Applies To: BIG-IQ Centralized Management 8.2.0, 8.1.0
Monitoring Web Application Security Event Logs
Monitoring application security event logs
Tagging and filtering logs
- Filters allow you to select the events to view by constructing a query that the events must match.
- You can assign tags to events to label them, so that you can use that label in queries.
Event logs based on user privileges
Monitor event logs and define tags
- Go to . To view the logging profile of a specific protected object, go to and select the logging profile link associated with the object in the dashboard's list.
- To see details of an event log entry, click in the event entry row. A screen on the right opens and shows details of the event. This view provides information such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
- In the details screen, you can specify the kind of information to see.
- You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
- You can view either HTTP header request or response information. Click Request for request information or Response for response information. Both kinds of information contain violation links in blue that you can click for more information.
- Select links in the details area to complete the following actions. It is recommended to view in Full details format.

| Field | Link Description |
| --- | --- |
| Source IP Address | Add a source IP address directly to the Web Application Security policy's allowlist settings. |
| Geolocation | Disallow traffic from an event's geolocation. |
| Security Policy | Edit the policy's settings. |
| Destination IP Address | View the virtual server's properties, when available. |

- To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list. A dialog box opens.
Tags are useful for sorting event types that the system does not categorize, by default. You can use tags to quickly sort and filter the event list.
- To create a tag, type the tag name in the provided field and click +.
- To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
- To export selected events as a CSV or PDF file, select the events using the check box to the left, and click Export.
- To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
View and delete event log tags
- Click . The Tags screen shows the defined tags.
- To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens. The tag is removed from the Tags screen.
Create a new log filter
- From the log screen, click the filter icon at the top right of the screen.
- Click Create. The New Filter configuration popup screen opens.
- Type a unique Filter Name.
- In the Query Parameters area, add the query information. Adding information to these fields automatically populates the Query Expression box. Refer to the Query expression syntax for log filters to view all query options.
- Once you have the custom filter the way you want it, click Save & Apply.
Query expression syntax for log filters
- Express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
- Use the following operators within a filter query:

| Operator | Usage Example |
| --- | --- |
| AND | This:p1 AND bar:(A AND B AND "another value") |
| AND NOT | AND NOT qux:error |
| OR | name:"this is a name" OR bar:(A OR B OR C) |
| OR NOT | OR NOT qux:error |
| * | support_id:*123*. This operator can only be used for text fields. |

- Enclose values that have spaces within quotation marks, such as key:"two words".
- Query any field for more than one value by enclosing the values with parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
- Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, next to the relevant field.
- In a policy name, you must include the full path to the policy, such as /Common/MyPolicy.
- Values with a type of date can accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
- Values of the date range type can accept input in the format of [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, and the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
- Values of the numeric range type can accept input in the format of [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, and the reverse, such as '[1...]' or '[...100]'.
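As an added example that is not part of this documentation or F5's own code, the following Python parses a query written in the syntax above and evaluates it against event records, which is useful for checking what a saved filter will and will not surface before relying on it in a review. The grammar is reconstructed from the examples (left-to-right evaluation, parentheses for grouping, a missing operator defaulting to OR everywhere, and list-valued fields) because the page gives examples rather than a formal specification; the event records are constructed, and date and numeric range values are not handled.

```python
import re
from fnmatch import fnmatchcase
# Tokens: parentheses, double-quoted strings, or bare words (key:value, operators, wildcards).
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse(query):
    """Compile a filter query into a predicate over an event dict (assumed grammar, see expr)."""
    toks = TOKEN.findall(query) + [None]          # None marks the end of the query
    def term(key):
        tok = toks.pop(0)
        if tok is None: raise ValueError("query ended where a term was expected")
        if tok == "(":                            # grouped sub-expression or value list
            inner = expr(key)
            if toks.pop(0) != ")": raise ValueError("missing closing parenthesis")
            return inner
        if key is None:                           # top level: the token must carry a key
            key, sep, tok = tok.partition(":")
            if not sep: raise ValueError(f"expected key:value, got {key!r}")
            if tok == "":                         # key:"quoted" or key:( ... ): value follows
                return term(key)
        value = tok.strip('"')
        def match(event, k=key, v=value):
            found = event.get(k, "")              # assumed: a field holds one value or a list
            hits = found if isinstance(found, list) else [found]
            return any(fnmatchcase(str(h), v) if "*" in v else str(h) == v for h in hits)
        return match
    def expr(key):
        # Terms joined by AND / OR, each optionally followed by NOT, evaluated left to right.
        # A missing operator defaults to OR (the page states this only for key:( ... ) lists).
        left = term(key)
        while toks[0] not in (None, ")"):
            op = toks.pop(0) if toks[0] in ("AND", "OR") else "OR"
            negate = toks[0] == "NOT"
            if negate: toks.pop(0)
            right = term(key)
            combine = (lambda a, b: a and b) if op == "AND" else (lambda a, b: a or b)
            left = lambda e, l=left, r=right, c=combine, n=negate: c(l(e), r(e) != n)
        return left
    pred = expr(None)
    if toks[0] is not None: raise ValueError("unbalanced closing parenthesis")
    return pred

def filter_events(query, events):
    pred = parse(query)                           # parse once, then test every event
    return [e for e in events if pred(e)]
EVENTS = [  # constructed sample events, not real BIG-IQ log data
    {"support_id": "5512345", "profile_name": "MyCurrentProfile", "qux": "ok", "bar": ["A", "B", "another value"]},
    {"support_id": "9900001", "profile_name": "MyCurrentProfile", "qux": "error", "bar": ["C"]},
    {"support_id": "7712399", "profile_name": "Other", "qux": "error", "bar": ["B"]},
]
```

Malformed queries (an unclosed parenthesis, a stray closing parenthesis, a term without a key) raise ValueError instead of silently matching a truncated query.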