Manual Chapter : Audit Log

Applies To:

BIG-IQ Security

  • 4.3.0

About the audit log

In large customer environments, multiple users make changes to security policies. These policy changes occur in a central location, such as the BIG-IQ Web Application Security database, and not on individual BIG-IP ASM devices. To address possible concerns, the BIG-IQ system provides an audit log that records all traffic (users, times, events, and so on). Users who can access the BIG-IQ console (shell) have access to this file.

The BIG-IQ system records every change (every configuration change to a working-configuration object) in the audit log. A change is defined as: any object created, object deleted, or object modified. Thus, the audit log is an important tool for debugging and tracking changes to devices.

Note: The audit log viewer retrieves entries from this database to display in the GUI.

Audit log properties

The audit log viewer in BIG-IQ Web Application Security displays these properties.

Item          Description
Date          Date of the audit log signature file entry.
Task status   Status for task, such as Passed.
Steps status  Status for each step.
Details       A link that displays details, such as date, sub task, action, status, error/message, and device IP.

Managing the audit log using SSH

You can review audit log contents periodically using SSH and archive contents locally for off-device processing, troubleshooting, and future reference.

In high-availability (HA) configurations, each node maintains its own audit log. Entries are synced after the HA configuration is set. If you have entries on the primary node and then configure HA, the previously-generated entries on the primary will not be replicated to the standby node; new entries will be replicated.

  1. To examine audit logs using SSH, log in to the BIG-IQ system with Administrator or Security_Manager credentials.
  2. Navigate to the audit log location: /var/log/audit.
  3. Examine files with the naming convention: audit.n.txt. In this example, n is the log number.
  4. Once located, you can view or save the log locally through a method of your choice.
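
One way to carry out steps 2 through 4 as a repeatable archive job, given here as an added example and not F5-supplied code. It assumes sha256sum, tar and mktemp are available where it runs; the function name, the archive naming scheme and the NODE_LABEL argument (used because each HA node keeps its own audit log) are hypothetical.

```shell
#!/bin/sh
# Added example, not F5 code. Assumes sha256sum, tar and mktemp are available.
# Usage: archive_audit_logs SRC_DIR DEST_DIR NODE_LABEL
#   SRC_DIR    directory holding audit.n.txt files (/var/log/audit on BIG-IQ)
#   NODE_LABEL hypothetical label naming the HA node the logs came from
archive_audit_logs() {
    local src="$1" dest="$2" node="$3"
    local stamp name stage f n count=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    name="audit-${node}-${stamp}"
    stage="$(mktemp -d)" || return 1
    mkdir -p "$stage/$name" "$dest" || { rm -rf "$stage"; return 1; }

    # Stage only files that match the documented audit.n.txt convention,
    # where n is a number; anything else in the directory is ignored.
    for f in "$src"/audit.*.txt; do
        [ -f "$f" ] || continue
        n="${f##*/audit.}"; n="${n%.txt}"
        case "$n" in ''|*[!0-9]*) continue ;; esac
        cp -p "$f" "$stage/$name/" || { rm -rf "$stage"; return 1; }
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no audit.n.txt files found in $src" >&2
        rm -rf "$stage"; return 2
    fi

    # Record SHA-256 digests inside the archive so later tampering or
    # corruption of the off-device copy can be detected with sha256sum -c.
    ( cd "$stage/$name" && sha256sum audit.*.txt > ../SHA256SUMS \
        && mv ../SHA256SUMS . ) || { rm -rf "$stage"; return 1; }

    # Audit logs name users and changes: keep the archive owner-readable only.
    ( umask 077 && tar -czf "$dest/$name.tar.gz" -C "$stage" "$name" ) \
        || { rm -rf "$stage"; return 1; }
    rm -rf "$stage"
    echo "$dest/$name.tar.gz"
}
```

The function prints the path of the archive it wrote; after extracting it, running sha256sum -c SHA256SUMS inside the extracted directory confirms the copies are unchanged.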

Managing the audit log using the GUI

You can view audit logs using the GUI.

  1. To examine audit logs using the GUI, log in to the BIG-IQ system with Administrator or Security_Manager credentials.
  2. Under Web Application Security, click Audit Logs. Each entry listed represents the result of a signature file Update & push task.
  3. To see the list of steps that occurred for that specific task, click the Details link.