Viewing and maintaining log messages is an important part of maintaining the Access Policy Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the system, while other events are specific to the Access Policy Manager, such as stopping and starting Access Policy Manager system services.
The Access Policy Manager uses syslog-ng to log events. The
syslog-ng utility is an enhanced version of the standard logging utility
syslog.
| | Access Policy events
Access Policy event messages include logs pertinent to access policy, sso, network access, and portal access. To view access policy events, run Access Policy reports; expand Access Policy and click Reports. |
| | Audit Logging
Audit event messages are those that the Access Policy Manager system logs as a result of changes made to its configuration. |
For more information on other log events, refer to BIG-IP® TMOS®: Concepts on the Ask F5
TM web site,
http://support.f5.com.
The logging mechanism on an Access Policy Manager system includes several features designed to keep you informed of system events in the most effective way possible.
One of the primary features of logging is its ability to log different types of events, ranging from system events to access control events. Through the Access Policy Manager system auditing feature, you can even track and report changes that administrator makes to the BIG-IP
® system configuration, such as adding a virtual server or changing an access policy. For more information, see
Understanding log content, and
Understanding log types.
When setting up logging on the Access Policy Manager, you can customize the logs by designating the minimum severity level, or log level, that you want the system to report when a type of event occurs. The
minimum log level indicates the minimum severity level at which the system logs that type of event.
The logs that the BIG-IP system generates include several types of information. For example, some logs show a timestamp, host name, and service for each event. Moreover, logs sometimes include a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs contain an up to 2-line description of each event.
Table 13.1, following, displays the categories of information contained in the logs, and the specific logs in which the information is displayed.
By default, Access Policy Manager writes logs to a database and to the /var/log/apm file. Access Policy Manager reports run against the data in the database. You can: Specify how frequently to remove the oldest logs from the database; Control the maximum number of log entries that the database can hold; Remove all existing log records
| 1. | From the Main tab, select Access Policy > Reports > Preferences. The Preferences window opens. |
| 2. | In the Log Rotation Period box, type a number between 0 and 90. The default value is 0. When set to 0, log database tables are rotated only when the database contains the maximum number of log entries. When set to a value between 1 and 90, log database tables are rotated every n number of days. (If the maximum number of log entries is reached despite regular rotation, log database tables are rotated regardless.) |
| 3. | In the Maximum Number Of Log Entries box, type a number between 100000 and 5000000 (100,000 and 5,000,000). Do not type commas. The default value is 5000000. |
| 1. | From the Main tab, select Access Policy > Reports > Preferences. The Preferences window opens. |
| 2. | Next to Log Database Maintenance, click Delete. All records are deleted from the reporting log database. |
In addition to logging to a database, Access Policy Manager logs to the /var/log/apm file. You might need the log file to help you troubleshoot a problem. If you configured logging to a remote server, you need Access Policy Manager to write to the log file for remote logging to work.
| 1. | From the Main tab, select Access Policy > Reports > Preferences. |
| 2. | Clear the Enabled box for Write To APM Log File. |
When running performance tests or under a very high traffic load, the /var/log/apm file can grow very large. While testing and otherwise, when a very high traffic load persists, you can mitigate the effect by disabling logging to /var/log/apm/ or by setting the log level to emergency only.
To configure log rotation for the BIG-IP system, use the tmsh sys log-rotate command. For more information about tmsh, refer to the
Traffic Management Shell (tmsh) Reference Guide. You can also use the man pages for tmsh.
To configure remote logging, use the tmsh modify /sys syslog remote-servers command. For more information about the command, refer to the
Traffic Management Shell (tmsh) Reference Guide. You can also use the man pages for tmsh.
| | Access policy: Includes messages created during access policy validation, sso, network access, and portal access. |
| | Audit: Includes configuration changes. |
| | Access policy events: Messages are logged in a database; you can view them using Access Policy Manager reports. By default, messages are also logged to the /var/log/apm file. |
| | Audit events: Messages are logged in the /var/log/audit file when audit logging is enabled. |
Many events that occur on Access Policy Manager are operating system-related events, and do not specifically apply to the Access Policy Manager. The Access Policy Manager logs the messages for these events in the /var/log/messages file.
Using the Configuration utility, you can display audit log messages. Table 13.2 shows some sample audit log entries. In this example, the first entry shows that user Janet enabled the audit logging feature, while the second and third entries show that user Matt designated the BIG-IP system to be a redundant system with a unit ID of
1.
Using the Configuration utility, you can set log levels on auditing events and other types of events. The
minimum log level indicates the minimum severity level at which the system logs that type of event. For more information, see
To set a minimum log level for local traffic events, following.
For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of the Access Policy Manager system configurations, or system-initiated configuration changes. For more information, see
Setting log levels for auditing events.
| 2. | On the menu bar, click Configuration, and select Options. The Logs screen changes to display the various logging options available. |
| 2. | On the menu bar, click Configuration, and select Options. The Logs screen changes to display the various logging options available. |
An optional type of logging that you can enable is audit logging. Audit logging logs messages that pertain to configuration changes that users or services make to the BIG-IP system configuration. This type of audit logging is known as
MCP audit logging. (For more information, see
Auditing configuration changes.) Optionally, you can set up audit logging for any
tmsh commands that users type on the command line.
