Manual Chapter : Managing Audit Logs

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.2.0, 8.1.0
Manual Chapter

Managing Audit Logs

About audit logs

You use audit logs to review changes in the BIG-IQ system. All BIG-IQ system roles have read-only access to the audit log, and can view and filter entries. Any user with the appropriate privileges can initiate an action.
All API traffic on the BIG-IQ system, and every REST service command for all licensed modules, is logged in a separate, central audit log (
restjavad-audit.n.log
) which is located in
/var/log
on the BIG-IQ system.

Considerations when using the audit log

When using the audit log, consider the following:
  • The audit log does not record an entry for every generation of a task. It only records an entry when the task status changes.
  • When an object is deleted and then recreated with the same name, partition, and other information, the difference between those objects may show the deleted object as being the previous generation of the new object.
  • By default, not all columns are displayed by the audit log to conserve space. To review what columns are displayed, click the gear icon in the upper right of the Audit Logging screen.

Actions and objects that generate audit log entries in Access

BIG-IQ® Centralized Management records in the audit log all user-initiated changes that occur on the management system. A change is defined as when certain objects are modified, when certain tasks change state, or when certain user actions are performed. For example, when the admin account is used to log in to the BIG-IQ system, the audit log records the time, the user (admin), the action (New) and the object type (Login). The log does not include changes that occurred on BIG-IP devices that were imported.
Changes to working-configuration objects generate audit log entries. In addition, these actions generate log entries:
  • Creating or deleting a user account.
  • Users logging in and logging out, including when the user is logged out due to inactivity.
  • Creating or canceling a device discovery or a device reimport.
  • Adding a new device to an access group.
  • Creating or deleting an access group.
  • Removing all services.
  • Reimporting a device.
  • Saving a configurable property in an existing device object.
  • Stopping a session.
  • Deleting a previously discovered device.
  • Creating or deleting a deployment task.
  • Creating a difference task.
  • Creating, restoring, or deleting a snapshot.
  • Editing some system information (such as editing a host name, a root password, a DNS entry, or an SNMP entry).

Audit log entry properties

The audit log displays the following properties for each log entry.
Property
Description
Source
IP address of the client machine that made the change.
This property is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Source IP address.
Service
Indicates whether the change was made by the internal object synchronization service. This service synchronizes shared objects, such as virtual servers, from the Local Traffic & Network service to the Network Security or Web Application Security services.
  • If a check mark is displayed, the change was made by the internal object synchronization service, and no IP address is shown in the Source column. The check mark is only displayed in the Network Firewall Audit Log or the Web Application Security Audit Log screens.
  • If a check mark is not displayed, the change was not made by the internal object synchronization service.
Time
Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: mmm dd, yyyy hh:mm:ss (time zone); for example:
Apr 19, 2016 13:09:03(EDT)
.
Node
Fully qualified domain name for the BIG-IQ system that recorded the event. This appears as the
Hostname
at the top of the BIG-IQ user interface.
User
Name of the account that initiated the action, such as an account named
Admin
for an administrative account.
Action
Type of modification. For operation changes, the action types include New, Delete, and Modify. For task changes, the action types include Start, Finish, Failed, and Canceled.
Object Name
Object identified by a user-friendly name; for example:
newRule1
,
deploy-test
, or
Common/global
. When the name
RootNode
is listed, that indicates that the object is associated with a BIG-IP device.
RootNode
is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
Changes
Indicates whether there was a change in the object. If
View
occurs in this column, there is a change to the object. To view the detailed differences of the change, click
View
.
Object Type
Classification for this action. When the type
Root Node
is listed, that indicates that the object is associated with a BIG-IP device.
Root Node
is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
Parent
The administrative partition and name of the parent object. This property is displayed for firewall rules, logging profiles, and DoS profiles. For firewall rules, the parent shows the rule list, firewall, or policy that contains the rule. A change in a firewall rule often also affects the rule's parent object.
Parent Type
Class or group of the parent object.
Version
Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.

View audit entry differences

In the audit log, when potential changes to an object are logged, the
View
link is shown in the Changes column for that entry. You can click
View
to examine the differences between generations of that object.
  1. On the left, expand
    LOGS
    , expand
    Audit Logs
    , and then click the component that you want to view audit entries for.
  2. To display differences for an object, click
    View
    in the Changes column.
    A popup screen opens, showing two columns that compare the differences between the two generations of the object in JSON. In these columns, additions to an object generation are highlighted in green, and differences are highlighted in gold.
    If the system cannot retrieve a generation of an object, the column displays either
    Generation Not Available
    or
    Generation does not exist
    . Object information may not be available if it has been automatically purged from the system to conserve disk space, or if it has been deleted.
    The JSON difference displayed for a delete entry in the audit log shows the JSON difference from the previous operation because the generation identifier is not incremented when an object is deleted.
  3. When you are finished, click
    Close
    on the popup screen to return to the Audit Logging screen.

