Manual Chapter : Manage Web Application Security Log Profile

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

Manage Web Application Security Log Profile

Monitoring application security events logs

You can view Web Application Security event logs to review applications and virtual server activities. You can use these logs to view event details, which can provide insights into your current application protection. This information can be useful for editing your current protection policy. Application security event logs provide certain quick links in each event, which allow you to make immediate adjustments, if necessary.
Due to the configuration of an AS3 application, some event details may not be available.

Tagging and filtering logs

BIG-IQ Centralized Management enables a single view of all filters and log entries (and details for each entry) from multiple BIG-IP devices.
You use tags and filters to allow you to select which events to view.
  • Filters allow you to select the events to view by constructing a query that the events must match.
  • You can assign tags to events to label them, so that you can use that label in queries.

Monitor event logs and define tags

You can review Web Application Security events on applications and servers from one or more BIG-IP devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security Event Logs s to view the affected virtual server or applications, and mitigate certain actions and protection configuration directly from event details.
  1. Go to
    Monitoring
    EVENTS
    Web Application Security
    Events
    .
    To view a logging profile of a specific protected object, go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    and select the logging profile link associate with the object in the dashboard's list.
  2. To see details of an event log entry, click in the event entry row.
    A screen on the right opens and shows details of the event. This view provides information, such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
  3. In the details screen, you can specify the kind of information to see.
    • You can specify compact or full information. At the top of the screen, click
      Compact
      for summary information, or click
      Full
      for complete information.
    • You can view either HTTP header request or response information. Click
      Request
      for request information or
      Response
      for response information. Both kinds of information contain violation links in blue that you can click for more information.
  4. Select links in the details area to complete the following actions:
    It is recommended to view in
    Full
    details format.
    Field
    Link Description
    Source IP Address
    Add a source IP address directly to the Web Application Security policy's whitelist settings.
    Geolocation
    Disallow traffic from an event's geolocation.
    Security Policy
    Edit the policy's settings.
    Destination IP Address
    View the virtual server's properties, when available
  5. To create and apply tags to events, select the events using the check box to the left, and click
    Tags
    above the event list.
    A dialog box opens.
    • To create a tag, type the tag name in the provided field and click
      +
      .
    • To apply a tag to the selected events, select the check box to the left of the tag and click
      Apply
      .
    Tags are useful for sorting event types that the system does not categorize, by default. You can use tags to quickly sort and filter the event list.
  6. To export selected events as a CSV or PDF file, select the event using the check box to the left, and click
    Export
    .
  7. To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
You can create a search filter to quickly view events that match pre-defined criteria.

Accept Policy Builder suggestions from the request log

To accept request suggestions from the request log, your Policy Builder must have
Learning Mode
enabled (automatic or manual) and
Enforcement Mode
must be
Blocking
.
You can enable Policy Builder violation suggestions directly from your Web Application Security request log. Use the request log to evaluate violations and accept policy suggestions, based on Policy Builder's findings.
Not all violations will result in Policy Builder suggestions. If so, there is not option to accept request suggestions.
  1. Go to
    Monitoring
    EVENTS
    Web Application Security
    Events
    .
    To view a logging profile of a specific protected object, go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    and select the logging profile link associate with the object in the dashboard's list.
  2. Select an event from the request list.
    The request event's details are displayed in the pane to the right of the screen.
  3. Click the
    Accept Request
    button.
    A confirmation pop-up indicates that the action is complete.
Policy builder suggestions, based on the request, are added to the Web Application Security policy.

Edit object logging profiles

Your system must have the following configuration to view event logs:
  • Discover and activate a BIG-IQ Data Collection Device.
  • Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
  • Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. A
    logging profile
    is used to determine which events the system logs, and where, and the format of these events. It then directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.
You can edit logging profiles to change the kind of information the system should log, and where you would like to store the logged data.
  1. Go to
    Monitoring
    EVENTS
    Web Application Security
    Events
    .
    To view a logging profile of a specific protected object, go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    and select the logging profile link associate with the object in the dashboard's list.
  2. Click the Logging Profile column header to sort objects by log profile.
  3. Click the name of a Logging profile you would like to edit
    The logging profile properties screen opens.
  4. Modify the properties as needed.
    Logging profile properties are described in the
    Create logging profiles
    section of
    BIG-IQ: Security
    on
    support.f5.com
    for configuration information.
  5. Save your work.
The settings are incorporated into your log profile. If the profile is assigned to a virtual server, the next deployment sends the new configuration to one or more BIG-IP devices.