Applies To:

Show Versions Show Versions

Manual Chapter: Access Reporting and Statistics
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Access Reporting and Statistics

About Access and SWG reports

Access reports focus on session and logging data from Access devices (managed devices with APM licensed and provisioned). F5® Secure Web Gateway Services reports focus on user requests (for URLs or applications, for example) from Access devices with Secure Web Gateway Services provisioned. BIG-IQ® Centralized Management Access also supports high availability. Thus, users can view both Access and SWG reports on a secondary BIG-IQ system.

Access reports and SWG reports provide the following features.

  • Reports on any combination of discovered devices, Access groups, and clusters
  • Graphs for typical areas of concern and interest, such as cross-geographical comparisons or top 10 issues
  • Tabular data to support the graphs
  • Ability in some screens to drill down from summarized data to details
  • Ability to save data to CSV files

Setup requirements for Access and SWG reports

Before you can produce Access reports and SWG reports, you must ensure that these tasks are already complete.

  • Set up the BIG-IQ® Centralized Management data collection devices.
  • Add the BIG-IP® devices to BIG-IQ inventory.
  • Discover the devices. (Devices with the Access service configuration are what you need.)
  • Run the data collection device configuration setup on the devices from the Access Reporting screen.

What data goes into Access reports for the All Devices option?

The All Devices option for Access reports includes data from the devices that are currently managed (discovered) in the BIG-IQ® system. This is in addition to data from devices that were managed at some point during the report timeframe, but that are not currently managed. With All Devices selected, if data from unmanaged devices exists, it displays in reports.

An unmanaged device might be unmanaged temporarily or permanently. Any time a configuration management change causes APM® to be undiscovered, the device and its data are moved to All Devices until APM is re-discovered on the device.

You cannot generate a report for an unmanaged device. However, you can generate a report for the timeframe when the device was managed, and then search the report for the unmanaged device name. In the Summary report, All Active Sessions includes the number of sessions that were active on the device when it became unmanaged. Those sessions stay in the Summary and in the Active sessions reports until the next session status update, which occurs every 15 minutes.

About upgrades affecting reports

When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, it deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the lost of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on elasticsnapshots, refer to F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version x.x.

About the application dashboard

The Application Summary dashboard is your starting point to view and download general reports for BIG-IQ Access.

View the Application Summary dashboard

The BIG-IQ Centralized Management Application Summary dashboard displays information regarding the applications linked to the system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Application Summary.
The Application Summary screen opens, showing detailed information and charts for specific applications.

About user visibility

You can monitor your user base by viewing the BIG-IQ® Centralized Management Access user dashboard for data on specific users. The system displays which users created the most sessions, were denied the most sessions, and had the longest total session duration. The administrator can enter a specific user name to get the following details for the user:

  • The user login locations on a world map
  • The total sessions, denied sessions, and session duration
  • The Access denied sessions.
  • The top authentication failures, including AD Auth and LDAP only
  • The device type users used to log into the system
  • The reason the system terminated the session
  • The login history showing the success and failures over time
  • The most accessed applications
  • The most accessed URLs
  • The login failure attempts over time, sorted by the reason
  • The client session duration over time
  • The Access denied reason over time

About application visibility

You can monitor your applications by viewing the BIG-IQ® Centralized Management Access user dashboard for data on which applications are linked to the BIG-IQ Access component. The system displays the top applications used and the application usage time. Administrators can expand the GUI for a specific application and view the following information:

  • The application access history
  • The users who use the application the most
  • The access history
  • The world map, showing where the user is access the application

About denied sessions

You can monitor the sessions that BIG-IQ® Centralized Management denies. By using the Access Monitoring option, you can view the following information:

  • The history of denied sessions
  • The reasons why sessions were denied
  • The top denied users, sorted by session count
  • The top authentication failures
  • The top denied policies
  • The top denied sessions by country of origin
  • The top denied session by the virtual server
  • The denied sessions, sorted by the client platform

Viewing denied sessions

You can use the BIG-IQ Centralized Management Access reporting features to see which sessions were denied by the system, as well to create a report.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click Monitoring > DASHBOARDS > Access > Sessions > Denied.
  3. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  4. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  5. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.
From here, you can view details regarding denied sessions and create a report.

