Manual Chapter : Access Reporting and Statistics

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

Access Reporting and Statistics

About Access and SWG reports

Access reports focus on session and logging data from Access devices (managed devices with APM licensed and provisioned). F5 Secure Web Gateway Services reports focus on user requests (for URLs or applications, for example) from Access devices with Secure Web Gateway Services provisioned. BIG-IQ Centralized Management Access also supports high availability. Thus, users can view both Access and SWG reports on a secondary BIG-IQ system.
Access reports and SWG reports provide the following features.
  • Reports on any combination of discovered devices, Access groups, and clusters
  • Graphs for typical areas of concern and interest, such as cross-geographical comparisons or top 10 issues
  • Tabular data to support the graphs
  • Ability in some screens to drill down from summarized data to details
  • Ability to save data to CSV files

Setup requirements for Access and SWG reports

Before you can produce Access reports and SWG reports, you must ensure that these tasks are already complete:
  • A BIG-IQ data collection device is configured in the BIG-IQ system.
  • Add the BIG-IP devices to the BIG-IQ inventory.
  • Discover the BIG-IP devices with the Access service configuration.
  • Run the data collection device configuration setup on the devices from the Access Reporting screen.

What data goes into Access reports for the All Devices option?

The
All Devices
option for Access reports includes data from the devices that are currently managed (discovered) in the BIG-IQ system. This is in addition to data from devices that were managed at some point during the report timeframe, but that are not currently managed. With
All Devices
selected, if data from unmanaged devices exists, it displays in reports.
An unmanaged device might be unmanaged temporarily or permanently. Any time a configuration management change causes APM® to be undiscovered, the device and its data are moved to
All Devices
until APM is re-discovered on the device.
You cannot generate a report for an unmanaged device. However, you can generate a report for the timeframe when the device was managed, and then search the report for the unmanaged device name. In the Summary report, All Active Sessions includes the number of sessions that were active on the device when it became unmanaged. Those sessions stay in the Summary and in the Active sessions reports until the next session status update, which occurs every 15 minutes.

About upgrades affecting reports

When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, it deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the loss of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on elasticsnapshots, refer to
F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version
x.x.

View SWG statistics for all managed devices

Before you can display statistcs in the SWG analytics screen, you must have the following configured:
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • To view the SWG Dashboard, statistics collection on the BIG-IP device should be enabled.
    For BIG-IP devices running versions 13.1.0.5 or later, enabling the BIG-IP device's statistics collection may affect the information that appears in the Secure Web Gateway Summary screen (
    Monitoring
    DASHBOARDS
    Access
    Secure Web Gateway
    Secure Web Gateway Summary
    ).
  • For BIG-IP devices running versions 13.1.0.5, or later, you must have AVR provisioned on your BIG-IP device.
View statistics for all traffic managed with Secure Web Gateway (SWG) to ensure that your configured access profile properly secures the users within your network.
  1. At the top of the screen, click
    Monitoring
    .
  2. Click
    DASHBOARDS
    SWG
    .
    The screen displays the SWG analytics screen. By default, the screen displays statistics from the past hour. You can adjust the time settings using the controls found at the top of the screen.
  3. To display events that correspond with the chart timeline, click
    Events
    .
    Events that occurred within the selected time period are displayed in the chart. You can select the event icons within the chart to display event details.
  4. Expand the dimensions found at the far right of the screen to view additional data.
  5. Filter displayed data by dimension objects:
    1. To filter data by one or more BIG-IP devices, expand
      BIG-IP Host Names
      or
      BIG-IP Blade Numbers
      and select one or more dimension objects.
    2. To filter data by traffic or security settings (e.g. a URL category and a corresponding action) expand the remaining dimensions and select one or more dimension objects.
      You can select objects from multiple dimensions. Once you select an object, only dimensions with corresponding data are displayed in the charts and dimensions
To edit your SWG settings go to
Configuration
ACCESS
Access Groups
and select the Access group name. For more information about Access group configuration, refer to the
BIG-IQ Centralized Management: Access
on
support.f5.com
for configuration information.

About the application dashboard

The Application Summary dashboard is your starting point to view and download general reports for BIG-IQ Access.

View the Application Summary dashboard

The BIG-IQ Centralized Management Application Summary dashboard displays information regarding the applications linked to the system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Application Summary
    .
The Application Summary screen opens, showing detailed information and charts for specific applications.

