Manual Chapter : Managing Audit Logs in BIG-IQ Network Security

Applies To: BIG-IQ Security 4.4.0

About firewall audit logs and the viewer

In large customer environments, multiple users can make changes to security policies. These policy changes to working-configuration objects are captured in a central location (the BIG-IQ Network Security database) not on individual BIG-IP Advanced Firewall Manager (AFM) devices.

Note: A change is defined as: object created, object deleted, object modified.

Users who can access the BIG-IQ Network Security console (shell) have access to this database.

BIG-IQ Network Security logs every configuration change in an audit log, which becomes an important tool for debugging and tracking changes to firewall devices. Audit log entries are visible through the system interface Audit Logs link. The audit log viewer retrieves entries from this database for display in the system interface.

Note: All API traffic on the BIG-IQ system, every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log).

About firewall audit log entry generation

Changes to these working-configuration objects generate log entries:

  • Firewalls
  • Policies
  • Rule lists
  • Address lists
  • Port lists
  • Schedules
  • Snapshots

These actions also generate log entries:

  • Add/edit BIG-IQ Network Security system roles. Tracking role modification provides auditing for the assignment of users to roles.
  • Create/cancel device discovery and reimport.
  • Delete previously-discovered device.
  • Create/delete deployment task.
  • Create difference task.
  • Create/delete snapshot.
  • Edit of system information (such as host name and internal self IP).

About firewall audit logs and high-availability

In high-availability (HA) configurations, each node maintains its own audit log. Entries are synced after the HA configuration is set. If you have entries on the primary node and then configure HA, the previously-generated entries on the primary will not be replicated to the standby node; new entries will be replicated.

Deletions, whether performed manually through the Audit Log viewer or as part of a delete and archive operation, are not replicated: the entries are not deleted on the standby node.

Also, archives are configured separately on each node.

Firewall audit log entry properties

The firewall audit log viewer displays the following properties for each entry.

Client IP: IP address for the BIG-IQ system.
Time: User-friendly timeline of all changes, as well as tasks that were started and canceled. Time is preserved in UTC (Coordinated Universal Time), but the system interface displays the time in the user's local time zone.
Node: FQDN for the BIG-IQ system that recorded the event.
User: User who initiated the action.
Object Name: Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; when activated, it shows the JSON for the object.
Type: Class or group of the object modified.
Action: Type of modification (New, Delete, or Update).
Version: Number of times the system generated the object.

Locating the firewall audit log using SSH

You can review BIG-IQ Network Security audit log contents periodically from the command line and then archive contents locally for off-device processing, troubleshooting, and future reference.
  1. To examine audit logs using SSH, log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
  2. Navigate to the audit log location: /var/log/audit.
  3. Examine files with the naming convention audit.n.txt, where n is the log number.
  4. Once you have located the logs, you can view or save the log locally through a method of your choice.

About the firewall audit log viewer

The Audit Log viewer retrieves entries from the audit log for display in the BIG-IQ Network Security system interface.

Note: The Audit Log viewer is not updated dynamically. You must refresh the page to get new entries.

All BIG-IQ system user roles have read-only access and can view entries. Only users with the role of Administrator or Security_Manager can delete entries or modify configuration settings.

Viewing differences in the viewer

You can use the built-in firewall audit log viewer provided in BIG-IQ Network Security to examine differences between entries listed in the viewer. If the system finds no differences, it displays a message to that effect.
  1. Log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
  2. Below Network Security, click Audit Logs to display the viewer.
  3. To display differences between object generations, click an object in the Object Name column, which opens the Difference Viewer. Areas of differences are highlighted in gold. Additions to a generation are highlighted in green. Textual JSON appears for each difference found.
  4. When you are finished, click Close.

Filtering entries in the viewer

The Filter field at the top of the Audit Logs page enables you to rapidly narrow the scope displayed in the viewer, and more easily locate an entry in the audit log.
  • Filtering is text-based.
  • Filtering is not case-sensitive.
  • To clear the filter, click the X at the end of the search string under the Filter field.
  • All BIG-IQ system roles have read-only access to the audit log and can filter entries.
Note: You can use wild cards in all filtering operations.
  1. Log in to BIG-IQ Network Security.
  2. Below Network Security, click Audit Logs.
  3. In the Filter field, type the information specific to the object you want to filter on, and click Apply.
    Client IP: Type the client IP address in the filter. Note that when a task is not initiated by a user, the entry in the Client IP column is blank.

    Time (mix of letters and numbers): Type a date/time in any of the following formats:
    • mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
    • ddd mmm dd yyyy hh:mm. Example: Thu Jan 16 2014 11:01
    • ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50

    Formats are highly browser-dependent. Other formats might appear to filter successfully, but are not supported. You must include both a date and a time. Entering a single date/time results in a filter that displays all entries from the specified date/time to the current date/time. To filter on a range of times, enter the dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05.

    Time (numbers only): Type a date/time in any of the following formats:
    • m/d hh:mm:ss. Example: 1/1 12:14:15
    • mm/dd hh:mm:ss. Example: 01/01 12:14:15
    • m/d hh:mm. Example: 1/1 12:14
    • m/d h:mm. Example: 1/1 2:14
    • mm/dd hh:mm. Example: 01/01 12:14
    • mm/dd/yy hh:mm:ss. Example: 01/01 12:14:15
    • m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
    • mm/dd/yy hh:mm. Example: 01/01/14 12:14
    • m/d/yy hh:mm. Example: 1/1/14 12:14
    • mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15

    You must include both a date and a time. Typing a single date/time results in a filter displaying all entries from the specified date/time to the current date/time. To filter on a range of times, type the dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18.

    Node: Type the node name in the filter.
    User: Type the user in the filter.
    Object Name: Type the name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, you would specify /Common/AddressList_4 as AddressList_4. Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON.
    Type: Type the type in the filter. Note that WC stands for working configuration.
    Action: Type the action in the filter.
    Version: Type the version number in the filter.
The result of a filter (or search) operation is a set of entries that match the filter criteria, sorted by time.

Deleting entries in the viewer

You can prune entries in the audit log viewer to constrain the list to relevant data and a manageable size. Use the scroll bar to the right to scroll through entries.

There is no set limit on the number of entries that the viewer can display, although the viewer will not display archived entries.

Users with BIG-IQ system roles of either Administrator or Security_Manager can delete entries. All system user roles have read-only access to the audit log, and can view entries.

Note: Exercise care when deleting entries. Once deleted, entries cannot be retrieved.
  1. Log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
  2. At the top left of the screen, below Network Security, click Audit Logs to view the audit log.
  3. Delete one or multiple entries as specified:
    A single entry: Select the check box for the entry you want to delete and then click Remove. You will not receive a confirmation dialog box.
    All entries stored on this BIG-IQ system: Select the check box in the header row and then click Remove. In the confirmation dialog box, click Yes to confirm that you want to delete all entries.
    Important: This action removes all entries, not just those visible in the viewer page.
    Multiple entries: Combine selecting with the Shift key, and then click Remove. You will not receive a confirmation dialog box.
    A filtered batch of entries: Type a text string in the Filter field at the top of the page and click Apply. The result after applying the filter is a batched set of entries that match the criteria. Select the check box at the top of the table in the header row and click Remove. The batch of entries is removed. Note that if you delete a large batch of entries, the operation may take some time if the system has a lot of entries. Also, you must keep the Audit Logs viewer open the entire time.

Setting firewall audit log archival properties in the viewer

  1. Log in to BIG-IQ Network Security.
  2. Below Network Security, click Audit Logs.
  3. Hover over the Firewall header and click the gear icon to display the settable audit log properties.
  4. Complete the properties and status settings, and click Save.
    Days to keep entries: Default is 30 days. The field must contain an integer between 1 and 366.
    Check expiration at this time: Contains the hour and minute when expirations on entries will be checked. You can type the hour and the minute manually (in the format hh:mm). Or, you can click in the field to view and edit in the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute, and then click Done.
    When entries expire: Controls whether entries are deleted from the audit log when they expire, or deleted from the audit log but archived to the audit log archive.
    • Select Delete to delete the entry. (This action is permanent; you cannot get a deleted entry back.)
    • Select Delete and Archive to delete the entry but archive it for future reference.

    Expired entries are saved to a predefined file at /var/log/firewall/archive-audit.0.txt.

    Next run time: Informational, read-only setting, indicating the next time entries will be archived. Run time is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.
    Last run time: Informational, read-only setting, indicating the last time entries were archived. Run time is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00.
    Entries expired at last run time: Number of entries that expired at the last run time.
    Last Error: Informational, read-only setting. The field contains the text No error or the error text for any errors found.
    Last Error Time: Informational, read-only setting. Time in the field is expressed in the format ddd mmm dd yyyy hh:mm:ss. Example: Fri Jan 17 2014 23:50:00.


About the REST API audit log

The REST API audit log records all API traffic on the BIG-IQ system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.

Note: The current iteration of the log is named restjavad-audit.0.log. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in /etc/restjavad.log.conf.

Any user who can access the BIG-IQ Network Security console (shell) has access to this file.

Managing the REST API audit log

The REST API audit log contains an entry for every REST API command processed by the BIG-IQ system, and is an essential source of information about the modules licensed under the BIG-IQ Network Security system. It can provide assistance in compliance, troubleshooting, and record-keeping. With it, you can review log contents periodically, and save contents locally for off-device processing and archiving.
  1. Using SSH, log in to the BIG-IQ Network Security device with administrator credentials.
  2. Navigate to the restjavad log location: /var/log.
  3. Examine files with the naming convention restjavad-audit.n.log, where n is the log number.
  4. Once you have located it, you can view or save the log locally through a method of your choice.
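As an added example that is not part of the F5 manual, the following POSIX shell script automates the two SSH procedures above (the firewall audit log files under /var/log/audit and the REST API audit log files under /var/log): it copies the files to an administrator's workstation and records a SHA-256 manifest so that the off-device copy can later be checked for tampering. The host name, the user "admin" and the destination directory are assumed placeholders; sha256sum from GNU coreutils is assumed to be available locally.

```shell
#!/bin/sh
# Added example (not from the F5 manual): collect the BIG-IQ audit log files
# named in the chapter (audit.n.txt and restjavad-audit.n.log) off the device
# and hash them so that modification of the archived copy is detectable.
# Assumptions: "admin" and the HOST argument are placeholders; sha256sum is
# available on the workstation that runs this script.

# fetch_logs HOST DEST: copy both audit log families from HOST into DEST.
# Needs SSH access to the BIG-IQ system, so it is not exercised offline.
fetch_logs() {
    mkdir -p "$2"
    scp "admin@$1:/var/log/audit/audit.*.txt" "$2/"
    scp "admin@$1:/var/log/restjavad-audit.*.log" "$2/"
}

# write_manifest DIR: hash every file in DIR that follows one of the two
# naming conventions into DIR/SHA256SUMS; prints the number of files hashed.
# Other files in DIR (notes, unrelated downloads) are deliberately ignored.
write_manifest() {
    dir=$1
    count=0
    : > "$dir/SHA256SUMS"
    for f in "$dir"/audit.[0-9]*.txt "$dir"/restjavad-audit.[0-9]*.log; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        (cd "$dir" && sha256sum "$(basename "$f")") >> "$dir/SHA256SUMS"
        count=$((count + 1))
    done
    echo "$count"
}

# verify_manifest DIR: exit status 0 only if every hashed file is unchanged.
verify_manifest() {
    (cd "$1" && sha256sum --status -c SHA256SUMS)
}

# Typical use from the workstation (placeholders):
#   fetch_logs bigiq.example.com ./bigiq-audit-$(date +%Y%m%d)
#   write_manifest ./bigiq-audit-$(date +%Y%m%d)
#   verify_manifest ./bigiq-audit-$(date +%Y%m%d)   # later, before relying on the copy
```

Keep the manifest somewhere other than the archive directory (or sign it) if the archive itself could be edited by the people whose changes it records.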