Manual Chapter : About Monitoring APM Data in BIG-IQ

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

About Monitoring APM Data in BIG-IQ

About Access and SWG reports

Access reports focus on session and logging data from Access devices (managed devices with APM licensed and provisioned). F5 Secure Web Gateway Services reports focus on user requests (for URLs or applications, for example) from Access devices with Secure Web Gateway Services provisioned. BIG-IQ Centralized Management Access also supports high availability. Thus, users can view both Access and SWG reports on a secondary BIG-IQ system.
Access reports and SWG reports provide the following features.
  • Reports on any combination of discovered devices, Access groups, and clusters
  • Graphs for typical areas of concern and interest, such as cross-geographical comparisons or top 10 issues
  • Tabular data to support the graphs
  • Granular user data
  • Ability in some screens to drill down from summarized data to details
  • Ability to save data to CSV files

Setup requirements for Access and SWG reports

Before you can produce Access reports and SWG reports, you must ensure that these tasks are already complete:
  • A BIG-IQ data collection device is configured in the BIG-IQ system.
  • Add the BIG-IP devices to the BIG-IQ inventory.
  • Discover the BIG-IP devices with the Access service configuration.
  • Run the data collection device configuration setup on the devices from the Access Reporting screen.

What data goes into Access reports for the All Devices option?

The
All Devices
option for Access reports includes data from the devices that are currently managed (discovered) in the BIG-IQ system. This is in addition to data from devices that were managed at some point during the report timeframe, but that are not currently managed. With
All Devices
selected, if data from unmanaged devices exists, it displays in reports.
An unmanaged device might be unmanaged temporarily or permanently. Any time a configuration management change causes APM® to be undiscovered, the device and its data are moved to
All Devices
until APM is re-discovered on the device.
You cannot generate a report for an unmanaged device. However, you can generate a report for the timeframe when the device was managed, and then search the report for the unmanaged device name. In the Summary report, All Active Sessions includes the number of sessions that were active on the device when it became unmanaged. Those sessions stay in the Summary and in the Active sessions reports until the next session status update, which occurs every 15 minutes.

Create flexible reports using the Access summary dashboard

For Access Policy Manager (APM) to have monitoring data for your device, you must add the BIG-IP device to the BIG-IQ Centralized Management system. The system must then discover the device, and a user must run the Access remote logging configuration on the device. You can use the Access Summary dashboard to view aggregated data from APM policies managed by this BIG-IQ environment. Data you can view includes authentication, connectivity, user, session, and license information. To do so, on the Main tab, navigate to
Monitoring
DASHBOARDS
Access
Access Summary
.
Widget Title
Description
ACCESS GROUP/DEVICE
Select
Managed Devices
or select one or more of these options:
  • Select
    All Devices
    to view data from all BIG-IP devices managed by this BIG-IQ.
  • Select
    All Managed Devices
    to view data from all devices provisioned with APM managed by this BIG-IQ.
  • Select the name of an Access group name to include all devices in a specified Access group.
  • Select the name of a cluster to view the reported Access data from a cluster of BIG-IP devices.
  • Select the name of a BIG-IP device to view APM data from the device in this report.
TIMEFRAME
Adjust the time frame to reflect the period for which you would like to view data. You can do this by either: selecting the interval from the
TIMEFRAME
drop down menu, or by dragging the date selector from the horizontal widget below it.
You can also select a timeframe between two specific dates or before or after a selected date by selecting
Between
,
Before
, or
After
and then selecting a date or date range from the calendar widget.
Once you have selected the time frame or date range you are interested in, the data on this dashboard will change to reflect the new time period.
All Active Sessions
From this dashlet, you can view all unique active session using this device or devices. You can drill down on this information and obtain more data about: top 10 client IP addresses, top 10 countries, top 10 users, top 10 Access profiles, top 10 virtual servers, top 10 client profiles, and top 10 Access policies associated with this metric. When multiple devices are selected, you can see the active sessions over time.
Sessions Created
From this widget, you can view all new sessions initiated during the timeframe currently displayed at the top of the page. Select this widget to drill down and obtain more data about: top 10 client IP addresses, top 10 countries, top 10 users, top 10 Access profiles, top 10 virtual servers, top 10 client profiles, and top 10 Access policies associated with this metric.
Unique Users
View the number of unique users during the timeframe specified at the top of the page. Select this widget to drill down and obtain more data about: top 10 client IP addresses, top 10 countries, top 10 users, top 10 Access profiles, top 10 virtual servers, top 10 client profiles, and top 10 Access policies associated with this metric.
Sign-In Denied
From this widget, you can view the number of sessions that have been denied. Select this widget to drill down and obtain more data about: top 10 client IP addresses, top 10 countries, top 10 users, top 10 Access profiles, top 10 virtual servers, top 10 client profiles, and top 10 Access policies associated with this metric.
Active Sessions Over Time
You can track the
Average Established
number of sessions in an interval of time, the
Average Attempted
number of sessions in one interval of time, the
Maximum Established
number of sessions in an interval of time, and the
Maximum Attempted
number of sessions in an interval of time. You can remove any of these components from the graph to focus your report by selecting the name of the component in the ledger at the top right corner of the chart.
The time intervals with the horizontal axis will adjust depending on the length of time you select in the
Timeframe
widget at the top of the page. For example, longer time frames will yield larger intervals for data collection and shorter time frames will yield shorter intervals for data collection.
Average
and
Maximum
refer to the aggregated data in a single unit of time on the horizontal axis. You can check what units of time the graph is using in the top left corner of the chart.
Denied Sessions / Auth Failures Over Time
This widget allows you to track denied sessions and Authentication failures against each other. You can remove either denies sessions or Authentication failures from the data set by selecting either of these components in the legend at the top right corner of the chart.
Top 3 Devices by License Usage
You can view devices by license usage in one of three categories: Access Sessions, Connectivity Sessions, and Secure Web Gateway (SWG) Sessions. Click on any of these categories to view the license usage for each, including the threshold and usage limit of each of the top three devices. By hovering over the bar graph for a device, you can view how many users are licensed for this device (displayed as the
Limit
) and how many are currently using it (displayed as
Usage
.
Session Count Distribution Across Countries
Use this widget to select a geographic location to view from the map to view more information about session logon locations in another dashboard. You can also view more data about sessions originating from unknown location by clicking on
Unknown Locations
at the bottom of the dashlet. To zoom in or out on the map widget, use the
+
and
-
icons.
Top Users by Session Count
You can view the top 10 users with the most sessions for this device or set of devices. To learn more about the activity of each user, select the name to navigate to a summary dashboard displaying usage data for this user only.

