Manual Chapter : Managing Audit Logs
Applies To:Show Versions
BIG-IQ Centralized Management
- 7.0.0, 6.1.0
Managing Audit Logs
About audit logs
You use audit logs to review changes in the BIG-IQ® system. All BIG-IQ system roles have read-only access to the audit log, and can view and filter entries. Any user with the appropriate privileges can initiate an action.
All API traffic on the BIG-IQ system, and every REST service command for all licensed modules, is logged in a separate, central audit log (
restjavad-audit.n.log) which is located in
/var/logon the BIG-IQ system.
Considerations when using the audit
When using the audit log, consider the following:
- The audit log does not record an entry for every generation of a task. It only records an entry when the task status changes.
- When an object is deleted and then recreated with the same name, partition, and other information, the difference between those objects may show the deleted object as being the previous generation of the new object.
- By default, not all columns are displayed by the audit log to conserve space. To review what columns are displayed, click the gear icon in the upper right of the Audit Logging screen.
Actions and objects that generate audit log
entries in Access
BIG-IQ® Centralized Management records in the audit log all user-initiated changes that occur on the management system. A change is defined as when certain objects are modified, when certain tasks change state, or when certain user actions are performed. For example, when the admin account is used to log in to the BIG-IQ system, the audit log records the time, the user (admin), the action (New) and the object type (Login). The log does not include changes that occurred on BIG-IP® devices that were imported.
Changes to working-configuration objects generate audit log entries. In addition, these actions generate log entries:
- Creating or deleting a user account.
- Users logging in and logging out, including when the user is logged out due to inactivity.
- Creating or cancelling a device discovery or a device reimport.
- Adding a new device to an access group.
- Creating or deleting an access group.
- Removing all services.
- Reimporting a device.
- Saving a configurable property in an existing device object.
- Stopping a session.
- Deleting a previously discovered device.
- Creating or deleting a deployment task.
- Creating a difference task.
- Creating, restoring, or deleting a snapshot.
- Editing some system information (such as editing a host name, a root password, a DNS entry, or an SNMP entry).
Audit log entry properties
The audit log displays the following properties for each log entry.
IP address of the client machine that made the change.
This property is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Source IP address.
Indicates whether the change was made by the internal object synchronization service. This service synchronizes shared objects, such as virtual servers, from the Local Traffic & Network service to the Network Security or Web Application Security services.
Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: mmm dd, yyyy hh:mm:ss (time zone); for example:
Apr 19, 2016 13:09:03(EDT).
Fully qualified domain name for the BIG-IQ system that recorded the event. This appears as the
Hostnameat the top of the BIG-IQ user interface.
Name of the account that initiated the action, such as an account named
Adminfor an administrative account.
Type of modification. For operation changes, the action types include New, Delete, and Modify. For task changes, the action types include Start, Finish, Failed, and Cancelled.
Object identified by a user-friendly name; for example:
Common/global. When the name
RootNodeis listed, that indicates that the object is associated with a BIG-IP device.
RootNodeis typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
Indicates whether there was a change in the object. If
Viewoccurs in this column, there is a change to the object. To view the detailed differences of the change, click
Classification for this action. When the type
Root Nodeis listed, that indicates that the object is associated with a BIG-IP device.
Root Nodeis typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
The administrative partition and name of the parent object. This property is displayed for firewall rules, logging profiles, and DoS profiles. For firewall rules, the parent shows the rule list, firewall, or policy that contains the rule. A change in a firewall rule often also affects the rule's parent object.
Class or group of the parent object.
Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.
View audit entry differences
In the audit log, when potential changes to an object are logged, the
Viewlink is shown in the Changes column for that entry. You can click
Viewto examine the differences between generations of that object.
- At the top of the screen, clickMonitoring.
- On the left, expandLOGS, expandAudit Logs, and then click the component that you want to view audit entries for.
- To display differences for an object, clickViewin the Changes column.A popup screen opens, showing two columns that compare the differences between the two generations of the object in JSON. In these columns, additions to an object generation are highlighted in green, and differences are highlighted in gold.If the system cannot retrieve a generation of an object, the column displays eitherGeneration Not AvailableorGeneration No previous generation. Object information may not be available if it has been automatically purged from the system to conserve disk space, or if it has been deleted.The JSON difference displayed for a delete entry in the audit log shows the JSON difference from the previous operation because the generation identifier is not incremented when an object is deleted.
