Manual Chapter: Monitoring Web Application Security Event Logs
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
Monitoring application security event logs
You can view Web Application Security event logs to review applications and
virtual server activities. You can use these logs to view event details, which can
provide insights into your current application protection. This information can be
useful for editing your current protection policy. Application security event logs
provide certain quick links in each event, which allow you to make immediate
adjustments, if necessary.
Due to the configuration of an AS3 application, some event details may not be available.
Tagging and filtering logs
BIG-IQ Centralized Management enables a single view of all
filters and log entries (and details for each entry) from multiple BIG-IP
devices.
You use tags and filters to select which events to view.
- Filters allow you to select the events to view by constructing a query that the events must match.
- You can assign tags to events to label them, so that you can use that label in queries.
Event logs based on user privileges
The system administrator has the ability to provide granular access to view and/or edit specific BIG-IP objects, such as virtual servers, applications,
Monitor event logs and define tags
You can review Web Application Security events on applications and servers from one or more BIG-IP devices. By default, the events are filtered to show only illegal requests. You can use the Web Application Security Event Logs to view the affected virtual server or applications, and to take certain mitigation actions and adjust the protection configuration directly from the event details.
- Go to. To view the logging profile of a specific protected object, go to and select the logging profile link associated with the object in the dashboard's list.
- To see details of an event log entry, click in the event entry row. A screen on the right opens and shows details of the event. This view provides information such as the reporting application or virtual server. Details also include client information, protection and logging policies, and full HTTP request/response header information.
- In the details screen, you can specify the kind of information to see.
- You can specify compact or full information. At the top of the screen, click Compact for summary information, or click Full for complete information.
- You can view either HTTP header request or response information. Click Request for request information or Response for response information. Both kinds of information contain violation links in blue that you can click for more information.
- Select links in the details area to complete the following actions (it is recommended to view in Full details format):
  - Source IP Address: add a source IP address directly to the Web Application Security policy's allowlist settings.
  - Geolocation: disallow traffic from an event's geolocation.
  - Security Policy: edit the policy's settings.
  - Destination IP Address: view the virtual server's properties, when available.
- To create and apply tags to events, select the events using the check box to the left, and click Tags above the event list. A dialog box opens.
  - To create a tag, type the tag name in the provided field and click +.
  - To apply a tag to the selected events, select the check box to the left of the tag and click Apply.
  Tags are useful for sorting event types that the system does not categorize by default. You can use tags to quickly sort and filter the event list.
- To export selected events as a CSV or PDF file, select the events using the check box to the left, and click Export.
- To display only events that contain a specified string, type that string in the Filter field in the upper right of the screen.
You can create a search filter to quickly view events that match pre-defined criteria.
View and delete event log tags
You can review the tags defined for use with Web Application Security events and remove the tags.
- Click. The Tags screen shows the defined tags.
- To remove a tag, select the check box to the left of it and click Remove, then confirm the deletion in the dialog box that opens. The tag is removed from the Tags screen.
Create a new log filter
You can create new filters to better manage the events in your logs. The filters are based on a fixed set of query parameters, with an option to manually enter all available parameters into a query expression. For more details about the required syntax, see Query expression syntax for log filters.
- From the log screen, click the filter icon at the top right of the screen.
- Click Create. The New Filter configuration popup screen opens.
- Type a unique Filter Name.
- In the Query Parameters area, add the query information. Adding information to these fields automatically populates the Query Expression box. Refer to Query expression syntax for log filters to view all query options.
- Once you have the custom filter the way you want it, click Save & Apply.
The new filter is added to the filter list. You can select this filter later to query the list according to the set parameters.
Query expression syntax for log filters
On the New Filter configuration popup screen, the Query Expression area for creating a new log filter requires specific syntax. To enter query parameters manually, use the syntax requirements listed here.
General Syntax
- Express elements of the filter query as key value pairs, separated by a colon, such as profile_name:"MyCurrentProfile".
- Use the following operators within a filter query (operator, followed by a usage example):
  - AND: This:p1 AND bar:(A AND B AND "another value")
  - AND NOT: AND NOT qux:error
  - OR: name:"this is a name" OR bar:(A OR B OR C)
  - OR NOT: OR NOT qux:error
  - *: support_id:*123*. This operator can only be used for text fields.
- Enclose values that have spaces within quotation marks, such as key:"two words".
- Query any field for more than one value by enclosing the values in parentheses, such as key:(a b "two words"). In this case, the default operator is OR.
- Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, next to the relevant field.
- In a policy name, you must include the full path to the policy, such as /Common/MyPolicy.
Dates
- Values with a type of date can accept valid date formats, such as 'Oct 30, 2017 00:00:00'.
- Values of the date range type can accept input in the format of [min_date...max_date], such as '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'. The date range might also contain only a minimum without a maximum, or the reverse, such as '[Oct 30, 2017 00:00:00...]' or '[...Oct 30, 2017 00:00:00]'.
Numeric Values
- Values of the numeric range type can accept input in the format of [min...max], such as '[1...100]'. The numeric range might also contain only a minimum without a maximum, or the reverse, such as '[1...]' or '[...100]'.
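The following Python script is an added example, not F5 code and not part of BIG-IQ. It implements a small parser and matcher for the query expression syntax defined in this section (key:value pairs, the AND / OR / AND NOT / OR NOT operators, parenthesised value groups that default to OR, the * wildcard on text fields, and [min...max] numeric and date ranges, including open-ended ones) and runs queries against a few constructed events. Two points the page leaves unspecified are assumed here: operators chain left to right with equal precedence, and the event field names other than profile_name and support_id (policy_name, severity, date_time) are illustrative rather than BIG-IQ's own schema. The single quotes the page shows around the range examples are treated as documentation formatting, not as part of the query.

```python
"""Offline matcher for the log-filter query syntax above (added example, not F5 code)."""
import fnmatch
import re
from datetime import datetime

# Token classes: "quoted value", [range], a parenthesis, the colon, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\[[^\]]*\]|[()]|:|[^\s():"\[\]]+')

def _bound(text):
    """A range bound is a number or a date in the 'Oct 30, 2017 00:00:00' form."""
    try:
        return float(text)
    except ValueError:
        return datetime.strptime(text, "%b %d, %Y %H:%M:%S")

def _take(ts, want=None):
    """Consume the next token (ts[0]); the trailing None sentinel is never consumed."""
    tok = ts[0]
    if tok is not None:
        del ts[0]
    if want is not None and tok != want:
        raise ValueError(f"expected {want!r}, got {tok!r}")
    return tok

def parse(query):
    """Parse a query string into a tuple tree: (AND|OR, l, r), (NOT, n), (EQ|GLOB|RANGE, key, ...)."""
    ts = TOKEN_RE.findall(query) + [None]  # None marks the end of input
    tree = _chain(ts, _term, implicit_or=False)
    if ts[0] is not None:
        raise ValueError(f"unexpected token {ts[0]!r}")
    return tree

def _chain(ts, atom, implicit_or):
    # atom (AND|OR [NOT] atom)*; inside a value group a missing operator means OR.
    left = atom(ts)
    while True:
        if ts[0] in ("AND", "OR"):
            op = _take(ts)
        elif implicit_or and ts[0] not in (None, ")"):
            op = "OR"
        else:
            return left
        negate = ts[0] == "NOT" and _take(ts) == "NOT"  # consume the NOT if present
        right = atom(ts)
        left = (op, left, ("NOT", right) if negate else right)

def _term(ts):
    key = _take(ts)
    _take(ts, ":")
    if ts[0] != "(":
        return _value(ts, key)
    _take(ts, "(")
    node = _chain(ts, lambda t: _value(t, key), implicit_or=True)
    _take(ts, ")")
    return node

def _value(ts, key):
    tok = _take(ts)
    if tok in (None, "(", ")", ":", "AND", "OR", "NOT"):
        raise ValueError(f"missing value for field {key!r}")
    if tok.startswith('"'):
        return ("EQ", key, tok[1:-1])
    if tok.startswith("["):
        lo, hi = tok[1:-1].split("...")
        return ("RANGE", key, lo.strip(), hi.strip())
    return ("GLOB" if "*" in tok else "EQ", key, tok)

def matches(node, event):
    """Evaluate a parsed tree against one event (a dict of field -> value)."""
    kind = node[0]
    if kind in ("AND", "OR"):
        left, right = matches(node[1], event), matches(node[2], event)
        return (left and right) if kind == "AND" else (left or right)
    if kind == "NOT":
        return not matches(node[1], event)
    if node[1] not in event:
        return False
    val = event[node[1]]
    if kind == "EQ":
        return str(val) == node[2]
    if kind == "GLOB":  # wildcards are defined only for text fields
        return isinstance(val, str) and fnmatch.fnmatchcase(val, node[2])
    lo, hi = node[2], node[3]  # RANGE; an empty bound means "open on that side"
    cur = _bound(val) if isinstance(val, str) else val
    return (lo == "" or cur >= _bound(lo)) and (hi == "" or cur <= _bound(hi))

def filter_events(query, events):
    tree = parse(query)
    return [e for e in events if matches(tree, e)]

# Constructed sample events; the field names are illustrative, not BIG-IQ's schema.
SAMPLE_EVENTS = [
    {"support_id": "18446744073709551123", "profile_name": "MyCurrentProfile",
     "policy_name": "/Common/MyPolicy", "severity": 4, "date_time": datetime(2017, 10, 30, 3, 0)},
    {"support_id": "9001", "profile_name": "Other",
     "policy_name": "/Common/Staging", "severity": 1, "date_time": datetime(2017, 10, 30, 7, 0)},
    {"support_id": "55123", "profile_name": "MyCurrentProfile",
     "policy_name": "/Common/MyPolicy", "severity": 5, "date_time": datetime(2017, 10, 29, 23, 30)},
]
```

Call filter_events('profile_name:"MyCurrentProfile" AND NOT support_id:55123', SAMPLE_EVENTS) to see which events a query selects; parse('a:b AND NOT c:d') returns the tree, which makes the assumed left-to-right grouping explicit. A matcher like this is a convenient way to check that a query expression parses and selects the events you expect before saving it as a filter, and it shows why the wildcard rule matters: a * pattern against a numeric field simply never matches rather than raising an error.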