About upgrades affecting reports

When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, it deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the loss of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on elastic snapshots, refer to
F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version
x.x.

Errors with session reports in Access: causes and resolutions

Problem
A session is over, but it continues to display in the Active sessions report.
Resolution
If a session starts when logging nodes are up and working, but terminates during a period when logging modes are unavailable, the session remains in the Active sessions report for 15 minutes. After 15 minutes, the session status is updated and the session is dropped from the report.
Problem
Active sessions are included in the Summary and Active sessions reports for a device that is no longer managed.
Resolution
Sessions were active on a device when it was removed from an Access group and became unmanaged. Sessions that were active when the device became unmanaged remain counted in All Active Sessions on the Summary screen and stay in the Active sessions report until the next session status update, which occurs every 15 minutes.
Problem
A session is over, but
Session Termination
and
Session Duration
are blank in a session report.
Resolution
If a session starts when logging nodes are up and working but terminates during a period when logging nodes are unavailable, the session termination is not recorded and the session duration cannot be calculated.

Setting the timeframe for your Access or SWG report

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Use the
TIMEFRAME
list at the top of any Access or SWG report to change the report time period.
  1. At the top of the screen, click
    Monitoring
    .
  2. To set a predefined timeframe, select one of these from the
    TIMEFRAME
    list:
    Last hour
    ,
    Last day
    ,
    Last week
    ,
    Last 30 days
    ,
    Last 3 months
    .
  3. To set a custom timeframe, select one of these from the
    TIMEFRAME
    list:
    • Between
      : Click each of the additional fields that display to select dates and times. The report displays the records between those dates and times.
    • Before
      : Click the additional fields that display to select a date and a time. The report displays the records before that date and time.
    • After
      : Click the additional fields that display to select a date and a time. The report displays the records after that date and time.

About upgrades affecting reports

When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, it deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the loss of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on elastic snapshots, refer to
F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version
x.x.

About the maximum number records for Access and SWG reports

When you run an Access report or an SWG report, Access can get up to 10,000 records to display to you. After you scroll to the end of those 10,000 records, Access displays a message. At that point, all you can do is select fewer devices or select a shorter timeframe.