- When you are finished, clickCloseon the popup screen to return to the Audit Logging screen.
Filter entries in the audit log
You can use the Filter field at the top right of the Audit Logging screen to rapidly narrow the scope displayed, and to more easily locate an entry in the audit log.
- Filtering is text-based.
- Filtering is not case-sensitive.
- You can use wild cards, or partial text.
- All BIG-IQ Centralized Management roles can filter entries.
- To clear the filter, click theXto the right of the search string in theFiltered byfield on the left.
- At the top of the screen, clickMonitoring.
- On the left, expandLOGS, expandAudit Logs, and then click the component that you want to view audit entries for.
- Use the Filter field in the upper right corner to narrow your search:
OptionDescriptionAllSpecifies that all objects should be filtered using the filter text. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it.Client AddressForFilter, type the IP address of the device that generates the logs. Log entries from devices with a different IP address will not be displayed.TimeType both a date and a time. Displayed times are given in the local time of the BIG-IQ system. Supported time formats are highly Web browser-dependent. Time formats other than those listed might appear to filter successfully but are not supported. Entering a single date and time results in a filter displaying all entries from the specified date and time to the current date and time.For time formats that use letters and numbers, enter the date time in one of the following formats:
- Select the field that you want to specify filter options for.
- Type the information specific to the object you want to filter on.
- SelectExactif you want to view only logs that completely match the filtering content you typed. Or, if you want to view any logs that include the filtering content, selectContains.
For time formats that use only numbers, enter the date time in one of the following formats:
- mmm dd yyyy hh:mm:ss. Example:Jan 7 2014 8:30:00
- mmm dd, yyyy hh:mm:ss (time zone). Example:Apr 28, 2016 13:09:03(EDT)
- mmm dd, yyyy. Example:Apr 28, 2016
- mmm dd, yyyy hh:mm:ss. Example:Apr 28, 2016 16:09:06
- ddd mmm dd yyyy hh:mm:ss. Example:Thu Jan 16 2014 11:13:50
NodeType the node name in the filter.UserType the user account name in the filter.Action: OperationType the operation action name in the filter. Operation actions include: New, Delete, and Modify.Search results for a search on values in the Action column may match additional hidden values since the underlying metadata is being searched.Action: Task StatusType the task status action name in the filter. Task status actions include: Start, Finish, Cancelled, and Failed.Search results for a search on values in the Action column may match additional hidden values since the underlying metadata is being searched.Object NameType the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered asAddressList_4. Because the device-specific object name includes the BIG-IP host name, you can enter a full or partial device name to get all objects for a specific BIG-IP device.Object TypeType the object type in the filter.ParentType the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule.Parent TypeType the Parent Type name in the filter. Only appears when the Parent field contains a value.ContainsSpecifies that the filter text is contained within the object specified. When you selectContains:
- mm/dd/yy hh:mm:ss. Example:01/01/16 12:14:15
- m/d/yy hh:mm:ss. Example:1/1/14 12:14:15
- mm/dd/yyyy hh:mm:ss. Example:1/1/2014 12:14:15
ExactSpecifies that the filter text is exactly contained within the object specified. WhenExactis selected:
- If the filter text is a string, the filter text matches an entire string or only a part of a string.
- If the filter text is an IP address, the filter text matches an IPV4 or IPV6 address that is the same as the filter text, or matches an IPV4 address range or subnet that includes the filter text. IPV6 addresses can not be found within a range or subnet.
- If the filter text is a port number, the filter text matches a port number that is the same as the filter text, or matches a port number range that includes the filter text.
- If the filter text is a string, the filter text matches only the entire string.
- If the filter text is an IP address, the filter text matches only an IPV4 or IPV6 address that is the same as the filter text.
- If the filter text is a port number, the filter text matches only a port number that is the same as the filter text.
The result of a search filter operation is a set of entries that match the filter criteria, sorted by time.
Customizing the audit log display
You can customize the audit log display to assist you in locating information faster.
- To customize the order of columns displayed, click any column header and drag the column to the location you want.
