Manual Chapter :
Managing Application Security Log Profiles
Applies To:
Show VersionsBIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Managing Application Security Log Profiles
Monitoring application security events logs
You can view Web Application Security event logs to review applications and
virtual server activities. You can use these logs to view event details, which can
provide insights into your current application protection. This information can be
useful for editing your current protection policy. Application security event logs
provide certain quick links in each event, which allow you to make immediate
adjustments, if necessary.
Due to the configuration of an AS3
application, some event details may not be available.
Tagging and filtering logs
BIG-IQ Centralized Management enables a single view of all
filters and log entries (and details for each entry) from multiple BIG-IP
devices.
You use tags and filters to allow you to select which events to
view.
- Filters allow you to select the events to view by constructing a query that the events must match.
- You can assign tags to events to label them, so that you can use that label in queries.
Event logs based on user privileges
The system administrator has the ability to provide granular access to view and/or edit specific BIG-IP objects, such as virtual servers, applications,
Monitor event logs and define tags
You
can review Web Application Security events on applications and servers from one or more
BIG-IP devices. By default, the events are filtered to show only illegal requests. You
can use the Web Application Security Event Logs s to view the affected virtual server
or applications, and mitigate certain actions and protection configuration directly from
event details.
- Go to.To view a logging profile of a specific protected object, go toand select the logging profile link associate with the object in the dashboard's list.
- To see details of an event log entry, click in the event entry row.A screen on the right opens and shows details of the event. This view provides information, such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
- In the details screen, you can specify the kind of information to see.
- You can specify compact or full information. At the top of the screen, clickCompactfor summary information, or clickFullfor complete information.
- You can view either HTTP header request or response information. ClickRequestfor request information orResponsefor response information. Both kinds of information contain violation links in blue that you can click for more information.
- Select links in the details area to complete the following actions:It is recommended to view inFulldetails format.FieldLink DescriptionSource IP AddressAdd a source IP address directly to the Web Application Security policy's allowlist settings.GeolocationDisallow traffic from an event's geolocation.Security PolicyEdit the policy's settings.Destination IP AddressView the virtual server's properties, when available
- To create and apply tags to events, select the events using the check box to the left, and clickTagsabove the event list.A dialog box opens.
- To create a tag, type the tag name in the provided field and click+.
- To apply a tag to the selected events, select the check box to the left of the tag and clickApply.
Tags are useful for sorting event types that the system does not categorize, by default. You can use tags to quickly sort and filter the event list. - To export selected events as a CSV or PDF file, select the event using the check box to the left, and clickExport.
- To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
You can create a search filter to quickly view events that match pre-defined
criteria.
Accept Policy Builder suggestions from the request log
To accept request suggestions from the request log,
your Policy Builder must have
Learning Mode
enabled (automatic or
manual) and Enforcement Mode
must
beBlocking
.You can enable Policy Builder violation suggestions
directly from your Web Application Security request log. Use the request log to evaluate
violations and accept policy suggestions, based on Policy Builder's findings.
Not
all violations will result in Policy Builder suggestions. If so, there is not option
to accept request suggestions.
- Go to.To view a logging profile of a specific protected object, go toand select the logging profile link associate with the object in the dashboard's list.
- Select an event from the request list.The request event's details are displayed in the pane to the right of the screen.
- Click theAccept Requestbutton.A confirmation pop-up indicates that the action is complete.
Policy builder suggestions, based on the request, are
added to the Web Application Security policy.
Edit object logging profiles
Your system must have the following configuration to
view event logs:
- Discover and activate a BIG-IQ Data Collection Device.
- Configure a BIG-IP device to collect event logs and send them to the BIG-IQ Centralized Management Data Collection Device. Part of this configuration includes a virtual server configured with a logging profile.
- Configure a logging profile for Web Application Security, assign it to a virtual server, and deploy it to the BIG-IP device that has been configured to collect log events. Alogging profileis used to determine which events the system logs, and where, and the format of these events. It then directs security events to a BIG-IQ Data Collection Device, and the BIG-IQ Centralized Management system retrieves them from that node.
You can edit logging profiles to change the kind of information the system should log, and where you would like to store the logged data.
- Go to.To view a logging profile of a specific protected object, go toand select the logging profile link associate with the object in the dashboard's list.
- Click the Logging Profile column header to sort objects by log profile.
- Click the name of a Logging profile you would like to editThe logging profile properties screen opens.
- Modify the properties as needed.Logging profile properties are described in theCreate logging profilessection ofBIG-IQ: Securityonsupport.f5.comfor configuration information.
- Save your work.
The settings are incorporated into your log profile. If the profile is assigned to a virtual server, the next deployment sends the new configuration to one or more BIG-IP devices.