Manual Chapter : Logging and Auditing

Applies To: Enterprise Manager 3.1.1

Overview: Logging for devices and Enterprise Manager

Enterprise Manager creates separate audit and system event logs specific to:

  • Enterprise Manager activities associated with device management events
  • System events for Enterprise Manager itself, not related to device management

Enabling audit logging for device management events

Audit logs contain information about management operations performed from Enterprise Manager for a device, or for itself. Activities logged include creating a device alert, enabling a node, and so forth.
  1. In the navigation pane, click System > Logs > Configuration > Options.
  2. In the Audit Logging area at the bottom of the screen, for the MCP setting, select Enable.
  3. Click the Update button.
Enterprise Manager creates an audit log entry any time it performs a change to a managed device.

Viewing and searching audit logs for device configuration changes

You must enable audit logging before you can view or search for events specific to device management.
From the Audit List screen, you can view or search any configuration changes you have made to the managed devices in your network. Use this information to monitor device management events and troubleshoot configuration issues.
  1. On the Main tab, click System > Logs > Audit > List. The Audit List screen opens to display an overview of the activity for managed devices.
  2. To search for a particular event, type a string in the Search field and click the Search button.

Viewing and searching Enterprise Manager system event logs

Enterprise Manager logs all system events specific to the operating system and other Linux components, not associated with Enterprise Manager software. This information is stored in the /var/log/messages file.

You can view the details derived from this data from the System Enterprise Management Logs screen.

  1. On the Main tab, click System > Logs > System.
  2. On the Menu bar, click Enterprise Management. The screen displays system events specific to Enterprise Manager.
  3. To search for a particular event, type a string in the Search field and click the Search button.

Processes used for logging system events

The Enterprise Manager system uses the following processes for logging system events.

System process   This enables
emadmind         The scheduled Enterprise Manager ConfigSync feature
emalertd         Custom alerting features for managed devices, including creating alert instances, assigning alert actions, and logging alert events
emdeviced        Device management features such as managing device lists, performing high availability functions, and refreshing device status information
emfiled          Features required to manage device configuration archives, including scheduling a rotating archive schedule, and maintaining pinned archives
emrptschedd      Scheduled report creation activities
swimd            Software image management features, including importing software or hotfix images to the software repository, and deploying software or hotfixes to managed devices
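As an added example (not part of the F5 documentation), the following Python script parses /var/log/messages lines in the classic syslog layout, keeps only entries written by the Enterprise Manager processes listed in the table above, and supports the same kind of string search that the Enterprise Management log screen offers. The syslog layout and every sample line are constructed assumptions, not real Enterprise Manager output.

```python
"""Filter /var/log/messages-style lines down to Enterprise Manager daemons.

Added example; the log lines below are constructed, not real EM output.
"""
import re
from collections import Counter

# Daemons from the "Processes used for logging system events" table.
EM_PROCESSES = {"emadmind", "emalertd", "emdeviced", "emfiled", "emrptschedd", "swimd"}

# Classic syslog line: "Mon DD HH:MM:SS host process[pid]: message" (format assumed).
_SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

SAMPLE_LINES = [  # constructed sample input
    "Mar  3 14:02:17 em1 emdeviced[2231]: refreshed status for device bigip-a",
    "Mar  3 14:02:18 em1 emfiled[2240]: rotating archive created for bigip-a",
    "Mar  3 14:02:19 em1 sshd[2301]: Accepted publickey for admin from 10.0.0.7 port 51234 ssh2",
    "Mar  3 14:03:01 em1 emalertd[2252]: alert instance cpu-high raised for bigip-b",
    "Mar  3 14:05:44 em1 swimd[2260]: hotfix image import completed",
    "Mar  3 14:06:00 em1 emdeviced[2231]: device bigip-b status changed to unreachable",
    "this line is not syslog and is skipped",
]

def parse_line(line):
    """Return a dict of the syslog fields, or None if the line does not parse."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields

def em_events(lines, search=None):
    """Entries written by EM daemons, optionally limited to messages containing `search`."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in EM_PROCESSES:
            continue
        if search is None or search.lower() in rec["msg"].lower():
            out.append(rec)
    return out

def count_by_process(lines):
    """How many EM entries each daemon wrote; useful to spot a noisy or silent daemon."""
    return Counter(rec["proc"] for rec in em_events(lines))

if __name__ == "__main__":
    for rec in em_events(SAMPLE_LINES, search="bigip-b"):
        print(rec["ts"], rec["proc"], rec["msg"])
    print(dict(count_by_process(SAMPLE_LINES)))
```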

Overview: Collecting and aggregating log files with LogIQ

With LogIQ, you can view aggregated log events for all of your managed BIG-IP devices from a centralized location and, with its powerful search tool, easily locate specific log events. LogIQ also provides you with the ability to increase storage as needed, by utilizing storage resources from your hypervisor.

You incorporate LogIQ into your network configuration by configuring two VLAN interfaces on your hypervisor. The first interface connects Enterprise Manager™ to the Management VLAN, and the second connects BIG-IP LTM to the Traffic VLAN.

Standard implementation of LogIQ in your network

LogIQ components

The LogIQ feature is comprised of these components.

Component         Description
LogIQ Collector   The file that you download (LogIQ-Collector<version>.ova) and install on an ESXi hypervisor (on which storage has been allocated for the LogIQ Collector), and add to the index cluster for log event storage.
Index cluster     A collection of LogIQ Collectors on which you store log events.
Source devices    Managed BIG-IP devices from which you collect log events.

About configuring LogIQ

To start collecting and aggregating log event files through LogIQ, you perform the following tasks.

  • Configure two VLAN interfaces as follows:
    • A VLAN that connects to Enterprise Manager through the Management network interface
    • A VLAN that connects to the BIG-IP LTM through the Traffic network interface
    Important: LogIQ is compatible only with BIG-IP LTM devices running version 11.3.0 and later.

    For specific instructions about how to configure the hypervisor that is located in a network with a DHCP server, refer to your VMware ESXi hypervisor documentation.

  • Download the LogIQ Collector .ova file and deploy it on your VMware ESXi hypervisor version 5.0.0, allocating sufficient storage space for your log indexing volume and retention requirements.
  • Specify the default settings for the index cluster. (These settings apply to any LogIQ Collectors added to the index cluster.)
  • Add the LogIQ Collector to the index cluster.
  • Specify the source devices (managed BIG-IP systems), from which to collect the data.
  • Configure a network logging profile on the source device.
Important: The LogIQ feature is compatible only with the VMware ESXi hypervisor, version 5.0.0. By default, the LogIQ Collector is configured with 4 CPU cores, 4GB RAM, and 32GB system disk. You must add a new disk to retain logs in the ESXi hypervisor. If you add the disk while the LogIQ feature is running, you must reboot the system before Enterprise Manager can detect the new disk.

Configuring IP addresses for VLAN interfaces from the command line

Before you can download and install the LogIQ Collector, you must configure a management VLAN interface and a traffic VLAN interface. The LogIQ Collector is based on a standard CentOS Linux distribution. Therefore, if you do not have a DHCP server configured in your network to dynamically assign the IP addresses for the required interfaces, you can configure the IPv4 or IPv6 addresses from the command line.

Note: If your network has a DHCP server, refer to your hypervisor documentation for instructions about how to configure the required VLAN interfaces.
  1. Log in to the hypervisor console screen as the root user. The default password is default.
  2. To set addresses for your management and traffic VLANs, type the following commands:
     # serviceConfig interface set Management <IP address/subnet mask>
     # serviceConfig interface set Traffic <IP address/subnet mask>
  3. To review the configuration, type:
     # serviceConfig interface list
F5 recommends that at this point you change the default password using the passwd command.

Downloading the LogIQ Collector

You download the LogIQ Collector .ova file so that you can install it on an ESXi hypervisor for indexing and querying collected log events using the LogIQ feature.

  1. From a web browser, navigate to the F5 Downloads page at https://downloads.f5.com.
  2. Locate and download the EM LogIQ Collector package ending with .ova.
  3. On your VMware client, deploy the .ova file.
  4. Allocate a sufficient amount of storage for the LogIQ Collector from the hypervisor, as required by your log indexing volume and retention needs.

Specifying default settings for LogIQ Collector index clusters

It is important to specify default settings before you add a LogIQ Collector to the index cluster, because once you do, it is immediately available to index log events. If you make changes to these default settings after you have added LogIQ Collectors, the new changes overwrite the previous settings.
  1. On the Main tab, click Enterprise Management > LogIQ > Index Cluster Config.
  2. In the Maximum Days in Archive field, specify the number of days that you want to keep collected log events. Note that if you change this setting to a smaller number in the future, the system may need to delete log entries to meet the newly reduced limit. Log event storage is dependent on disk space, regardless of the number of days specified.
  3. Click the Save button, located directly below the Maximum Days in Archive setting.
  4. To populate the DNS and Time Configuration settings with those configured for the Enterprise Manager system, click the Load Local Settings button located at the bottom of the screen. To specify alternative settings, complete steps 5-7.
  5. For the Domain Name Servers setting, in the Address field, type the IP address of the DNS server that you want to use for the index cluster, and click the Add button.
  6. From the Timezone list, select a time zone.
  7. For the Network Time Protocol Servers setting, in the Address field, type the IP address or the FQDN of the NTP server, and click the Add button.
  8. Click the Save button to change the default settings that you specified for the index cluster.

Adding a LogIQ Collector to the index cluster

You must download and configure the LogIQ Collector, allocate resources for the LogIQ Collector from your hypervisor, and configure the index cluster default settings before you add a LogIQ Collector to the index cluster.

When you add the first LogIQ Collector to the index cluster, it is available to index log events.

  1. On the Main tab, click Enterprise Management > LogIQ > Index Cluster.
  2. Click the Add Device button.
  3. In the LogIQ Collector IP Address field, type the IP address of the LogIQ Collector that you downloaded.
  4. If you want the source device to use an IPV6 address (if available) for the traffic VLAN, select the Use IPV6 address check box.
  5. Click the Add button.
  6. The LogIQ Collector you added is displayed in the index cluster table.
  7. Click the address of the LogIQ Collector that you added.
  8. In the Storage Devices list, select the check box next to an available device from which you can allocate storage for LogIQ.
  9. Click the Allocate storage button.
  10. In the dialog box that displays, click the Add button.
The LogIQ Collector you added to the index cluster displays in an up state, and is now available for index collection and log event indexing.
Next you must specify the source devices from which to collect log events.

Specifying a source device for LogIQ

The LogIQ feature indexes collected log events from the source devices that you specify.
  1. On the Main tab, click Enterprise Management > LogIQ > Source Devices.
  2. Click the Add devices button.
  3. Use the Device List and Device Filter settings to specify which devices you want displayed.
  4. Select the check box next to the source device for which you want to collect log events.
  5. Click the Add devices button.
You must now configure a logging profile on the source device you specified, to use the em-centlog-pub publisher.

Configuring a network firewall logging profile on a source device

You can create a network firewall logging profile only after you add a LogIQ Collector to the index cluster and specify a source device.

Important: To configure a network firewall logging profile, you must have Advanced Firewall Manager (AFM) provisioned on the source device. You provision this on the System > Resource Provisioning > Configuration screen.
When you create a logging profile, you specify the log events that you want collected by the LogIQ Collector.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
  2. Click the Create button.
  3. In the Profile Name field, type a unique name to identify this logging profile.
  4. For the Network Firewall logging profile setting, select the Enabled check box.
  5. From the Publisher list, select em-centlog-pub.
  6. Select the check box next to each type of log event that you want to log.
  7. From the Storage Format list, select the format type that you want to use for the log events.
    1. If you want to use a delimiter to separate the fields, in the Delimiter field, type a value.
    2. From the Available items list, select the items that you want stored.
  8. If you want to collect IP Intelligence log events, from the Publisher list, select em-centlog-pub.
  9. Click the Finished button.

All specified log events are now collected and displayed on Enterprise Manager.

Tip: For additional information about logging profiles, refer to the BIG-IP Local Traffic Manager documentation specific to high-speed logging.

About viewing and searching all collected log events

LogIQ features a powerful search tool that helps you easily locate specific log events. You can view all collected log events at once, or selected log events that occurred in a standard time period. You can also create your own customized time frame for which to view log events. These search options give you the flexibility to quickly find the information that you need.

Viewing all collected log events for a standard time period

You can view all of the log events that LogIQ has collected, or you can easily limit the number displayed by specifying a standard time period in which an event occurred.
  1. On the Main tab, click Enterprise Management > LogIQ > Search.
  2. From the Time Period list, select a standard period of time for which you want to view log events.
  3. Click the Update button.
Enterprise Manager displays the events that LogIQ collected during the specified time period.

Viewing all collected log events for a custom time period

You can reduce the volume or range of collected events that are displayed by setting a custom time period for filtering.
  1. From the Time Period list, select Custom.
  2. Click in the From field.
    1. On the calendar, click the first day from which you want to view collected log events. Alternatively, click the Now button to populate the From field with the current date and time.
    2. For the Hour, Minute, and Second settings, move the slide bar to the right to specify the time of day to start displaying collected log events.
  3. Click in the To field.
    1. On the calendar, click the last day for which you want to view collected log events. Alternatively, click the Now button to populate the To field with the current date and time.
    2. For the Hour, Minute, and Second settings, move the slide bar to the right to specify the time of day to stop displaying collected log events.
  4. Click the Update button.
Enterprise Manager displays the events that LogIQ collected during the custom time period.

Creating a search filter for all collected log events

Before you can create a filter to look for specific entries, you must have configured LogIQ and have collected log events.
Log events provide you with information on which you need to act, as well as information to help you troubleshoot issues. You can use the LogIQ feature's sophisticated searching mechanism to filter log events by explicit attributes to help you find a specific event.
  1. On the Main tab, click Enterprise Management > LogIQ > Search.
  2. In the New Filter field, type a string that includes the field name and the specific data that you are searching for. The acceptable formats include those shown here.
    Filter description                                                                   Search string example
    Use quotation marks to filter for an exact match.                                    source_ip="10.10.10.1"
    Not using quotation marks will return more results.                                  source_ip=10.10.10
    To broaden the filter and increase the number of results, use the Boolean operator OR.   source_IP="10.10.10.1" OR source_IP="10.10.10.2"
    To narrow the filter to an exclusive set of parameters, use the Boolean operator AND.    source_ip="10.10.10.1" AND dest_ip="192.168.1.1"
  3. Optionally, place your cursor over an element in an event log and click it to add it to the search filter.
  4. Click the Add button after each filter you create.
  5. When you have added the last filter that you want to use, click the Update button.
The log event table refreshes to display only those events that include the filters that you specified.
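The filter grammar from the table above, as an added example that is not F5's own code: a small Python evaluator that applies quoted exact-match terms, unquoted substring-match terms, and AND / OR operators to constructed sample events. It assumes that field names are case-insensitive (the page writes both source_ip and source_IP) and that AND binds tighter than OR; the page specifies neither.

```python
"""Evaluate LogIQ-style search filters against log events.

Added example, not F5 code. field="value" is an exact match, field=value
without quotes is a substring match, and terms are joined with AND / OR.
Assumptions: field names are case-insensitive, and AND binds tighter than OR.
"""
import re

# One quoted term, one unquoted term, or a boolean operator.
_TOKEN = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)|\b(AND|OR)\b')

# Constructed sample events in the shape of network firewall log entries.
SAMPLE_EVENTS = [
    {"source_ip": "10.10.10.1", "dest_ip": "192.168.1.1", "action": "Drop"},
    {"source_ip": "10.10.10.2", "dest_ip": "192.168.1.1", "action": "Accept"},
    {"source_ip": "10.10.10.10", "dest_ip": "192.168.1.5", "action": "Drop"},
    {"source_ip": "172.16.0.9", "dest_ip": "192.168.1.1", "action": "Accept"},
]

def parse_filter(text):
    """Tokenize a filter string into ('term', field, value, exact) and ('op', name) items."""
    items = []
    for m in _TOKEN.finditer(text):
        if m.group(5):
            items.append(("op", m.group(5)))
        elif m.group(1) is not None:
            items.append(("term", m.group(1).lower(), m.group(2), True))
        else:
            items.append(("term", m.group(3).lower(), m.group(4), False))
    return items

def term_matches(event, field, value, exact):
    """Exact comparison for quoted values, substring test for unquoted ones."""
    actual = str(event.get(field, ""))
    return actual == value if exact else value in actual

def evaluate(items, event):
    """True if the event satisfies the filter; an empty filter matches everything."""
    groups = [[]]                       # OR-separated groups of AND-ed terms
    for item in items:
        if item[0] == "op":
            if item[1] == "OR":
                groups.append([])
        else:
            groups[-1].append(term_matches(event, *item[1:]))
    groups = [g for g in groups if g]
    return True if not groups else any(all(g) for g in groups)

def search(filter_text, events=SAMPLE_EVENTS):
    """Return the events that the filter keeps, in their original order."""
    items = parse_filter(filter_text)
    return [e for e in events if evaluate(items, e)]

if __name__ == "__main__":
    for f in ('source_ip="10.10.10.1"', "source_ip=10.10.10",
              'source_IP="10.10.10.1" OR source_IP="10.10.10.2"',
              'source_ip="10.10.10.1" AND dest_ip="192.168.1.1"'):
        print(f"{f!r:60} -> {len(search(f))} event(s)")
```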

About viewing and searching only network events

When you have LogIQ configured, you can view all collected logs or only those specific to the network. You also have the option to view all collected network log events at once, or selected network log events that occurred in a standard time period. Another option is to create your own customized time frame for which to view network log events. These search options give you the flexibility to quickly find the information that you need.

Viewing collected network log events for a standard time period

You can view all of the network log events that LogIQ has collected, or you can easily limit the number displayed by specifying a standard time period in which a network event occurred.
  1. On the Main tab, click Security > Event Logs > Network.
  2. From the Time Period list, select a standard period of time for which you want to view network log events.
  3. Click the Update button.
Enterprise Manager displays the network log events that LogIQ collected during the specified time period.

Viewing collected network log events for a custom time period

You can reduce the volume or range of collected events that are displayed by setting a custom time period for filtering.
  1. On the Main tab, click Enterprise Management > LogIQ > Search.
  2. From the Time Period list, select Custom.
  3. Click in the From field.
    1. On the calendar, click the first day from which you want to view collected log events. Alternatively, click the Now button to populate the From field with the current date and time.
    2. For the Hour, Minute, and Second settings, move the slide bar to the right to specify the time of day to start displaying collected log events.
  4. Click in the To field.
    1. On the calendar, click the last day for which you want to view collected log events. Alternatively, click the Now button to populate the To field with the current date and time.
    2. For the Hour, Minute, and Second settings, move the slide bar to the right to specify the time of day to stop displaying collected log events.
  5. Click the Update button.
Enterprise Manager displays the events that LogIQ collected during the custom time period.

Creating a search filter for collected network log events

Before you can create a filter to look for specific entries, you must have configured LogIQ and have collected log events.
Network log events provide you with information on which you need to act, as well as information to help you troubleshoot issues. You can use the sophisticated drag-and-drop method that Enterprise Manager provides to select specific log events and attributes as filters to find a precise event.
  1. On the Main tab, click Security > Network.
  2. Locate the log event, or log event element that you want to add to the custom search filter.
  3. To add all of the elements of a single log event, hover over the first column of a log event table and drag it to the Custom Search field. Alternatively, you can hover over a single element in a log event and drag it to the Custom Search field.
  4. When you have selected the last log event or element, click the Update button.
The log event table refreshes to display only those events that include the filters that you specified.