Manual Chapter: Viewing Event Logs in Web Application Security

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

About event log viewing

You can view Web Application Security event logs to review application and server activity. BIG-IQ® Centralized Management provides a single view of all filters and log entries (and details for each entry) from multiple BIG-IP® devices.

You use tags and filters to select which events to view.

  • Filters allow you to select the events to view by constructing a query that the events must match.
  • You can assign tags to events to label them, so that you can use that label in queries.

Before you can view events, event logging must be configured as follows.

  1. Discover and activate a BIG-IQ Data Collection Device.
  2. Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
  3. Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A logging profile determines which events the system logs, where it logs them, and the format of those events. It then directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.

View event logs and define filters and tags

You can review Web Application Security events on applications and servers from one or more BIG-IP® devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security Event Logs screen to define tags and filters to help you find meaningful events.
  1. Click Monitoring > EVENTS > Web Application Security > Events.
  2. To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list.
    A dialog box opens.
    • To create a tag, type the tag name in the provided field and click +.
    • To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
  3. To create filters, click the filter icon to the left of the Filter field in the upper right of the screen. In the dialog box that opens, click Create.
    The New Filter dialog box opens.
    1. In the Filter Name setting, enter a name.
    2. In the Query Parameters area, supply those parameter settings you want to be part of the filter.
      Note that as you enter parameter settings, they are used to construct the filter query in the Query Expression area.
    3. Save your work.
      The new filter is listed on the Filters screen.
  4. To export selected events as a CSV file, select the events using the check box to the left, and click Export.
  5. To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
  6. To see details of an event log entry, click in the event entry row.
    A screen on the right opens and shows details of the event.
  7. In the details screen, you can specify the kind of information to see.
    • You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
    • You can specify either request or response information. Click Request for request information or Response for response information. Both kinds of information contain links in blue that you can click for more information.

Use event log filters

You use event log filters to refine your searches through the event logs, including searches through event logs from multiple BIG-IP® devices.
  1. Click Monitoring > EVENTS > Web Application Security > Filters and Tags > Filters.
  2. To remove a filter, select the check box to the left of the filter and click Remove, then confirm the deletion in the dialog box that opens.
    The filter is removed from the Filters screen.
  3. To modify a filter, click the name of the filter.
    The filter properties screen opens.
  4. Review or revise the settings as needed.
    1. In the Query Expression area, review the current filter query, or type into the text box to modify it directly.
      In most cases, you will want to modify the query expression using the settings in the Query Parameters area, since that builds the query automatically, and so reduces the chance of error.
      The query has the format method:'value' protocol:'value' severity:'value'. For example: method:'GET' protocol:'HTTPS' severity:'error'.
    2. In the Query Parameters area, supply the parameter settings you want to be part of the filter.
      As you enter parameter settings, they are used to construct the filter query in the Query Expression area.
    3. Save your work.
    The filter is updated.
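
The query format described in step 4 can be checked before a hand-typed expression is saved. The following is an added example, not F5 code and not part of the original manual: it builds an expression from parameters and lints a typed one. It assumes only the three field names shown in this page's example and rejects values that contain a single quote, because the page documents no escaping rule.

```python
import re

# Field names taken from the example on this page; BIG-IQ may accept others.
KNOWN_FIELDS = ("method", "protocol", "severity")

# One term has the shape name:'value'. Values containing a single quote are
# not supported here because the page gives no escaping rule (assumption).
TERM = re.compile(r"(\w+):'([^']*)'")


def build_query(**params):
    """Join name:'value' terms with spaces, in the order given."""
    terms = []
    for name, value in params.items():
        if "'" in value:
            raise ValueError(f"value for {name!r} contains a single quote")
        terms.append(f"{name}:'{value}'")
    return " ".join(terms)


def lint_query(expr):
    """Return (parsed_terms, problems) for a hand-typed query expression."""
    terms, problems, pos = {}, [], 0
    for match in TERM.finditer(expr):
        gap = expr[pos:match.start()].strip()
        if gap:  # text between terms that is not a well-formed term
            problems.append(f"unparsed text {gap!r}")
        name, value = match.groups()
        if name in terms:
            problems.append(f"duplicate term {name!r}")
        if name not in KNOWN_FIELDS:
            problems.append(f"field {name!r} is not in the page's example")
        terms[name] = value
        pos = match.end()
    tail = expr[pos:].strip()
    if tail:  # leftover text, typically from an unbalanced quote
        problems.append(f"unparsed text {tail!r}")
    return terms, problems


if __name__ == "__main__":
    good = build_query(method="GET", protocol="HTTPS", severity="error")
    print(good, lint_query(good))
    # Constructed typo: the opening quote before HTTPS is missing.
    print(lint_query("method:'GET' protocol:HTTPS' severity:'error'"))
```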

View and delete event log tags

You can review the tags defined for use with Web Application Security events and remove the tags.
  1. Click Monitoring > EVENTS > Web Application Security > Filters and Tags > Tags.
    The Tags screen shows the defined tags.
  2. To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens.
    The tag is removed from the Tags screen.