic on the BIG-IQ system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ Network Security console (shell) has access to this file.