Manual Chapter: Enterprise Manager Administrator Guide: Auditing Enterprise Manager System Events

Auditing Enterprise Manager System Events

Working with Enterprise Manager system logging

Enterprise Manager provides a comprehensive set of auditing features so that you can track what types of enterprise management tasks were initiated from a particular Enterprise Manager system.

Viewing and managing log messages provides you with continuous information about system events. Some events pertain to general operating system events, and some are specific to the Enterprise Manager system, such as the starting or stopping of a task, a software importation, or a device discovery.

The mechanism that the Enterprise Manager system uses to log events is the same one that the BIG-IP system uses: the Linux utility syslog-ng. The syslog-ng utility is an enhanced version of the standard UNIX and Linux logging utility syslog.

The types of events that the Enterprise Manager system logs are:

  • System events
    System event messages are based on Linux events, and are not specific to the Enterprise Manager system.
  • Local traffic events
    Local-traffic event messages pertain specifically to the local Enterprise Manager system.
  • Audit events
    Audit event messages are those that the Enterprise Manager system logs as a result of changes to the Enterprise Manager system configuration. Logging audit events is optional.

Because Enterprise Manager is based on TMOS, the system logging feature works the same way as BIG-IP system logging, and the Enterprise Manager system logs all of the same information that the BIG-IP system does. You can review logging features, log types, and how to set log levels in the Logging BIG-IP System Events chapter in the BIG-IP Network and System Management Guide. You can use the procedures in that chapter to configure logging on the Enterprise Manager system. The following section describes additional processes that the Enterprise Manager system logs.

Understanding the specific processes logged by the system

The Enterprise Manager system introduces four processes to TMOS that enable the system to manage other F5 devices in the network. The four processes are:

  • discoveryd
    This process enables the device management features such as device discovery, managing device groups, performing high availability functions, and refreshing device status information.
  • swimd
    This process enables the software image management features, including importing software or hotfix images to the software repository, and deploying software or hotfixes to managed devices.
  • emalertd
    This process enables the custom alerting features for managed devices, including creating alert instances, assigning alert actions, and logging alert events.
  • emfiled
    This process enables the features required to manage device configuration archives, including setting up a rotating archive schedule, and maintaining pinned archives.

For each of these processes, Enterprise Manager can log a variety of events, including device discovery, software installations, alerts for managed devices, and tasks involving managed device configuration archives. When you enable audit logging, the process name appears in the system log along with a more specific description of the event.

Understanding the differences in logging options

Although the system event logging works in the same way as it does for a BIG-IP system, there are certain logging options that differ. Because the logging feature is designed to assist in traffic management, some of the logging options specific to traffic management may not apply to Enterprise Manager. When you set local traffic logging options, some of the events that you can choose to log may not produce logging, because Enterprise Manager does not deal with the same kind of traffic as a BIG-IP Local Traffic Manager system.

The Enterprise Manager system logs the messages for these events in the file /var/log/em.
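
To review a copy of that file by the four Enterprise Manager processes described earlier, the following added example (not F5 code and not part of the original guide) groups log lines by process name and sets aside lines from other processes or lines that do not parse. It assumes the traditional syslog line layout; the sample lines are constructed, because the guide does not show real /var/log/em output.

```python
import re
from collections import Counter

# The four Enterprise Manager processes named in this chapter.
EM_PROCESSES = {"discoveryd", "swimd", "emalertd", "emfiled"}

# Assumption: traditional syslog layout "Mon DD HH:MM:SS host proc[pid]: msg".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Constructed sample lines, not real Enterprise Manager output.
SAMPLE_LOG = """\
Mar  3 09:14:02 em1 discoveryd[2114]: constructed: device discovery task started
Mar  3 09:14:40 em1 swimd[2120]: constructed: software image imported to repository
Mar  3 09:15:05 em1 emalertd[2131]: constructed: alert instance created
Mar  3 09:15:30 em1 emfiled[2140]: constructed: rotating archive created
Mar  3 09:16:00 em1 crond[901]: constructed: unrelated system event
this line is truncated or malformed
Mar  3 09:17:12 em1 swimd[2120]: constructed: hotfix deployed to managed device
"""

def parse_line(line):
    """Return a dict of syslog fields, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage(text):
    """Split a log into per-process EM events, other processes, and unparsed lines."""
    events = {name: [] for name in EM_PROCESSES}
    other, unparsed = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)          # keep for manual review, never drop
        elif rec["proc"] in EM_PROCESSES:
            events[rec["proc"]].append(rec)
        else:
            other[rec["proc"]] += 1
    return events, other, unparsed

if __name__ == "__main__":
    events, other, unparsed = triage(SAMPLE_LOG)
    for proc in sorted(events):
        print(f"{proc}: {len(events[proc])} event(s)")
    print("other processes:", dict(other), "| unparsed lines:", len(unparsed))
```

To use it on real data, pass the text of an exported log file to triage() in place of SAMPLE_LOG and adjust LINE_RE if the system's line layout differs.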

Enabling audit logging

By default, the auditing feature that logs system events is not activated. If you want to log system events, you must enable audit logging. Audit logging logs messages that pertain to configuration changes that users or services make to the Enterprise Manager system configuration.

Audit logging logs messages whenever an Enterprise Manager system object, such as a software image or a device group, is created, modified, or deleted. There are three ways that objects can be configured:

  • By user action
  • By system action
  • By loading configuration data

You can choose one of four log levels for audit logging. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.

The log levels for audit logging are:

  • Disable
    This turns audit logging off. This is the default value.
  • Enable
    This causes the system to log messages for user-initiated configuration changes only.
  • Verbose
    This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
  • Debug
    This causes the system to log messages for all user-initiated and system-initiated configuration changes.

To enable audit logging

  1. On the Main tab of the navigation pane, expand System, and click Logs.
    The System Logs screen opens.
  2. On the menu bar, click Options.
    The Options screen opens.
  3. In the Audit Logging section, in the Audit list, select a log level.
  4. Click Update.

Viewing system logs

You can find the Enterprise Manager system log in the same location as you can find it on the BIG-IP system. On the Main tab of the navigation pane, expand System, and click Logs. You can then choose a log type from the menu bar, depending on the type of log that you want to view.