Filter entries in the audit log

You can use the Filter field at the top right of the Audit Logging screen to rapidly narrow the scope displayed, and to more easily locate an entry in the audit log.
  • Filtering is text-based.
  • Filtering is not case-sensitive.
  • You can use wild cards, or partial text.
  • All BIG-IQ Centralized Management roles can filter entries.
  • To clear the filter, click the
    X
    to the right of the search string in the
    Filtered by
    field on the left.
  1. At the top of the screen, click
    Applications
    .
  2. On the left, expand
    LOGS
    , expand
    Audit Logs
    , and then click the component that you want to view audit entries for.
  3. Use the Filter field in the upper right corner to narrow your search:
    1. Select the field that you want to specify filter options for.
    2. Type the information specific to the object you want to filter on.
    3. Select
      Exact
      if you want to view only logs that completely match the filtering content you typed. Or, if you want to view any logs that include the filtering content, select
      Contains
      .
    4. Press
      Enter
      .
    Option
    Description
    All
    Specifies that all objects should be filtered using the filter text. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it.
    Client Address
    For
    Filter
    , type the IP address of the device that generates the logs. Log entries from devices with a different IP address will not be displayed.
    Time
    Type both a date and a time. Displayed times are given in the local time of the BIG-IQ system. Supported time formats are highly Web browser-dependent. Time formats other than those listed might appear to filter successfully but are not supported. Entering a single date and time results in a filter displaying all entries from the specified date and time to the current date and time.
    For time formats that use letters and numbers, enter the date time in one of the following formats:
    • mmm dd yyyy hh:mm:ss. Example:
      Jan 7 2014 8:30:00
    • mmm dd, yyyy hh:mm:ss (time zone). Example:
      Apr 28, 2016 13:09:03(EDT)
    • mmm dd, yyyy. Example:
      Apr 28, 2016
    • mmm dd, yyyy hh:mm:ss. Example:
      Apr 28, 2016 16:09:06
    • ddd mmm dd yyyy hh:mm:ss. Example:
      Thu Jan 16 2014 11:13:50
    For time formats that use only numbers, enter the date time in one of the following formats:
    • mm/dd/yy hh:mm:ss. Example:
      01/01/16 12:14:15
    • m/d/yy hh:mm:ss. Example:
      1/1/14 12:14:15
    • mm/dd/yyyy hh:mm:ss. Example:
      1/1/2014 12:14:15
    Node
    Type the node name in the filter.
    User
    Type the user account name in the filter.
    Action: Operation
    Type the operation action name in the filter. Operation actions include: New, Delete, and Modify.
    Search results for a search on values in the Action column may match additional hidden values since the underlying metadata is being searched.
    Action: Task Status
    Type the task status action name in the filter. Task status actions include: Start, Finish, Cancelled, and Failed.
    Search results for a search on values in the Action column may match additional hidden values since the underlying metadata is being searched.
    Object Name
    Type the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as
    AddressList_4
    . Because the device-specific object name includes the BIG-IP host name, you can enter a full or partial device name to get all objects for a specific BIG-IP device.
    Object Type
    Type the object type in the filter.
    Parent
    Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule.
    Parent Type
    Type the Parent Type name in the filter. Only appears when the Parent field contains a value.
    Contains
    Specifies that the filter text is contained within the object specified. When you select
    Contains
    :
    • If the filter text is a string, the filter text matches an entire string or only a part of a string.
    • If the filter text is an IP address, the filter text matches an IPV4 or IPV6 address that is the same as the filter text, or matches an IPV4 address range or subnet that includes the filter text. IPV6 addresses can not be found within a range or subnet.
    • If the filter text is a port number, the filter text matches a port number that is the same as the filter text, or matches a port number range that includes the filter text.
    Exact
    Specifies that the filter text is exactly contained within the object specified. When
    Exact
    is selected:
    • If the filter text is a string, the filter text matches only the entire string.
    • If the filter text is an IP address, the filter text matches only an IPV4 or IPV6 address that is the same as the filter text.
    • If the filter text is a port number, the filter text matches only a port number that is the same as the filter text.
The result of a search filter operation is a set of entries that match the filter criteria, sorted by time.

Customizing the audit log display

You can customize the audit log display to assist you in locating information faster.
  • To customize the order of columns displayed, click any column header and drag the column to the location you want.
  • To sort by column, click the name of the column you want to sort. Not all columns can be sorted. When sorting items in the Object Name column, partition names are ignored. For example, the object name
    Common/rule1
    would be sorted without the common partition name, as if it were named
    rule1
    .
  • To resize columns, click the column side and drag it to the preferred location.
  • To select what columns are displayed, click the gear icon in the upper right of the Audit Logging screen. In the popup screen, select columns you want to display and clear columns you do not want to display. Move your cursor away from the screen to dismiss it.

