Manual Chapter : Managing Audit Logs

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.3.0
Manual Chapter

About audit logs

You use audit logs to review changes in the BIG-IQ® system. All BIG-IQ system roles have read-only access to the audit log, and can view and filter entries. Any user with the appropriate privileges can initiate an action.

All API traffic on the BIG-IQ system, and every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log) which is located in /var/log on the BIG-IQ system.

Considerations when using the audit log

When using the audit log, consider the following:

  • The audit log does not record an entry for every generation of a task. It only records an entry when the task status changes.
  • When an object is deleted and then recreated with the same name, partition, and other information, the difference between those objects may show the deleted object as being the previous generation of the new object.
  • By default, not all columns are displayed by the audit log to conserve space. To review what columns are displayed, click the gear icon in the upper right of the Audit Logging screen.

Actions and objects that generate audit log entries

BIG-IQ® records in the audit log all user-initiated changes that occur on the BIG-IQ system. A change is defined as when certain objects are modified, when certain tasks change state, or when certain user actions are performed. For example, when the admin account is used to log in to the BIG-IQ system, the audit log records the time, the user (admin), the action (New) and the object type (Login). The log does not include changes that occurred on BIG-IP® devices that were imported.

Changes to working-configuration objects generate audit log entries. In addition, these actions generate log entries:

  • Creating or deleting a user account.
  • Users logging in and logging out, including when the user is logged out due to inactivity.
  • Creating or cancelling a device discovery or a device reimport.
  • Creating a Network Security Change Verifications action to verify the changes to a specific BIG-IP device or group.
  • Deleting a previously discovered device.
  • Creating or deleting a deployment task.
  • Creating a difference task.
  • Creating, restoring, or deleting a snapshot.
  • Editing some system information (such as editing a host name, a root password, a DNS entry, or an SNMP entry).

Audit log entry properties

The audit log displays the following properties for each log entry.

Property Description
Source IP address of the client machine that made the change.

This property is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Source IP address.

Service Indicates whether the change was made by the internal object synchronization service. This service synchronizes shared objects, such as virtual servers, from the Local Traffic & Network service to the Network Security or Web Application Security services.
  • If a check mark is displayed, the change was made by the internal object synchronization service, and no IP address is shown in the Source column. The check mark is only displayed in the Network Firewall Audit Log or the Web Application Security Audit Log screens.
  • If a check mark is not displayed, the change was not made by the internal object synchronization service.
Time Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: mmm dd, yyyy hh:mm:ss (time zone); for example: Apr 19, 2016 13:09:03(EDT).
Node Fully qualified domain name for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.
User Name of the account that initiated the action, such as an account named Admin for an administrative account.
Action Type of modification. For operation changes, the action types include New, Delete, and Modify. For task changes, the action types include Start, Finish, Failed, and Cancelled.
Object Name Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. When the name RootNode is listed, that indicates that the object is associated with a BIG-IP device. RootNode is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
Changes Indicates whether there was a change in the object. If View occurs in this column, there is a change to the object. To view the detailed differences of the change, click View.
Object Type Classification for this action. When the type Root Node is listed, that indicates that the object is associated with a BIG-IP device. Root Node is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.
Parent The administrative partition and name of the parent object. This property is displayed for firewall rules, logging profiles, and DoS profiles. For firewall rules, the parent shows the rule list, firewall, or policy that contains the rule. A change in a firewall rule often also affects the rule's parent object.
Parent Type Class or group of the parent object.
Version Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.

