Manual Chapter : Monitoring Web Application Security Event Logs

Applies To: BIG-IQ Centralized Management 8.2.0, 8.1.0

Monitoring application security event logs

You can view Web Application Security event logs to review applications and virtual server activities. You can use these logs to view event details, which can provide insights into your current application protection. This information can be useful for editing your current protection policy. Application security event logs provide certain quick links in each event, which allow you to make immediate adjustments, if necessary.
Due to the configuration of an AS3 application, some event details may not be available.

Tagging and filtering logs

BIG-IQ Centralized Management enables a single view of all filters and log entries (and details for each entry) from multiple BIG-IP devices.
You use tags and filters to select which events to view.
  • Filters allow you to select the events to view by constructing a query that the events must match.
  • You can assign tags to events to label them, so that you can use that label in queries.

Event logs based on user privileges

The system administrator has the ability to provide granular access to view and/or edit specific BIG-IP objects, such as virtual servers, applications,

Monitor event logs and define tags

You can review Web Application Security events on applications and servers from one or more BIG-IP devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security event logs to view the affected virtual server or applications, and take certain mitigation actions and change protection configuration directly from the event details.
  1. Go to Monitoring > EVENTS > Web Application Security > Events.
    To view the logging profile of a specific protected object, go to Monitoring > DASHBOARDS > L7 Dashboard and select the logging profile link associated with the object in the dashboard's list.
  2. To see details of an event log entry, click in the event entry row.
    A screen on the right opens and shows details of the event. This view provides information, such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
  3. In the details screen, you can specify the kind of information to see.
    • You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
    • You can view either HTTP header request or response information. Click Request for request information or Response for response information. Both kinds of information contain violation links in blue that you can click for more information.
  4. Select links in the details area to complete the following actions. It is recommended to view in Full details format.
    Field                    Link Description
    Source IP Address        Add a source IP address directly to the Web Application Security policy's allowlist settings.
    Geolocation              Disallow traffic from an event's geolocation.
    Security Policy          Edit the policy's settings.
    Destination IP Address   View the virtual server's properties, when available.
  5. To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list.
    A dialog box opens.
    • To create a tag, type the tag name in the provided field and click +.
    • To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
    Tags are useful for sorting event types that the system does not categorize by default. You can use tags to quickly sort and filter the event list.
  6. To export selected events as a CSV or PDF file, select the events using the check box to the left, and click Export.
  7. To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
You can create a search filter to quickly view events that match pre-defined criteria.

View and delete event log tags

You can review the tags defined for use with Web Application Security events and remove the tags.
  1. Click Monitoring > EVENTS > Web Application Security > Filters and Tags > Tags.
    The Tags screen shows the defined tags.
  2. To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens.
    The tag is removed from the Tags screen.

Create a new log filter

You can create new filters to better manage the events in your logs. The filters are based on a fixed set of query parameters, with an option to manually enter all available parameters into a query expression. For more details about the required syntax, see Query expression syntax for log filters.
  1. From the log screen, click the filter icon at the top right of the screen.
  2. Click Create.
    The New Filter configuration popup screen opens.
  3. Type a unique Filter Name.
  4. In the Query Parameters area, add the query information.
    Adding information to these fields automatically populates the Query Expression box. Refer to Query expression syntax for log filters to view all query options.
  5. Once you have the custom filter the way you want it, click Save & Apply.
The new filter is added to the filter list. You can select this filter later to query the list according to the set parameters.

Query expression syntax for log filters

On the New Filter configuration popup screen, the Query Expression area for creating a new log filter requires specific syntax. To enter query parameters manually, use the syntax listed here.
General Syntax
  • Express elements of the filter query as key-value pairs separated by a colon, such as profile_name:"MyCurrentProfile".
  • Use the following operators within a filter query.
    Operator   Usage Example
    AND        This:p1 AND bar:(A AND B AND "another value")
    AND NOT    AND NOT qux:error
    OR         name:"this is a name" OR bar:(A OR B OR C)
    OR NOT     OR NOT qux:error
    *          support_id:*123* (this operator can only be used for text fields)
  • Enclose values that have spaces within quotation marks, such as key:"two words".
  • Query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
  • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, next to the relevant field.
  • In a policy name, you must include the full path to the policy, such as /Common/MyPolicy.
Dates
  • Values with a type of date accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
  • Values of the date range type accept input in the format [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range can also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
Numeric Values
  • Values of the numeric range type accept input in the format [min...max], such as '[1...100]'. The numeric range can also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
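As an added illustration that is not BIG-IQ's own query engine, the following Python matcher applies the syntax rules listed in this section (key:value clauses, quoted values, parenthesised lists defaulting to OR, the * wildcard, AND/OR/NOT, and open-ended date and numeric ranges) to constructed sample event records. The field names, the left-to-right evaluation order of the operators, and the 'Oct 30, 2017 00:00:00' date format used for comparison are assumptions, not documented BIG-IQ behaviour.

```python
import re
from datetime import datetime
# A token is either one key:value clause (value quoted, a [...] range, a bare word, or a parenthesised list kept whole) or one boolean operator.
_TOKEN = re.compile(r"""(\w+):(\([^)]*\)|'[^']*'|"[^"]*"|\S+)|\b(AND|OR|NOT)\b""")
_ITEM = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

def _scalar(text):  # range bound or field value -> number, else a date in the page's format (assumed)
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(str(text).strip(), "%b %d, %Y %H:%M:%S")

def _match_item(item, actual):  # one value term against one field value
    term = item.strip("'\"")
    if term.startswith("[") and term.endswith("]") and "..." in term:  # [min...max], either end optional
        lo, hi = term[1:-1].split("...", 1)
        val = _scalar(actual)
        return (not lo or _scalar(lo) <= val) and (not hi or val <= _scalar(hi))
    if "*" in term:  # wildcard, text fields only
        return re.fullmatch(re.escape(term).replace(r"\*", ".*"), str(actual)) is not None
    return str(actual) == term

def _match_clause(key, raw, event):  # inside ( ) the default operator is OR unless AND is written
    if key not in event:
        return False
    if raw.startswith("("):
        items = [i for i in _ITEM.findall(raw[1:-1]) if i not in ("AND", "OR")]
        return (all if " AND " in raw else any)(_match_item(i, event[key]) for i in items)
    return _match_item(raw, event[key])

def matches(query, event):  # whole query against one event dict, clauses combined left to right
    result, op, negate = None, "AND", False
    for key, raw, word in _TOKEN.findall(query):
        if word == "NOT":
            negate = True
        elif word:
            op = word
        else:
            val = _match_clause(key, raw, event) != negate
            result = val if result is None else (result and val if op == "AND" else result or val)
            negate = False
    return bool(result)

EVENTS = [  # constructed sample events; the field names are illustrative, not a BIG-IQ schema
    {"support_id": "9812345678", "profile_name": "MyCurrentProfile", "geolocation": "DE", "response_code": 403, "date_time": "Oct 30, 2017 01:15:00"},
    {"support_id": "5550001111", "profile_name": "LegacyProfile", "geolocation": "US", "response_code": 200, "date_time": "Oct 30, 2017 07:45:00"},
]

def filter_events(query, events=EVENTS):  # support IDs of the events that satisfy the query
    return [e["support_id"] for e in events if matches(query, e)]
```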