Enterprise Manager creates separate audit and system event logs specific to:
Enterprise Manager logs all system events specific to the operating system and other Linux components that are not associated with the Enterprise Manager software itself. This information is stored in the /var/log/messages file.
You can view the details derived from this data from the System Enterprise Management Logs screen.
The Enterprise Manager system uses the following processes for logging system events.
| System process | This enables |
|---|---|
| emadmind | The scheduled Enterprise Manager ConfigSync feature |
| emalertd | Custom alerting features for managed devices, including creating alert instances, assigning alert actions, and logging alert events |
| emdeviced | Device management features such as managing device lists, performing high availability functions, and refreshing device status information |
| emfiled | Features required to manage device configuration archives, including scheduling a rotating archive schedule and maintaining pinned archives |
| emrptschedd | Scheduled report creation activities |
| swimd | Software image management features, including importing software or hotfix images to the software repository, and deploying software or hotfixes to managed devices |
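The page distinguishes events written to /var/log/messages by the operating system from events produced by the Enterprise Manager daemons listed above. The following script is an added example, not F5 code: it parses traditional syslog-style lines (the "Mon DD HH:MM:SS host tag[pid]: message" layout is an assumption about the file format, not something the page specifies), separates lines tagged with one of the listed daemons from other system events, and counts events per process. The sample lines are constructed for the example and are not real Enterprise Manager output.

```python
import re
from collections import Counter

# Enterprise Manager system processes named in the table above, mapped to a
# short description of the feature each one enables.
EM_PROCESSES = {
    "emadmind": "scheduled ConfigSync",
    "emalertd": "custom alerting for managed devices",
    "emdeviced": "device management, high availability, status refresh",
    "emfiled": "device configuration archives",
    "emrptschedd": "scheduled reports",
    "swimd": "software image management",
}

# Assumed /var/log/messages layout: "Mon DD HH:MM:SS host tag[pid]: message".
# The pid in brackets is optional; the layout itself is an assumption.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match the layout."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    # em_feature is set only for lines tagged with an Enterprise Manager daemon.
    rec["em_feature"] = EM_PROCESSES.get(rec["tag"])
    return rec


def classify(lines):
    """Split lines into EM-daemon events, other system events, and unparsable lines."""
    em, system, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["em_feature"]:
            em.append(rec)
        else:
            system.append(rec)
    return em, system, unparsed


def events_per_process(records):
    """Count parsed records by their syslog tag (process name)."""
    return Counter(r["tag"] for r in records)


# Constructed sample lines for the example; not real Enterprise Manager output.
SAMPLE_LOG = """\
Mar  3 10:15:01 em01 emdeviced[2134]: refreshed status for device bigip-a.example.invalid
Mar  3 10:15:07 em01 emalertd[2150]: alert instance created: device bigip-a cpu-high
Mar  3 10:16:00 em01 CROND[3001]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:16:22 em01 sshd[3010]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Mar  3 10:17:45 em01 emadmind[2101]: ConfigSync job started for device group dg-prod
Mar  3 10:18:02 em01 swimd[2177]: imported hotfix image to software repository
garbage line that is not syslog
""".splitlines()

if __name__ == "__main__":
    em, system, unparsed = classify(SAMPLE_LOG)
    print("Enterprise Manager daemon events:")
    for tag, n in sorted(events_per_process(em).items()):
        print(f"  {tag:12s} {n}  ({EM_PROCESSES[tag]})")
    print(f"other system events: {len(system)}, unparsable lines: {len(unparsed)}")
```

Pointing `classify()` at the lines of a real /var/log/messages file separates the daemon activity from ordinary operating-system noise; lines that do not fit the assumed layout are kept in the `unparsed` list rather than silently dropped, so a change in log format is noticed instead of hiding events.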
With LogIQ, you can view aggregated log events for all of your managed BIG-IP devices from a centralized location and, with its powerful search tool, easily locate specific log events. LogIQ also provides you with the ability to increase storage as needed, by utilizing storage resources from your hypervisor.
You incorporate LogIQ into your network configuration by configuring two VLAN interfaces on your hypervisor. The first interface connects Enterprise Manager™ to the Management VLAN, and the second connects BIG-IP LTM to the Traffic VLAN.
The LogIQ feature is comprised of these components.

| Component | Description |
|---|---|
| LogIQ Collector | The file that you download (LogIQ-Collector<version>.ova) and install on an ESXi hypervisor (on which storage has been allocated for the LogIQ Collector), and add to the index cluster for log event storage. |
| Index cluster | A collection of LogIQ Collectors on which you store log events. |
| Source devices | Managed BIG-IP devices from which you collect log events. |
To start collecting and aggregating log event files through LogIQ, you perform the following tasks.
For specific instructions about how to configure a hypervisor located in a network with a DHCP server, refer to your VMware ESXi hypervisor documentation.
Before you can download and install LogIQ Collector, you must configure a management VLAN interface and a traffic VLAN interface. The LogIQ Collector is based on the standard Linux CentOS distribution. Therefore, if you do not have a DHCP server configured in your network to dynamically assign the IP addresses for the required interfaces, you can configure the IPv4 or IPv6 addresses from the command line.
You download the LogIQ Collector .ova file so that you can install it on an ESXi hypervisor for indexing and querying collected log events using the LogIQ feature.
When you add the first LogIQ Collector to the index cluster, it is available to index log events.
You can create a network firewall logging profile only after you add a LogIQ Collector to the index cluster and specify a source device.
All specified log events are now collected and displayed on Enterprise Manager.
LogIQ features a powerful search tool that helps you easily locate specific log events. You can view all collected log events at once, or selected log events that occurred in a standard time period. You can also create your own customized time frame for which to view log events. These search options give you the flexibility to quickly find the information that you need.
| Filter description | Search string example |
|---|---|
| Use quotation marks to filter for an exact match. | source_ip="10.10.10.1" |
| Not using quotation marks returns more results. | source_ip=10.10.10 |
| To broaden the filter and increase the number of results, use the Boolean operator OR. | source_IP="10.10.10.1" OR source_IP="10.10.10.2" |
| To narrow the filter to an exclusive set of parameters, use the Boolean operator AND. | source_ip="10.10.10.1" AND dest_ip="192.168.1.1" |
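To make the semantics of these four filter forms concrete, here is an added example (not LogIQ's search implementation, whose internals the page does not describe) that parses query strings of exactly the shape shown in the table and evaluates them against constructed log events. Three points are assumptions rather than page facts: an unquoted value is treated as a substring match (the page only says it "returns more results"), AND binds more tightly than OR as in most query languages, and field names are compared case-insensitively so that `source_IP` and `source_ip` refer to the same field. The `EVENTS` records are constructed for the example.

```python
import re

# One token per match: an operator (AND/OR) or a field=value term, where the
# value is either double-quoted (exact) or bare (broad). Parentheses are not
# part of the syntax shown on the page and are not supported.
TOKEN_RE = re.compile(
    r'\s*(?:(?P<op>AND|OR)\b'
    r'|(?P<field>[A-Za-z_][A-Za-z0-9_]*)='
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+)))'
)


def tokenize(query):
    """Turn a filter string into ("OP", name) and ("TERM", (field, value, exact)) tokens."""
    query = query.strip()
    pos, tokens = 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse filter at offset {pos}: {query[pos:]!r}")
        if m.group("op"):
            tokens.append(("OP", m.group("op")))
        else:
            exact = m.group("quoted") is not None
            value = m.group("quoted") if exact else m.group("bare")
            # Field names are lower-cased: assumption that the search is
            # case-insensitive on field names (source_IP == source_ip).
            tokens.append(("TERM", (m.group("field").lower(), value, exact)))
        pos = m.end()
    return tokens


def parse(query):
    """Return the filter as a list of AND-groups that are OR-ed together (DNF).

    AND is assumed to bind more tightly than OR, so
    a="1" OR b="2" AND c="3" becomes [[a], [b, c]].
    """
    groups, current, expect_term = [], [], True
    for kind, val in tokenize(query):
        if expect_term:
            if kind != "TERM":
                raise ValueError("expected a field=value term")
            current.append(val)
        else:
            if kind != "OP":
                raise ValueError("expected AND or OR between terms")
            if val == "OR":
                groups.append(current)
                current = []
        expect_term = not expect_term
    if expect_term:  # empty query, or query ending on an operator
        raise ValueError("filter must end with a field=value term")
    groups.append(current)
    return groups


def is_valid_filter(query):
    try:
        parse(query)
        return True
    except ValueError:
        return False


def term_matches(event, field, value, exact):
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    # Quoted value: exact match. Bare value: substring match (assumption for
    # the page's "returns more results" behaviour).
    return actual == value if exact else value in actual


def matches(event, groups):
    ev = {k.lower(): v for k, v in event.items()}
    return any(all(term_matches(ev, *t) for t in g) for g in groups)


def search(events, query):
    groups = parse(query)
    return [e for e in events if matches(e, groups)]


def search_ids(events, query):
    return [e["id"] for e in search(events, query)]


# Constructed sample events (not real BIG-IP log output).
EVENTS = [
    {"id": 1, "source_ip": "10.10.10.1", "dest_ip": "192.168.1.1", "action": "drop"},
    {"id": 2, "source_ip": "10.10.10.2", "dest_ip": "192.168.1.1", "action": "accept"},
    {"id": 3, "source_ip": "10.10.10.10", "dest_ip": "192.168.1.5", "action": "drop"},
    {"id": 4, "source_ip": "10.10.20.1", "dest_ip": "192.168.1.1", "action": "accept"},
]

if __name__ == "__main__":
    for q in ('source_ip="10.10.10.1"', "source_ip=10.10.10",
              'source_IP="10.10.10.1" OR source_IP="10.10.10.2"',
              'source_ip="10.10.10.1" AND dest_ip="192.168.1.1"'):
        print(f"{q:55s} -> event ids {search_ids(EVENTS, q)}")
```

The bare form is where analysts get surprised: `source_ip=10.10.10.1` without quotes also matches the event from 10.10.10.10, because the unquoted value is a substring rather than an exact address. Quoting the value is the way to exclude that kind of over-match when a filter feeds an incident timeline.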
When you have LogIQ configured, you can view all collected logs or only those specific to the network. You also have the option to view all collected network log events at once, or selected network log events that occurred in a standard time period. Another option is to create your own customized time frame for which to view network log events. These search options give you the flexibility to quickly find the information that you need.