Manual Chapter : Access Reporting and Statistics

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Manual Chapter

About Access and SWG reports

Access reports focus on session and logging data from Access devices (managed devices with APM licensed and provisioned). F5® Secure Web Gateway Services reports focus on user requests (for URLs or applications, for example) from Access devices with Secure Web Gateway Services provisioned. BIG-IQ® Centralized Management Access also supports high availability. Thus, users can view both Access and SWG reports on a secondary BIG-IQ system.

Access reports and SWG reports provide the following features.

  • Reports on any combination of discovered devices, Access groups, and clusters
  • Graphs for typical areas of concern and interest, such as cross-geographical comparisons or top 10 issues
  • Tabular data to support the graphs
  • Ability in some screens to drill down from summarized data to details
  • Ability to save data to CSV files

Setup requirements for Access and SWG reports

Before you can produce Access reports and SWG reports, you must ensure that these tasks are already complete.

  • Set up the BIG-IQ® Centralized Management data collection devices.
  • Add the BIG-IP® devices to BIG-IQ inventory.
  • Discover the devices. (Devices with the Access service configuration are what you need.)
  • Run the data collection device configuration setup on the devices from the Access Reporting screen.

What data goes into Access reports for the All Devices option?

The All Devices option for Access reports includes data from the devices that are currently managed (discovered) in the BIG-IQ® system. This is in addition to data from devices that were managed at some point during the report timeframe, but that are not currently managed. With All Devices selected, if data from unmanaged devices exists, it displays in reports.

An unmanaged device might be unmanaged temporarily or permanently. Any time a configuration management change causes APM® to be undiscovered, the device and its data are moved to All Devices until APM is re-discovered on the device.

You cannot generate a report for an unmanaged device. However, you can generate a report for the timeframe when the device was managed, and then search the report for the unmanaged device name. In the Summary report, All Active Sessions includes the number of sessions that were active on the device when it became unmanaged. Those sessions stay in the Summary and in the Active sessions reports until the next session status update, which occurs every 15 minutes.

About upgrades affecting reports

When you upgrade a BIG-IQ® Centralized Management system without taking a snapshot, it deletes all reporting data, including both Access and SWG reports. After upgrading, users cannot obtain these reports from the BIG-IP® devices. To prevent the lost of reports, users should take an Elasticsearch snapshot before upgrading, and restore the snapshot after upgrading. For more information on elasticsnapshots, refer to F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version x.x.

About the application dashboard

The Application Summary dashboard is your starting point to view and download general reports for BIG-IQ Access.

View the Application Summary dashboard

The BIG-IQ® Centralized Management Application Summary dashboard displays information regarding the applications linked to the system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Application Summary .
The Application Summary screen opens, showing detailed information and charts for specific applications.

About application visibility

You can monitor your applications by viewing the BIG-IQ® Centralized Management Access user dashboard for data on which applications are linked to the BIG-IQ Access component. The system displays the top applications used and the application usage time. Administrators can expand the GUI for a specific application and view the following information:

  • The application access history
  • The users who use the application the most
  • The access history
  • The world map, showing where the user is access the application

About user visibility

You can monitor your user base by viewing the BIG-IQ® Centralized Management Access user dashboard for data on specific users. The system displays which users created the most sessions, were denied the most sessions, and had the longest total session duration. The administrator can enter a specific user name to get the following details for the user:

  • User login locations on a world map.
  • Total sessions, denied sessions, and session duration.
  • Denied sessions.
  • Top authentication failures, including AD Auth and LDAP only.
  • Device type users used to log into the system.
  • Reason the system terminated the session.
  • Login history showing the success and failures over time.
  • Most accessed applications.
  • Most accessed URLs.
  • Login failure attempts over time, sorted by the reason.
  • Client session duration over time.
  • Endpoint software.
  • Network access reconnect, errors, and usage rates.

Managing a specific user in Access reporting

You can use the BIG-IQ® Centralized Management Access reporting tools to view the user dashboard for data on a specific user.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click Monitoring > DASHBOARDS > Access > User Summary .
    The User Summary screen displays, showing detailed information for specific users.

Running Access reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Access reports for any device with the APM® service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click Monitoring.
  2. On the left, select DASHBOARDS > Access .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or, select one or more of the other options (<Access group name>, <Cluster display name>, and <Device name>).
    • All Devices Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices Includes all Access devices that are currently discovered.
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Getting the details that underlie an Access report

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.
From the Summary report, and from most session reports, the initial display includes graphs that summarize the report data. You can get successively more detailed information by clicking a bar or a point on a graph or clicking a link if one is displayed on the screen.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access .
    The Summary report is an example of the type of report that presents high-level data, and provides access to underlying data.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. Click anywhere in a summary to get more information.
    To get details from a summary, click the brightly colored number or the brightly colored bar.