Managing audit log archive settings

You can view or change the audit archive settings. The archived audit log files are stored in the
/var/config/rest/auditArchive/
directory on the BIG-IQ system. You can view Access audit logs based on the following Access roles:
  • Deployer.
  • Editor.
  • Viewer
  • Manager.
You can view and configure Access archive settings with only the Access Manager role. The roles Auditor, Deployer, and Viewer cannot view or edit archive settings.
  1. At the top of the screen, click
    Applications
    .
  2. Select
    Audit Logging
    from the BIG-IQ menu.
  3. Click the
    Archive Settings
    button in the upper left of the Audit Logging screen to display the audit log settings.
  4. Complete or review the properties and status settings, and click
    Save
    .
    Property
    Description
    Retain Entries
    Specifies the number of days after the audit log entries are archived.
    Weekly Update
    Specifies which days of the week to update the audit log. Select the check box to the left of each day that you want the audit log to be updated. The default is every day.
    Start Time
    Specifies when the audit archiving should begin. The default is 12:00 am.
    Items Expired
    Displays the read-only number of entries that have expired.
    Last Error
    If an error has occurred, displays the read-only error text for any errors found.
    Last Error Time
    If an error has occurred, displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss, for example,
    Fri Jan 17 2014 23:50:00
    .

About archived audit logs

You can view or change how audit logs are archived by clicking the
Archive Settings
button on the Audit Logging screen.
Archived audit log files are stored in the
archive-audit.n.txt
file in the appropriate subdirectory of the
/var/config/rest/auditArchive
directory on the BIG-IQ Centralized Management system:
  • Network Security audit log:
    /var/config/rest/auditArchive/networkSecurity/
  • Web Application Security audit log:
    /var/config/rest/auditArchive/webAppSecurity/
  • Fraud Protection Service audit log:
    /var/config/rest/auditArchive/websafe/
  • Local Traffic and Network audit log:
    /var/config/rest/auditArchive/adc/
  • Device Management audit log:
    /var/config/rest/auditArchive/device/
  • Access audit log:
    /var/config/rest/auditArchive/access/
Audit entries are appended to the
archive-audit.0.txt
file. When the
archive-audit.0.txt
file reaches approximately 800 MB, the contents are copied to
archive-audit.1.txt
, compressed into the
archive-audit.1.txt.gz
file, and a new empty
archive-audit.0.txt
file is created, which then has new audit entries appended to it.
Up to five compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named
archive-audit.n.txt.gz
, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always
archive-audit.1.txt.gz
and the oldest is always the highest numbered archive, typically,
archive-audit.5.txt.gz
.
The file content rotation occurs whenever
archive-audit.0.txt
is full. At that time, the content of each
rchive-audit.n.txt.gz
file is copied into the file with the next higher number, and the content of
archive-audit.0.txt
is copied into
archive-audit.1.txt
and then compressed to create
archive-audit.1.txt.gz
. If all five
archive-audit.n.txt.gz
files exist, during the rotation the contents of
archive-audit.5.txt.gz
are overwritten, and are no longer available.

About audit logs in high-availability configurations

In high-availability (HA) configurations, there is an active and standby BIG-IQ. During failover, the audit log entries and the audit archive settings are copied from the active to the standby BIG-IQ before the standby becomes the new active BIG-IQ.
However, archived audit logs are not copied from the active to the standby BIG-IQ.

About the REST API audit log

The REST API audit log records all API traffic on the BIG-IQ system. It logs every REST service command for all licensed modules in a central audit log (
restjavad-audit.n.log
) located on the system.
The current iteration of the log is named
restjavad-audit.0.log
. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in
/etc/restjavad.log.conf
.
Any user who can access the BIG-IQ system console (shell) has access to this file.

Managing the REST API audit log

The REST API audit log contains an entry for every REST API command processed by the BIG-IQ system, and is an essential source of information about the modules licensed under the BIG-IQ system. It can provide assistance in compliance, troubleshooting, and record-keeping. With it, you can review log contents periodically, and save contents locally for off-device processing and archiving.
  1. Using SSH, log in to the BIG-IQ Access system with administrator credentials.
  2. Navigate to the
    restjavad
    log location:
    /var/log
    .
  3. Examine files with the naming convention:
    restjavad-audit.n.log
    .
    The letter
    n
    represents the log number.
  4. Once you have located it, you can view or save the log locally through a method of your choice.