Manual Chapter: Logging Access events

Applies To: BIG-IQ Centralized Management 8.0.0

About event logs in BIG-IQ Access

BIG-IQ Centralized Management provides visibility solutions for activity within Access Policy Manager (APM) configurations. BIG-IQ logs various events, enabling you to monitor activity, functionality, and health for all of your access policies and configured resources. You can use BIG-IQ to manage which events are logged, as well as set a standard severity (or log level) for the log messages of each event type within an Access Group.
BIG-IQ allows users to configure log levels for all of the following Access System logs:
  • Access Policy
  • Per-Request Policy
  • Access Control Lists (ACLs)
  • Single-Sign On (SSO)
  • Secure Web Gateway
  • External Client Authentication (ECA)
  • OAuth
  • PingAccess Profile
  • Virtual Desktop Infrastructure (VDI)
  • Endpoint Management System
  • ADFS Proxy
The log levels you can set these reports to are, from least severe to most severe: Debug, Informational, Notice, Warning, Error, Critical, Alert, and Emergency.
You may also enable event logging for URL Requests, Allowed Events, Blocked Events, and Confirmed Events.

Configuring event logs settings

Configure event logs settings for BIG-IQ Access Policy Manager (APM) by following the procedure below.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. The screen displays the event log settings in the working configuration for the Access group.
    • To create a log setting, click the Create button.
    • To delete a log setting, select the check box next to the object and click the Delete button.
  4. Click Create or select an existing resource to begin configuration.
  5. Type a name for the log setting.
  6. Enter a Partition. The default is Common. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the Common partition, all users can access it.
  7. In the SSO Configuration Description field, type a descriptive text for the configuration.
  8. For Access System Logs, click the check box to specify a publisher for Access system logs and log levels.
  9. For Access Logs Publisher, select a log publisher.
  10. For the system log types, beginning with Access Policy and ending with HTTP Connector, select a log level from the drop-down lists. You will receive the fewest messages, and only the most severe ones, if you select Emergency, and you will receive the most messages if you select Debug. These fields are available for configuration for Access Groups running BIG-IP version 13.1 and later. The default is Notice.
  11. For URL Request Logs, click the check box to select a publisher for the logs and specify the URL requests to log based on whether the request was blocked or allowed.
  12. For URL Request Logs Publisher, select a log publisher.
  13. For Log Allowed Events, click the check box to log request data when a user tries to access a URL that the URL filter allows.
  14. For Log Blocked Events, click the check box to log request data when a user tries to access a URL that the URL filter blocks.
  15. For Log Confirmed Events, click the check box to log request data when a user confirms a request for access to a URL for which the URL filter requires confirmation.
  16. Click Save.
  17. Once you have finished configuring General Log Settings, you may configure Profiles Settings.
  18. Move log settings between the Available and Selected lists.
  19. Click Save & Close.
The new log settings configuration will display in the Event Logs Settings list.

Configuring Access event logging over multiple DCDs

BIG-IQ receives Access Policy Manager (APM) events from BIG-IP via its Data Collection Devices (DCDs). To optimize the process while ensuring high availability, it is best to load balance log events to a remote logging pool of DCDs. This prevents data loss if a DCD becomes unavailable, without unnecessary duplication of information.
While Access has an automated process for creating a logging profile and its associated objects, you need to manually add your DCD pool to the Log Publisher's destination list.
To complete this process for Access, you must have previously configured the following:
  • An imported and discovered BIG-IP device that hosts DoS Protection and its logging profile.
  • A remote logging pool of DCDs configured to the service port number 9997.
For more information about configuring a remote pool of DCDs, see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
If you have already created or imported your logging profile, use this process to adjust the existing settings to include the remote logging pool of DCDs.

Configure a DCD pool as a Log Destination

You must create a remote logging pool for the DCDs configured to the service port of your module. For more information see Connect Devices to a Data Collection Device Cluster in the Planning and Implementing a BIG-IQ Deployment guide at support.f5.com.
Create a Remote High-Speed Log and a Splunk-type Log Destination to specify that log messages are sent to your pool of DCDs.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Destinations.
    The Log Destinations screen displays a list of the log destinations that are defined on this device.
  2. Click Create.
  3. Type a unique Name for this destination.
  4. From the Type list, select Remote High-Speed Log.
  5. From the Protocol list, select TCP.
  6. From the Device list, select the BIG-IP device that hosts your service module's policy or profile.
  7. From the Pool list, select your pool of DCDs.
  8. Click Save & Close.
    The Log Destinations screen opens.
  9. Click Create.
  10. Type a unique Name for this destination.
  11. From the Type list, select Splunk.
  12. Under the Forward To field, select Remote High-Speed Log, and select the Remote High-Speed Log destination saved in step 8.
  13. Click Save & Close.
You have now designated your DCD pool as a remote destination for BIG-IP to send its logging data. If your system has multiple modules that require event logging, ensure that you repeat this process for each module's designated DCD pool.
Create a Log Publisher to specify that the BIG-IP system sends log messages to BIG-IQ. When configuring your Log Publisher, ensure you are adding the Splunk-type Log Destination, not the Remote High-Speed Log destination directly.
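For readers who want to check what the procedure above produces on the managed BIG-IP, the following is an added illustration written for this chapter, not configuration from the manual or from F5: the same chain of objects (DCD pool on port 9997, a TCP Remote High-Speed Log destination pointing at that pool, a Splunk-type destination forwarding to it, and a publisher that references the Splunk-type destination) expressed in tmsh. The object names and the 10.0.0.x member addresses are placeholders; the only value taken from the page is the DCD service port 9997. Verify the result against the Log Destinations and Log Publishers screens in BIG-IQ rather than treating this as a substitute for the managed workflow, since objects created by hand outside BIG-IQ will show up as configuration drift on the next evaluation.

```tmsh
# Added example (not from the manual). Names and addresses are placeholders;
# 9997 is the DCD service port given in this chapter.

# Remote logging pool of DCDs. Both members listen on 9997, so when one DCD
# is unavailable the monitor marks it down and events go to the other member
# instead of being dropped.
create ltm pool dcd_logging_pool monitor tcp members add { 10.0.0.11:9997 10.0.0.12:9997 }

# Steps 1-8: Remote High-Speed Log destination, TCP, targeting the DCD pool.
create sys log-config destination remote-high-speed-log hsl_to_dcd pool-name dcd_logging_pool protocol tcp

# Steps 9-13: Splunk-type destination that forwards to the HSL destination.
create sys log-config destination splunk splunk_to_dcd forward-to hsl_to_dcd

# Log publisher referencing the Splunk-type destination (the note after the
# procedure: the publisher points at the Splunk destination, not at the HSL one).
create sys log-config publisher access_to_bigiq_pub destinations add { splunk_to_dcd }

# Confirm the chain: publisher -> splunk_to_dcd -> hsl_to_dcd -> dcd_logging_pool
list sys log-config publisher access_to_bigiq_pub
list sys log-config destination splunk splunk_to_dcd
list sys log-config destination remote-high-speed-log hsl_to_dcd
show ltm pool dcd_logging_pool members
```

The `show ltm pool ... members` line is the quick health check: if a DCD member reports down, Access events are being forwarded only to the remaining members, which is the behaviour the load-balanced pool is meant to provide.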

Configure logging for Access Policy Manager

BIG-IP devices that you configure for remote logging send Access reporting and SWG log report data to the BIG-IQ data collection device for storage and management.
  1. At the top left of the screen, click Monitoring > DASHBOARDS > Access.
  2. Click Remote Logging Configuration.
    The Remote Logging Configuration screen opens to display all of the discovered BIG-IP devices that are provisioned with the Access service.
  3. Select the BIG-IP devices for which you want to enable remote logging, and then click Configure.
    The hostname of the primary data collection device is displayed, and the status changes to let you know whether the enable request was successful.
You have now configured logging of Access events from the BIG-IP devices associated with the virtual servers. Once you have deployed your changes, you can view these events on the Monitoring > DASHBOARDS > Access > Logging Messages (All) screen.
To ensure that data is load balanced among your DCD devices, you must change the remote log destination. For more information see Edit log publisher destinations.
Once you have completed this process, ensure that all your changes to your Local Traffic and Shared Security virtual servers are deployed to the host BIG-IP device. You can deploy your changes by going to Deployment > EVALUATE & DEPLOY > Local Traffic & Network and Deployment > EVALUATE & DEPLOY > Access.

Edit a Log Publisher Log Destination

You must have created the log destination before you can add it to an existing Log Publisher. For more information see Managing Logs at support.f5.com.
Edit the Log Publisher destination settings to change the pools that receive remote logging messages from BIG-IP.
  1. At the top of the screen, click Configuration, then, on the left, click LOCAL TRAFFIC > Logs > Log Publishers.
    The screen displays a list of the Log Publishers that are defined on this device.
  2. Select the name of the log publisher you wish to edit.
    The log publisher properties screen opens.
  3. To add log destinations, select the Log Destination(s) from the Available list and use the arrow to move your selection to the Selected list.
    You can filter the Available list by selecting the type of destination from the drop-down list.
  4. To remove log destinations, select the Log Destination(s) from the Selected list and use the arrow to move your selection to the Available list.
  5. Click Save & Close.
You have changed the remote destinations associated with the Log Publisher. This alters where the BIG-IP device sends its log data.
Deploy changes to your BIG-IP device.