Managing a specific user in Access reporting

You can use the BIG-IQ Centralized Management Access reporting tools to view the user dashboard for data on a specific user.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click Monitoring > DASHBOARDS > Access > User Summary.
    The User Summary screen displays, showing detailed information for specific users.

Running Access reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Access reports for any device with the APM service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click Monitoring.
  2. On the left, select DASHBOARDS > Access.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or, select one or more of the other options (<Access group name>, <Cluster display name>, and <Device name>).
    • All Devices Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices Includes all Access devices that are currently discovered.
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Getting the details that underlie an Access report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
From the Summary report, and from most session reports, the initial display includes graphs that summarize the report data. You can get successively more detailed information by clicking a bar or a point on a graph or clicking a link if one is displayed on the screen.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access.
    The Summary report is an example of the type of report that presents high-level data, and provides access to underlying data.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. Click anywhere in a summary to get more information.
    Figure 1. Top left portion of the Summary report display To get details from a summary, click the brightly colored number or the brightly colored bar.
    Additional graphs display, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display more details.
  6. Scroll down to the table to view the supporting data.
  7. If the table includes a Session ID field, click the link in that field to open the session details.
    Figure 2. Session details popup screen (with addresses and host names blurred) Session details report displays local time, hostname, log level, message, and a Session Variables tab.
  8. To change which records display on this screen, select a log level from the LOG LEVEL list at the top of the screen.

About the maximum number records for Access and SWG reports

When you run an Access report or an SWG report, Access can get up to 10,000 records to display to you. After you scroll to the end of those 10,000 records, Access displays a message. At that point, all you can do is select fewer devices or select a shorter timeframe.

Setting the timeframe for your Access or SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Use the TIMEFRAME list at the top of any Access or SWG report to change the report time period.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click Monitoring.
  3. To set a predefined timeframe, select one of these from the TIMEFRAME list: Last hour, Last day, Last week, Last 30 days, Last 3 months.
  4. To set a custom timeframe, select one of these from theTIMEFRAME list:
    • Between: Click each of the additional fields that display to select dates and times. The report displays the records between those dates and times.
    • Before: Click the additional fields that display to select a date and a time. The report displays the records before that date and time.
    • After: Click the additional fields that display to select a date and a time. The report displays the records after that date and time.

Access report problems: causes and resolutions

Problem Resolution
A session is over, but it continues to display in the Active sessions report. If a session starts when logging nodes are up and working, but terminates during a period when logging modes are unavailable, the session remains in the Active sessions report for 15 minutes. After 15 minutes, the session status is updated and the session is dropped from the report.
Active sessions are included in the Summary and Active sessions reports for a device that is no longer managed. Sessions were active on a device when it was removed from an Access group and became unmanaged. Sessions that were active when the device became unmanaged remain counted in All Active Sessions on the Summary screen and stay in the Active sessions report until the next session status update, which occurs every 15 minutes.
A session is over, but Session Termination and Session Duration are blank in a session report. If a session starts when logging nodes are up and working but terminates during a period when logging nodes are unavailable, the session termination is not recorded and the session duration cannot be calculated.

What can cause logging nodes to become unavailable?

Logging nodes are highly available, but it is still possible for them to become unavailable. This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and the power to the lab shuts down.

Sessions

Running Session reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Session reports for any device with the APM service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click Monitoring.
  2. On the left, select DASHBOARDS > Access > Sessions.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, and <Device name>).
    • All Devices Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices Includes all Access devices that are currently discovered.
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Stopping sessions on BIG-IP devices from Access

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can stop currently active sessions on BIG-IP devices, using the Active sessions report on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. On the left, from Sessions, select Active.
    The screen displays a list of active sessions for all devices.
  5. To display sessions for particular devices, groups, or clusters only, select them from the ACCESS GROUP/DEVICE list at upper left.
    The screen displays the active sessions for the selected devices.
  6. To stop specific sessions only, select the sessions that you want to end and click Kill Selected Sessions.
  7. To stop all sessions, click Kill All Sessions.

Running Secure Web Gateway reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SWG provisioned on it can provide data for Secure Web Gateway reports.
You can create SWG reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Secure Web Gateway.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. From the left, select any report that you want to run.
  5. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Getting the details that underlie an SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SWG provisioned on it can provide data for SWG reports.
From the Summary report, the initial display includes graphs that summarize the report data. You can get more detailed information by clicking a bar or a point on a graph to see additional graphs and tables with supporting entries.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Secure Web Gateway.
    The Summary starts to generate and display. A timeline and some summaries display across the top of the screen. Graphs display under the summaries. Each graph provide different views of the data.
  4. Click any bar in a graph on the display to get more information.
    Additional graphs provide different views of the data, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display them.
  6. Scroll down to the table to view the supporting data.