Viewing audit entry differences

In the audit log, when potential changes to an object are logged, the View link is shown in the Changes column for that entry. You can click View to examine the differences between generations of that object.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand LOGS, then expand Audit Logs, and then , click the component that you want to view audit entries for.
  3. To display differences for an object, click View in the Changes column.
    A popup screen opens, showing two columns that compare the differences between the two generations of the object in JSON. In these columns, additions to an object generation are highlighted in green, and differences are highlighted in gold.
    If the system cannot retrieve a generation of an object, the column displays either Generation Not Available or Generation No previous generation. Object information may not be available if it has been automatically purged from the system to conserve disk space, or if it has been deleted.
    The JSON difference displayed for a delete entry in the audit log shows the JSON difference from the previous operation because the generation identifier is not incremented when an object is deleted.
  4. When you are finished, click Close on the popup screen to return to the Audit Logging screen.

Filtering entries in the audit log

You can use the Filter field at the top right of the Audit Logging screen to rapidly narrow the scope displayed, and to more easily locate an entry in the audit log.
  • Filtering is text-based.
  • Filtering is not case-sensitive.
  • You can use wild cards, or partial text.
  • All BIG-IQ® roles can filter entries.
  • To clear the filter, click the X to the right of the search string in the Filtered by field on the left.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand LOGS, then expand Audit Logs, and then , click the component that you want to view audit entries for.
  3. Use the Filter field in the upper right corner to narrow your search:
    1. Select the field that you want to specify filter options for.
    2. Type the information specific to the object you want to filter on.
    3. Select Exact if you want to view only logs that completely match the filtering content you typed. Or, if you want to view any logs that include the filtering content, select Contains.
    4. Press Enter.
    Option Description
    All Specifies that all objects should be filtered using the filter text. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it.
    Client Address For Filter, type the IP address of the device that generates the logs. Log entries from devices with a different IP address will not be displayed.
    Time Type both a date and a time. Displayed times are given in the local time of the BIG-IQ system. Supported time formats are highly Web browser-dependent. Time formats other than those listed might appear to filter successfully but are not supported. Entering a single date and time results in a filter displaying all entries from the specified date and time to the current date and time.

    For time formats that use letters and numbers, enter the date time in one of the following formats:

    • mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
    • mmm dd, yyyy hh:mm:ss (time zone). Example: Apr 28, 2016 13:09:03(EDT)
    • mmm dd, yyyy. Example: Apr 28, 2016
    • mmm dd, yyyy hh:mm:ss. Example: Apr 28, 2016 16:09:06
    • ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50

    For time formats that use only numbers, enter the date time in one of the following formats:

    • mm/dd/yy hh:mm:ss. Example: 01/01/16 12:14:15
    • m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
    • mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15
    Node Type the node name in the filter.
    User Type the user account name in the filter.
    Action: Operation Type the operation action name in the filter. Operation actions include: New, Delete, and Modify.
    Action: Task Status Type the task status action name in the filter. Task status actions include: Start, Finish, Cancelled, and Failed.
    Object Name Type the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4. Because the device-specific object name includes the BIG-IP® host name, you can enter a full or partial device name to get all objects for a specific BIG-IP device.
    Object Type Type the object type in the filter.
    Parent Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule.
    Parent Type Type the Parent Type name in the filter. Only appears when the Parent field contains a value.
    Contains Specifies that the filter text is contained within the object specified. When you select Contains:
    • If the filter text is a string, the filter text matches an entire string or only a part of a string.
    • If the filter text is an IP address, the filter text matches an IPV4 or IPV6 address that is the same as the filter text, or matches an IPV4 address range or subnet that includes the filter text. IPV6 addresses can not be found within a range or subnet.
    • If the filter text is a port number, the filter text matches a port number that is the same as the filter text, or matches a port number range that includes the filter text.
    Exact Specifies that the filter text is exactly contained within the object specified. When Exact is selected:
    • If the filter text is a string, the filter text matches only the entire string.
    • If the filter text is an IP address, the filter text matches only an IPV4 or IPV6 address that is the same as the filter text.
    • If the filter text is a port number, the filter text matches only a port number that is the same as the filter text.
The result of a search filter operation is a set of entries that match the filter criteria, sorted by time.

Customizing the audit log display

You can customize the audit log display to assist you in locating information faster.