For both MCP and tmsh audit logging, you can choose one of four log levels. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.
For detailed information about auditing events, refer to the BIG-IP® TMOS®: Concepts on the Ask F5
TM web site,
http://support.f5.com.
| | Disable
This turns audit logging off. This is the default value. |
| | Enable
This causes the system to log messages for user-initiated configuration changes only. |
| | Verbose
This causes the system to log messages for user-initiated configuration changes and any loading of configuration data. |
| | Debug
This causes the system to log messages for all user-initiated and system-initiated configuration changes. |
Access Policy Manager supplies built-in reports and enables you to create custom reports. Built-in Session Reports enable you to review information about the sessions created on the system. With Access Policy Manager, the All Sessions report is the default report and displays first. You can set a different report as the default. After displaying the default report, you can then choose to run and view other built-in reports, such as Current Sessions. You can also define and run custom reports.
The default report runs each time you open the Reports window. If you do not set the default report, the All Sessions report functions as the default.
| 1. | Select Access Policy > Reports > View Reports. |
The Report Parameters window opens, with a one-line description of the current default report and default Restrict by Time settings.
| 3. | Click Run Reports. The default report opens in the right pane. |
| a) | Scroll to the Session Reports list and select All Sessions > Run. The Report Parameters window opens, with a one-line description of the report and default Restrict by Time settings. |
| c) | Click Run Reports. The All Sessions report is displayed in a new tab. |
| 1. | Select Access Policy > Reports > View Reports. |
The Report Parameters window opens, with a one-line description of the default report along with default Restrict by Time settings.
| 2. | Click Run Reports. The default report is displayed. |
In addition to viewing the reports through the navigation pane, you can also use the command line interface and script, called
adminreport.pl to view additional reports, such as
acllogs,
logonlogs,
acllogsforsession,
and
saforsession.
Table 13.3 lists the available command line utility commands and their descriptions.
Custom reports enable you to define the desired data, any constraints that you want to place on the data, and the sort order to use in a report. You can save, edit, and delete custom report definitions. In addition to running custom reports, you can export the report data to files.
| 1. | Select Access Policy > Reports > View Reports. |
The Report Parameters window opens, with a one-line description of the default report along with default Restrict by Time settings.
| 2. | Click Run Reports. The default report is displayed. |
| 8. | Click Save. The Design Custom Report window closes. The name of the newly created custom report is displayed under Report Names in the Custom Reports area. |
| 1. | Select Access Policy > Reports > View Reports. |
The Report Parameters window opens, with a one-line description of the default report along with default
Restrict by Time settings.
| 2. | Click Run Reports. The default report is displayed. |
| 1. | Select Access Policy > Reports > View Reports. |
The Report Parameters window opens, with a one-line description of the default report along with default Restrict by Time settings.
| 2. | Click Run Reports. The default report is displayed. |
You can monitor overall system performance and Access Policy Manager session information. The BIG-IP
® system provides a dashboard that displays system statistics graphically, showing gauges and graphs, and you can view the same statistics in a table view. You can also view user session information specific to Access Policy Manager.
You can display the BIG-IP® system main dashboard from the navigation pane. Expand
Overview, and click
Dashboard tab. For more information on how to monitor overall system performance for the BIG-IP
® system, refer to
Getting Started Guide: BIG-IP®systems.
The dashboard also includes online help for information about how to interpret statistics on each of the panels that appear on the screens. Click the question mark (
?) in the upper right corner of any window to display the online help.
In addition to the BIG-IP® system main dashboard, you can use the Access Policy Manager dashboard to view specific Access Policy Manager users session-based statistics, as well as throughput data.
The top left panel of the Access Policy Manager dashboard displays the total and established connections for all current active and new sessions. This panel is called
Access Sessions.
You can view them in either real-time, or historical time ranges. You may want to view active sessions at various times of the day to determine the peak and select the best time to perform system maintenance, for example. If you notice that the total number of sessions peaked while the total number of established sessions remain low, this may be an indication that a possible malicious attack is occurring in your network environment.
The bottom left panel of the Access Policy Dashboard displays cache effectiveness by comparing the three available metrics. This panel is called
Portal Access. There are currently no tabs available for this panel, but the metrics include:
Hits and misses are derived by subtracting the server responses from the client responses. A server response indicates that the requested information was not in cache.
The right top panel of the Access Policy dashboard displays throughput data for the amount of traffic through the network access tunnels, as well as displays open and new connections. This panel is called
Network Access.
Use this panel to determine how much traffic is going through the tunnels, and how many people are generating that traffic. For example, if there are two tunnels, and those particular users are generating gigabytes of traffic, you may want to further investigate the activities on those tunnels.
| | Throughput: Displays the amount of throughput for data transfers through the network access tunnels. |
| | Open Connections: Displays the number of open connections through the network access tunnels. |
| | New Connections: Displays the number of new connections through the network access tunnels. |
| | Compression: Displays the compression level through the network access tunnel. The Compression tab provides a gauge as well as a chart. |
ACL Actions: Displays the action that the access control list takes when an access control entry is encountered.
in the upper left corner of each window, you 