About user visibility

You can monitor your user base by viewing the BIG-IQ Centralized Management Access user dashboard for data on specific users. The system displays which users created the most sessions, were denied the most sessions, and had the longest total session duration. The administrator can enter a specific user name to get the following details for the user:
  • The user login locations on a world map
  • The total sessions, denied sessions, and session duration
  • The Access denied sessions.
  • The top authentication failures, including AD Auth and LDAP only
  • The device type users used to log into the system
  • The reason the system terminated the session
  • The login history showing the success and failures over time
  • The most accessed applications
  • The most accessed URLs
  • The login failure attempts over time, sorted by the reason
  • The client session duration over time
  • The Access denied reason over time

About application visibility

You can monitor your applications by viewing the BIG-IQ Centralized Management Access user dashboard for data on which applications are linked to the BIG-IQ Access component. The system displays the top applications used and the application usage time. Administrators can expand the GUI for a specific application and view the following information:
  • The application access history
  • The users who use the application the most
  • The access history
  • The world map, showing where the user is access the application

About denied sessions

You can monitor the sessions that BIG-IQ® Centralized Management denies. By using the Access Monitoring option, you can view the following information:
  • The history of denied sessions
  • The reasons why sessions were denied
  • The top denied users, sorted by session count
  • The top authentication failures
  • The top denied policies
  • The top denied sessions by country of origin
  • The top denied session by the virtual server
  • The denied sessions, sorted by the client platform

Viewing denied sessions

You can use the BIG-IQ Centralized Management Access reporting features to see which sessions were denied by the system, as well to create a report.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click
    Monitoring
    DASHBOARDS
    Access
    Sessions
    Denied
    .
  3. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    Managed Devices
    or select one or more of these options:
    • <
      Access group name
      >
      - Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      - Select to include the devices in the cluster.
    • <
      Device name
      >
      - Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  4. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  5. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.
From here, you can view details regarding denied sessions and create a report.

Managing a specific user in Access reporting

You can use the BIG-IQ Centralized Management Access reporting tools to view the user dashboard for data on a specific user.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click
    Monitoring
    DASHBOARDS
    Access
    User Summary
    .
    The User Summary screen displays, showing detailed information for specific users.

Running Access reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Access reports for any device with the APM service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click
    Monitoring
    .
  2. On the left, select
    DASHBOARDS
    Access
    .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or, select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , and
    <
    Device name
    >
    ).
    • All Devices
      Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      - Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      - Select to include the devices in the cluster.
    • <
      Device name
      >
      - Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  5. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Getting the details that underlie an Access report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
From the Summary report, and from most session reports, the initial display includes graphs that summarize the report data. You can get successively more detailed information by clicking a bar or a point on a graph or clicking a link if one is displayed on the screen.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    .
    The Summary report is an example of the type of report that presents high-level data, and provides access to underlying data.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. Click anywhere in a summary to get more information.
    Top left portion of the Summary report display
    To get details from a summary, click the brightly colored number or the brightly colored bar.
    Additional graphs display, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display more details.
  6. Scroll down to the table to view the supporting data.
  7. If the table includes a
    Session ID
    field, click the link in that field to open the session details.
    Session details popup screen (with addresses and host names blurred)
    Session details report displays local time, hostname, log level, message, and a Session Variables tab.
  8. To change which records display on this screen, select a log level from the
    LOG LEVEL
    list at the top of the screen.

About the maximum number records for Access and SWG reports

When you run an Access report or an SWG report, Access can get up to 10,000 records to display to you. After you scroll to the end of those 10,000 records, Access displays a message. At that point, all you can do is select fewer devices or select a shorter timeframe.

Setting the timeframe for your Access or SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Use the
TIMEFRAME
list at the top of any Access or SWG report to change the report time period.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. To set a predefined timeframe, select one of these from the
    TIMEFRAME
    list:
    Last hour
    ,
    Last day
    ,
    Last week
    ,
    Last 30 days
    ,
    Last 3 months
    .
  4. To set a custom timeframe, select one of these from the
    TIMEFRAME
    list:
    • Between
      : Click each of the additional fields that display to select dates and times. The report displays the records between those dates and times.
    • Before
      : Click the additional fields that display to select a date and a time. The report displays the records before that date and time.
    • After
      : Click the additional fields that display to select a date and a time. The report displays the records after that date and time.