About VDI reports

You can monitor your virtual desktop infrastructure (VDI) by viewing the BIG-IQ® Centralized Management Access user dashboard for VDI applications, and creating a VDI report. The system displays the top VDI applications used and the application usage time. Administrators can expand the UI for a specific application, and view the following information:
  • The top 10 VDI applications
  • The top users for the VDI applications
  • The application usage history

Managing federation reports

Running OAuth reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with OAuth provisioned on it can provide data for OAuth reports.
You can create OAuth reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth.
  4. Select Authorization Server, Client, or Resource.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  5. From the left, select any report that you want to run.
  6. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  7. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Monitoring the OAuth server performance

The Authentication Server Summary screen shows several charts that you can use to track the health of your authorization server role. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth > Authorization Server > Server Performance.
    The Authorization Server Peformance screen opens.
  4. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. From the AUTHORIZATION SERVER list, select an OAuth authorization server.
  7. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Monitoring the OAuth token summary

The Token Summary screen shows several charts that you can use to track the health of your OAuth tokens. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth > Authorization Server > Tokens.
    The Authorization Server Peformance screen opens.
  4. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. From the AUTHORIZATION SERVER list, select an OAuth authorization server.
  7. From the GRANT TYPE list, select an OAuth2 grant type.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running SAML reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.
You can create SAML reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML.
  4. Select SP Summary or IdP Summary.
    A Summary report (for all devices and a default timeframe) opens, displaying chart data for assertions over time, the top SPs or IdPs with successful assertions, the top client IP addresses, the top subject values with successful assertions, and the top SP or IdPs with failed assertions.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.
  9. To view the successful SP assertions, click Assertions Success.
    The Successful Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with successful assertions.
  10. To view the failed SP assertions, click Assertions Failed.
    The Failed Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with failed assertions.

Running SP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML.
  4. Select SP Summary > SP Assertions Report.
    The SP Assertions screen opens, displaying a table with assertion information.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running SP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML.
  4. Select SP Summary > SP Error Report.
    The SP Errors screen opens, displaying a table with error reports.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running IdP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdPs assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML.
  4. Select IdP Summary > IdP Assertions Report.
    The IdP Assertions screen opens, displaying a table with assertion information.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the IdP list, select an identity provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running IdP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML.
  4. Select IdP Summary > IdP Error Report.
    The IdPs Errors screen opens, displaying a table with error reports.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the IdP list, select an identity provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Configure remote high-speed BIG-IQ and SWG event logging

You can configure the BIG-IQ® system to log information about BIG-IQ and Secure Web Gateway events and send the log messages to remote high-speed log servers.

When configuring remote high-speed logging of events, it is helpful to understand the objects you need to create and why, as described here:

Object Reason
Pool of remote log servers Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted) Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Destination (formatted) If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher Create a log publisher to send logs to a set of specified log destinations.
Log Setting Add event logging for the APM system and configure log levels for it or add logging for URL filter events, or both. Settings include the specification of up to two log publishers: one for access system logging and one for URL request logging.
Access profile Add log settings to the access profile. The log settings for the access profile control logging for the traffic that comes through the virtual server to which the access profile is assigned.

Task summary

Perform these tasks to configure remote high-speed BIG-IQ and SWG event logging on the BIG-IQ system.
Note: Enabling remote high-speed logging impacts BIG-IQ system performance.

Task list

Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type a service number in the Service Port field, or select a service name from the list.
      Note: Typical remote logging servers require port 514.
    3. Click Add.
  5. Click Finished.

Create a new log destination

Before you can create a new log destination, you must have configured a remote log server to send the logs to.

Use this screen to create a new log destination for a managed device.