- To sort by column, click the name of the column you want to sort. Not all columns can be sorted. When sorting items in the Object Name column, partition names are ignored. For example, the object nameCommon/rule1would be sorted without the common partition name, as if it were namedrule1.
- To resize columns, click the column side and drag it to the preferred location.
- To select what columns are displayed, click the gear icon in the upper right of the Audit Logging screen. In the popup screen, select columns you want to display and clear columns you do not want to display. Move your cursor away from the screen to dismiss it.
Managing audit log archive settings
You can view or change the audit archive settings. The archived audit log files are stored in the
/var/config/rest/auditArchive/directory on the BIG-IQ system. You can view Access audit logs based on the following Access roles:
- Log in to BIG-IQ Centralized Management system with Administrator or Security Manager credentials.
- SelectAudit Loggingfrom the BIG-IQ menu.
- Click theArchive Settingsbutton in the upper left of the Audit Logging screen to display the audit log settings.
- Complete or review the properties and status settings, and clickSave.PropertyDescriptionRetain EntriesSpecifies the number of days after the audit log entries are archived.Weekly UpdateSpecifies which days of the week to update the audit log. Select the check box to the left of each day that you want the audit log to be updated. The default is every day.Start TimeSpecifies when the audit archiving should begin. The default is 12:00 am.Items ExpiredDisplays the read-only number of entries that have expired.Last ErrorIf an error has occurred, displays the read-only error text for any errors found.Last Error TimeIf an error has occurred, displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss, for example,Fri Jan 17 2014 23:50:00.
About archived audit logs
You can view or change how audit logs are archived by clicking the
Archive Settingsbutton on the Audit Logging screen.
Archived audit log files are stored in the
archive-audit.n.txtfile in the appropriate subdirectory of the
/var/config/rest/auditArchivedirectory on the BIG-IQ® Centralized Management system:
- Network Security audit log:/var/config/rest/auditArchive/networkSecurity/
- Web Application Security audit log:/var/config/rest/auditArchive/webAppSecurity/
- Fraud Protection Service audit log:/var/config/rest/auditArchive/websafe/
- Local Traffic and Network audit log:/var/config/rest/auditArchive/adc/
- Device Management audit log:/var/config/rest/auditArchive/device/
- Access audit log:/var/config/rest/auditArchive/access/
Audit entries are appended to the
archive-audit.0.txtfile. When the
archive-audit.0.txtfile reaches approximately 800 MB, the contents are copied to
archive-audit.1.txt, compressed into the
archive-audit.1.txt.gzfile, and a new empty
archive-audit.0.txtfile is created, which then has new audit entries appended to it.
Up to five compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named
archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always
archive-audit.1.txt.gzand the oldest is always the highest numbered archive, typically,
The file content rotation occurs whenever
archive-audit.0.txtis full. At that time, the content of each
rchive-audit.n.txt.gzfile is copied into the file with the next higher number, and the content of
archive-audit.0.txtis copied into
archive-audit.1.txtand then compressed to create
archive-audit.1.txt.gz. If all five
archive-audit.n.txt.gzfiles exist, during the rotation the contents of
archive-audit.5.txt.gzare overwritten, and are no longer available.
About audit logs in high-availability configurations
In high-availability (HA) configurations, there is a primary and secondary BIG-IQ® system. During failover, the audit log entries and the audit archive settings are copied from the primary to the secondary system before the secondary system becomes the new primary system.
However, archived audit logs are not copied from the primary to the secondary BIG-IQ system.
About the REST API audit log
The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (
restjavad-audit.n.log) located on the system.
The current iteration of the log is named
restjavad-audit.0.log. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in
Any user who can access the BIG-IQ system console (shell) has access to this file.
Managing the REST API audit log
The REST API audit log contains an entry for every REST API command processed by the BIG-IQ system, and is an essential source of information about the modules licensed under the BIG-IQ system. It can provide assistance in compliance, troubleshooting, and record-keeping. With it, you can review log contents periodically, and save contents locally for off-device processing and archiving.
- Using SSH, log in to the BIG-IQ Access system with administrator credentials.
- Navigate to therestjavadlog location:/var/log.
- Examine files with the naming convention:restjavad-audit.n.log.The letternrepresents the log number.
- Once you have located it, you can view or save the log locally through a method of your choice.