Errors with session reports in Access: causes and resolutions

Problem
A session is over, but it continues to display in the Active sessions report.
Resolution
If a session starts when logging nodes are up and working, but terminates during a period when logging modes are unavailable, the session remains in the Active sessions report for 15 minutes. After 15 minutes, the session status is updated and the session is dropped from the report.
Problem
Active sessions are included in the Summary and Active sessions reports for a device that is no longer managed.
Resolution
Sessions were active on a device when it was removed from an Access group and became unmanaged. Sessions that were active when the device became unmanaged remain counted in All Active Sessions on the Summary screen and stay in the Active sessions report until the next session status update, which occurs every 15 minutes.
Problem
A session is over, but
Session Termination
and
Session Duration
are blank in a session report.
Resolution
If a session starts when logging nodes are up and working but terminates during a period when logging nodes are unavailable, the session termination is not recorded and the session duration cannot be calculated.

What can cause logging nodes to become unavailable?

Logging nodes are highly available, but it is still possible for them to become unavailable. This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and the power to the lab shuts down.

Managing Sessions

Running Session reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Session reports for any device with the APM service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click
    Monitoring
    .
  2. On the left, select
    DASHBOARDS
    Access
    Sessions
    .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , and
    <
    Device name
    >
    ).
    • All Devices
      Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      - Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      - Select to include the devices in the cluster.
    • <
      Device name
      >
      - Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  5. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Stopping sessions on BIG-IP devices from Access

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can stop currently active sessions on BIG-IP devices, using the Active sessions report on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. On the left, from
    Sessions
    , select
    Active
    .
    The screen displays a list of active sessions for all devices.
  5. To display sessions for particular devices, groups, or clusters only, select them from the
    ACCESS GROUP/DEVICE
    list at upper left.
    The screen displays the active sessions for the selected devices.
  6. To stop specific sessions only, select the sessions that you want to end and click
    Kill Selected Sessions
    .
  7. To stop all sessions, click
    Kill All Sessions
    .

Running Secure Web Gateway reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SWG provisioned on it can provide data for Secure Web Gateway reports.
You can create SWG reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Secure Web Gateway
    .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. From the left, select any report that you want to run.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    Managed Devices
    or select one or more of these options:
    • <
      Access group name
      >
      - Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      - Select to include the devices in the cluster.
    • <
      Device name
      >
      - Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Getting the details that underlie an SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SWG provisioned on it can provide data for SWG reports.
From the Summary report, the initial display includes graphs that summarize the report data. You can get more detailed information by clicking a bar or a point on a graph to see additional graphs and tables with supporting entries.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Secure Web Gateway
    .
    The Summary starts to generate and display. A timeline and some summaries display across the top of the screen. Graphs display under the summaries. Each graph provide different views of the data.
  4. Click any bar in a graph on the display to get more information.
    Additional graphs provide different views of the data, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display them.
  6. Scroll down to the table to view the supporting data.

About VDI reports

You can monitor your virtual desktop infrastructure (VDI) by viewing the BIG-IQ Centralized Management Access user dashboard for VDI applications, and creating a VDI report. The system displays the top VDI applications used and the application usage time. Administrators can expand the UI for a specific application, and view the following information:
  • The top 10 VDI applications
  • The top users for the VDI applications
  • The application usage history

Managing Federation reports

Running OAuth reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with OAuth provisioned on it can provide data for OAuth reports.
You can create OAuth reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    OAuth
    .
  4. Select
    Authorization Server
    ,
    Client
    , or
    Resource
    .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  5. From the left, select any report that you want to run.
  6. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    Managed Devices
    or select one or more of these options:
    • <
      Access group name
      >
      - Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      - Select to include the devices in the cluster.
    • <
      Device name
      >
      - Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  7. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Monitoring the OAuth server performance

The Authentication Server Summary screen shows several charts that you can use to track the health of your authorization server role. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    OAuth
    Authorization Server
    Server Performance
    .
    The Authorization Server Peformance screen opens.
  4. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  5. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  6. From the
    AUTHORIZATION SERVER
    list, select an OAuth authorization server.
  7. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Monitoring the OAuth token summary

The Token Summary screen shows several charts that you can use to track the health of your OAuth tokens. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    OAuth
    Authorization Server
    Tokens
    .
    The Authorization Server Peformance screen opens.
  4. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  5. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  6. From the
    AUTHORIZATION SERVER
    list, select an OAuth authorization server.
  7. From the
    GRANT TYPE
    list, select an OAuth2 grant type.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Running SAML reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SAML provisioned on it can provide data for SAML reports.
You can create SAML reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    SAML
    .
  4. Select
    SP Summary
    or
    IdP Summary
    .
    A Summary report (for all devices and a default timeframe) opens, displaying chart data for assertions over time, the top SPs or IdPs with successful assertions, the top client IP addresses, the top subject values with successful assertions, and the top SP or IdPs with failed assertions.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. From the
    SP
    list, select a service provider.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.
  9. To view the successful SP assertions, click
    Assertions Success
    .
    The Successful Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with successful assertions.
  10. To view the failed SP assertions, click
    Assertions Failed
    .
    The Failed Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with failed assertions.