  • To customize the order of columns displayed, click any column header and drag the column to the location you want.
  • To sort by column, click the name of the column you want to sort. Not all columns can be sorted. When sorting items in the Object Name column, partition names are ignored. For example, the object name Common/rule1 would be sorted without the common partition name, as if it were named rule1.
  • To resize columns, click the column side and drag it to the preferred location.
  • To select what columns are displayed, click the gear icon in the upper right of the Audit Logging screen. In the popup screen, select columns you want to display and clear columns you do not want to display. Move your cursor away from the screen to dismiss it.

Managing audit log archive settings

You can view or change the audit archive settings. The archived audit log files are stored in the /var/config/rest/auditArchive/ directory on the BIG-IQ® Centralized Management system.
Note:
Note: Changing the audit archive settings while an archive is in progress could interrupt the current archive process. A subsequent archive operation will continue where the previous operation left off.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand LOGS, then expand Audit Logs, and then , click the component that you want to view audit entries for.
  3. Click the Archive Settings button in the upper left of the Audit Logging screen to display the audit log settings.
  4. Complete or review the properties and status settings, and click Save.
    Property Description
    Retain Entries Specifies the number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30.
    Weekly Update Specifies which days of the week to update the audit log. Select the check box to the left of each day that you want the audit log to be updated. The default is every day.
    Start Time Specifies when the audit archiving should begin. The default is 12:00 am.
    Items Expired Displays the read-only number of entries that have expired.
    Last Error If an error has occurred, displays the read-only error text for any errors found.
    Last Error Time If an error has occurred, displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ Centralized Management system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss, for example, Fri Jan 17 2014 23:50:00.

About archived audit logs

You can view or change how audit logs are archived by clicking the Archive Settings button on the Audit Logging screen.

Archived audit log files are stored in the archive-audit.n.txt file in the appropriate subdirectory of the /var/config/rest/auditArchive directory on the BIG-IQ® Centralized Management system:

  • Network Security audit log: /var/config/rest/auditArchive/networkSecurity/
  • Web Application Security audit log: /var/config/rest/auditArchive/webAppSecurity/
  • Fraud Protection Service audit log: /var/config/rest/auditArchive/websafe/
  • Local Traffic and Network audit log: /var/config/rest/auditArchive/adc/
  • Device Management audit log: /var/config/rest/auditArchive/device/
  • Access audit log:/var/config/rest/auditArchive/access/

Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt file is created, which then has new audit entries appended to it.

Up to five compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest numbered archive, typically, archive-audit.5.txt.gz.

The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each rchive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all five archive-audit.n.txt.gzfiles exist, during the rotation the contents of archive-audit.5.txt.gz are overwritten, and are no longer available.

About audit logs in high-availability configurations

In high-availability (HA) configurations, there is a primary and secondary BIG-IQ® system. During failover, the audit log entries and the audit archive settings are copied from the primary to the secondary system before the secondary system becomes the new primary system.

However, archived audit logs are not copied from the primary to the secondary BIG-IQ system.

About the REST API audit log

The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.

Note: The current iteration of the log is named restjavad-audit.0.log. When the log reaches a certain user-configured size, a new log is created and the number is incremented. You can configure and edit settings in /etc/restjavad.log.conf.

Any user who can access the BIG-IQ system console (shell) has access to this file.

Managing the REST API audit log

The REST API audit log contains an entry for every REST API command processed by the BIG-IQ® system, and is an essential source of information about the modules licensed under the BIG-IQ system. It can provide assistance in compliance, troubleshooting, and record-keeping. With it, you can review log contents periodically, and save contents locally for off-device processing and archiving.
  1. Using SSH, log in to the BIG-IQ Network Security system with administrator credentials.
  2. Navigate to the restjavad log location: /var/log.
  3. Examine files with the naming convention: restjavad-audit.n.log.
    The letter n represents the log number.
  4. Once you have located it, you can view or save the log locally through a method of your choice.