Create a log destination to specify that log messages are sent to a remote log server.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. To create a new log destination, click Create.
    The New Log destination screen opens so you can define the settings you want for this destination.
  3. In the Name field, type in a name for the log destination you are creating.
  4. For Type, select the kind of destination you are creating.
    Depending on the selection you make, additional controls are displayed.
  5. Specify the additional settings needed to suit the requirements for this log destination. The fields required to create a new log destination depend on the type you choose. BIG-IQ denotes required fields using an amber box. You can also determine whether you have completed all of the required fields by noting whether the Save & Close button is enabled.
    Note: Except for the Devices and Device Specific settings, the parameters on this screen perform the same function as they do when you configure a log destination on a BIG-IP device. For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log destination parameters for BIG-IP version 13.0 is provided in the External Monitoring of BIG-IP Systems: Implementations, Version 13.0 guide.
  6. When you create a Log Destination and select a type of IPFIX or Remote High-Speed Log, you need to specify which devices to associate this destination with. When you create a Log Destination and select a type of Management Port you can specify device specific settings or, if no device specific settings are defined, the base configuration settings are used for any device associated with this log destination.
    Note: For additional detail on device-specific log destination types, refer to What is a device specific log destination? in the F5 BIG-IQ Centralized Management: Local Traffic & Network Implementations guide on support.f5.com.
    • If you have a lot of devices that you need to associate with this log destination and want to automate the process:
      1. Use the steps below to specify one device and then click Save.
      2. Associate this log destination with the log publishers that are pinned to your managed devices.
      3. Come back and edit this log destination. A Find Relevant Devices button displays. You can use this button to let BIG-IQ assemble a list of devices. BIG-IQ finds the BIG-IP devices that this destination can be deployed to. You can use the list to create a device-specific instance of this destination for each BIG-IP.
      4. Click Save to add the listed devices to the Device Specific list.
    • To specify the devices for this log destination manually:
      1. Select the device you want this destination to use
      2. If you are creating an IPFIX or Remote High-Speed Log destination log, select the pool that you want each device to use.
      3. Use the button to add additional devices to the list.
      4. Use the button to remove a device from the list.
      5. Click Save to add the listed devices to the Device Specific list.
    Devices you select for this log destination are added to the Device Specific list.
    Note: Click on a device name in the Device Specific list to edit settings for that device. Bear in mind though that changes you make to one device do not change the settings for other devices, or for the base configuration for the log destination.
  7. Click Save & Close.
    The system creates the new log destination with the settings you specified.

Create a new log publisher

Before you can create a new log publisher, configure a log destination with a pool of remote log servers so you can assign it to your publisher as you create it.

Log publishers specify log destinations that BIG-IP devices can send their log messages to.

  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. To create a new log publisher, click Create.
    The New Log Publisher screen opens so you can define the settings you want for this publisher.
  3. In the Name field, type in a name for the log publisher you are creating.
  4. Select the Log Destinations for this publisher.
    1. Select a destination type from the Available list.
      The list of destinations displays only the type you selected.
    2. Select one or more destinations from the Available list.
    3. Move the selected destinations to the Selected list.
      If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Specify the additional settings needed to suit the requirements for this log publisher.
    The parameters on this screen are optional and perform the same function as they do when you configure a log publisher on a BIG-IP device.
    Note: For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log publisher parameters for BIG-IP version 13.0 is provided in the External Monitoring of BIG-IP Systems: Implementations guide.
  6. Click Save & Close.
    The system creates the new log publisher with the settings you specified.

Configure log settings for access system and URL request events

Create log settings to enable event logging for access system events or URL filtering events or both. Log settings specify how to process event logs for the traffic that passes through a virtual server with a particular access profile.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, clickACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Click EVENT LOGS SETTINGS > Create.
  5. Type a name for the name for the log setting.
  6. In the SSO Configuration Description field, type a descriptive text for the configuration.
  7. For Access System Logs, click the check box to specify a publisher for Access system logs and log levels.
  8. For Access Logs Publisher, select a log publisher.
  9. For the system log types, beginning with Access Policy and ending with ADFS Proxy, from the dropdown lists, select a log level. The default is Notice.
  10. For URL Request Logs, click the check box to select a publisher for the logs and specifies the URL requests to log based on whether the request was blocked or allowed.
  11. For URL Request Logs Publisher, select a log publisher.
  12. For Log Allowed Events, click the check box to log request data when a user tries to access a URL that the URL filter allows.
  13. For Log Blocked Events, click the check box to log request data when a user tries to access a URL that the URL filter blocks.
  14. For Log Confirmed Events, click the check box to log request data when a user confirms a request for access to a URL for which the URL filter requires confirmation.
  15. Click Save & Close.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)