Running SP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SAML provisioned on it can provide data for SAML reports.
The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    SAML
    .
  4. Select
    SP Summary
    SP Assertions Report
    .
    The SP Assertions screen opens, displaying a table with assertion information.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. From the
    SP
    list, select a service provider.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Running SP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SAML provisioned on it can provide data for SAML reports.
The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    SAML
    .
  4. Select
    SP Summary
    SP Error Report
    .
    The SP Errors screen opens, displaying a table with error reports.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. From the
    SP
    list, select a service provider.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Running IdP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SAML provisioned on it can provide data for SAML reports.
The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdPs assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    SAML
    .
  4. Select
    IdP Summary
    IdP Assertions Report
    .
    The IdP Assertions screen opens, displaying a table with assertion information.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. From the
    IdP
    list, select an identity provider.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Running IdP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Only a device with SAML provisioned on it can provide data for SAML reports.
The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click
    Monitoring
    .
  3. On the left, select
    DASHBOARDS
    Access
    Federation
    SAML
    .
  4. Select
    IdP Summary
    IdP Error Report
    .
    The IdPs Errors screen opens, displaying a table with error reports.
  5. From the
    ACCESS GROUP/DEVICE
    list at upper left, select
    All Managed Devices
    or or one of the session-specific options.
  6. From the
    TIMEFRAME
    list, specify a time frame:
    • Select a predefined time period - These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period - Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  7. From the
    IdP
    list, select an identity provider.
  8. To save report data in a comma-separated values file, click the
    CSV Report
    button.
    A CSV file downloads.

Configure remote high-speed BIG-IQ and SWG event logging

You can configure the BIG-IQ system to log information about BIG-IQ and Secure Web Gateway events and send the log messages to remote high-speed log servers.
When configuring remote high-speed logging of events, it is helpful to understand the objects you need to create and why, as described here:
Object
Reason
Pool of remote log servers
Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination (unformatted)
Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Destination (formatted)
If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher
Create a log publisher to send logs to a set of specified log destinations.
Log Setting
Add event logging for the APM system and configure log levels for it or add logging for URL filter events, or both. Settings include the specification of up to two log publishers: one for access system logging and one for URL request logging.
Access profile
Add log settings to the access profile. The log settings for the access profile control logging for the traffic that comes through the virtual server to which the access profile is assigned.

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. Using the
    New Members
    setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a service number in the
      Service Port
      field, or select a service name from the list.
      Typical remote logging servers require port
      514
      .
    3. Click
      Add
      .
  5. Click
    Finished
    .

Create a new log destination

Before you can create a new log destination, you must have configured a remote log server to send the logs to.
Use this screen to create a new log destination for a managed device.
Create a log destination to specify that log messages are sent to a remote log server.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Destinations
    .
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. To create a new log destination, click
    Create
    .
    The New Log destination screen opens so you can define the settings you want for this destination.
  3. In the
    Name
    field, type in a name for the log destination you are creating.
  4. For
    Type
    , select the kind of destination you are creating.
    Depending on the selection you make, additional controls are displayed.
  5. Specify the additional settings needed to suit the requirements for this log destination. The fields required to create a new log destination depend on the type you choose. BIG-IQ denotes required fields using an amber box. You can also determine whether you have completed all of the required fields by noting whether the
    Save & Close
    button is enabled.
    Except for the Devices and Device Specific settings, the parameters on this screen perform the same function as they do when you configure a log destination on a BIG-IP device. For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on
    support.f5.com
    . From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log destination parameters for BIG-IP version 13.0 is provided in the External Monitoring of BIG-IP Systems: Implementations, Version 13.0 guide.
  6. When you create a Log Destination and select a type of
    IPFIX
    or
    Remote High-Speed Log
    , you need to specify which devices to associate this destination with. When you create a Log Destination and select a type of
    Management Port
    you can specify device specific settings or, if no device specific settings are defined, the base configuration settings are used for any device associated with this log destination.
    For additional detail on device-specific log destination types, refer to
    What is a device specific log destination?
    in the
    F5 BIG-IQ Centralized Management: Local Traffic & Network Implementations
    guide on
    support.f5.com
    .
    • If you have a lot of devices that you need to associate with this log destination and want to automate the process:
      1. Use the steps below to specify one device and then click
        Save
        .
      2. Associate this log destination with the log publishers that are pinned to your managed devices.
      3. Come back and edit this log destination. A
        Find Relevant Devices
        button displays. You can use this button to let BIG-IQ assemble a list of devices. BIG-IQ finds the BIG-IP devices that this destination can be deployed to. You can use the list to create a device-specific instance of this destination for each BIG-IP.
      4. Click
        Save
        to add the listed devices to the Device Specific list.
    • To specify the devices for this log destination manually:
      1. Select the device you want this destination to use
      2. If you are creating an
        IPFIX
        or
        Remote High-Speed Log
        destination log, select the pool that you want each device to use.
      3. Use the button to add additional devices to the list.
      4. Use the button to remove a device from the list.
      5. Click
        Save
        to add the listed devices to the Device Specific list.
    Devices you select for this log destination are added to the Device Specific list.
    Click on a device name in the Device Specific list to edit settings for that device. Bear in mind though that changes you make to one device do not change the settings for other devices, or for the base configuration for the log destination.
  7. Click
    Save & Close
    .
    The system creates the new log destination with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this log destination, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Create a new log publisher

Before you can create a new log publisher, configure a log destination with a pool of remote log servers so you can assign it to your publisher as you create it.
Log publishers specify log destinations that BIG-IP devices can send their log messages to.
  1. At the top of the screen, click
    Configuration
    , then, on the left, click
    LOCAL TRAFFIC
    Logs
    Log Publishers
    .
    The Log Publishers screen displays a list of the log publishers that are defined on this device.
  2. To create a new log publisher, click
    Create
    .
    The New Log Publisher screen opens so you can define the settings you want for this publisher.
  3. In the
    Name
    field, type in a name for the log publisher you are creating.
  4. Select the Log Destinations for this publisher.
    1. Select a destination type from the Available list.
      The list of destinations displays only the type you selected.
    2. Select one or more destinations from the Available list.
    3. Move the selected destinations to the Selected list.
      If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Specify the additional settings needed to suit the requirements for this log publisher.
    The parameters on this screen are optional and perform the same function as they do when you configure a log publisher on a BIG-IP device.
    For details about the purpose or function of a particular setting, refer to the BIG-IP reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP LTM module and the software version you have installed; then select the appropriate guide. For example, information about the log publisher parameters for BIG-IP version 13.0 is provided in the
    External Monitoring of BIG-IP Systems: Implementations
    guide.
  6. Click
    Save & Close
    .
    The system creates the new log publisher with the settings you specified.
Changes that you make are made only to the pending version. The
pending version
serves as a repository for changes you stage before deploying them to the managed device. Object settings for the pending version are not the same as the object settings on the actual BIG-IP device until they are deployed or discarded.
When you finish specifying the settings for this log publisher, the next step is to evaluate and then deploy the changes to the target device. Until you deploy the changes stored in the pending version, objects on the managed device are not changed.

Configure log settings for access system and URL request events

Create log settings to enable event logging for access system events or URL filtering events or both. Log settings specify how to process event logs for the traffic that passes through a virtual server with a particular access profile.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select
    Traffic & Network
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Click
    EVENT LOGS SETTINGS
    Create
    .
  5. Type a name for the name for the log setting.
  6. In the
    SSO Configuration Description
    field, type a descriptive text for the configuration.
  7. For
    Access System Logs
    , click the check box to specify a publisher for Access system logs and log levels.
  8. For
    Access Logs Publisher
    , select a log publisher.
  9. For the system log types, beginning with
    Access Policy
    and ending with
    ADFS Proxy
    , from the dropdown lists, select a log level. The default is
    Notice
    .
  10. For
    URL Request Logs
    , click the check box to select a publisher for the logs and specifies the URL requests to log based on whether the request was blocked or allowed.
  11. For
    URL Request Logs Publisher
    , select a log publisher.
  12. For
    Log Allowed Events
    , click the check box to log request data when a user tries to access a URL that the URL filter allows.
  13. For
    Log Blocked Events
    , click the check box to log request data when a user tries to access a URL that the URL filter blocks.
  14. For
    Log Confirmed Events
    , click the check box to log request data when a user confirms a request for access to a URL for which the URL filter requires confirmation.
  15. Click
    Save & Close
    .