    Top left portion of the Summary report display

    Additional graphs display, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display more details.
  6. Scroll down to the table to view the supporting data.
  7. If the table includes a Session ID field, click the link in that field to open the session details.
    Session details report displays local time, hostname, log level, message, and a Session Variables tab.

    Session details popup screen (with addresses and host names blurred)

  8. To change which records display on this screen, select a log level from the LOG LEVEL list at the top of the screen.

About the maximum number records for Access and SWG reports

When you run an Access report or an SWG report, Access can get up to 10,000 records to display to you. After you scroll to the end of those 10,000 records, Access displays a message. At that point, all you can do is select fewer devices or select a shorter timeframe.

Setting the timeframe for your Access or SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.
Use the TIMEFRAME list at the top of any Access or SWG report to change the report time period.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click Monitoring.
  3. To set a predefined timeframe, select one of these from the TIMEFRAME list: Last hour, Last day, Last week, Last 30 days, Last 3 months.
  4. To set a custom timeframe, select one of these from theTIMEFRAME list:
    • Between: Click each of the additional fields that display to select dates and times. The report displays the records between those dates and times.
    • Before: Click the additional fields that display to select a date and a time. The report displays the records before that date and time.
    • After: Click the additional fields that display to select a date and a time. The report displays the records after that date and time.

Access report problems: causes and resolutions

Problem Resolution
A session is over, but it continues to display in the Active sessions report. If a session starts when logging nodes are up and working, but terminates during a period when logging modes are unavailable, the session remains in the Active sessions report for 15 minutes. After 15 minutes, the session status is updated and the session is dropped from the report.
Active sessions are included in the Summary and Active sessions reports for a device that is no longer managed. Sessions were active on a device when it was removed from an Access group and became unmanaged. Sessions that were active when the device became unmanaged remain counted in All Active Sessions on the Summary screen and stay in the Active sessions report until the next session status update, which occurs every 15 minutes.
A session is over, but Session Termination and Session Duration are blank in a session report. If a session starts when logging nodes are up and working but terminates during a period when logging nodes are unavailable, the session termination is not recorded and the session duration cannot be calculated.

What can cause logging nodes to become unavailable?

Logging nodes are highly available, but it is still possible for them to become unavailable. This could occur, for example, if all logging nodes are on devices in the same rack in a lab, and the power to the lab shuts down.

Sessions

Running Session reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can create Session reports for any device with the APM® service configuration on it that has been discovered on the BIG-IQ system, whether or not the device is a member of an Access group. To create a report, you can select any combination of Access groups, clusters, and devices.
  1. At the top of the screen, click Monitoring.
  2. On the left, select DASHBOARDS > Access > Sessions .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  3. From the left, select any report that you want to run.
  4. At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, and <Device name>).
    • All Devices Includes Access devices that are currently managed, and Access devices that were managed at one time but are not managed now. (A managed device is one that has been discovered with the APM service configuration.)
    • All Managed Devices Includes all Access devices that are currently discovered.
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Stopping sessions on BIG-IP devices from Access

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.
You can stop currently active sessions on BIG-IP® devices, using the Active sessions report on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. On the left, from Sessions, select Active.
    The screen displays a list of active sessions for all devices.
  5. To display sessions for particular devices, groups, or clusters only, select them from the ACCESS GROUP/DEVICE list at upper left.
    The screen displays the active sessions for the selected devices.
  6. To stop specific sessions only, select the sessions that you want to end and click Kill Selected Sessions.
  7. To stop all sessions, click Kill All Sessions.

Running Secure Web Gateway reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SWG provisioned on it can provide data for Secure Web Gateway reports.
You can create SWG reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Secure Web Gateway .
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  4. From the left, select any report that you want to run.
  5. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

About denied sessions

You can monitor the sessions that BIG-IQ® Centralized Management denies. By using the Access Monitoring option, you can view the following information:

  • The history of denied sessions
  • The reasons why sessions were denied
  • The top denied users, sorted by session count
  • The top authentication failures
  • The top denied policies
  • The top denied sessions by country of origin
  • The top denied session by the virtual server
  • The denied sessions, sorted by the client platform

Viewing denied sessions

You can use the BIG-IQ® Centralized Management Access reporting features to see which sessions were denied by the system, as well to create a report.
  1. Log in to the BIG-IQ system with your user name and password.
  2. Click Monitoring > DASHBOARDS > Access > Sessions > Denied .
  3. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  4. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  5. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.
From here, you can view details regarding denied sessions and create a report.

Getting the details that underlie an SWG report

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SWG provisioned on it can provide data for SWG reports.
From the Summary report, the initial display includes graphs that summarize the report data. You can get more detailed information by clicking a bar or a point on a graph to see additional graphs and tables with supporting entries.
  1. Log in to BIG-IQ Centralized Management with your admin user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Secure Web Gateway .
    The Summary starts to generate and display. A timeline and some summaries display across the top of the screen. Graphs display under the summaries. Each graph provide different views of the data.
  4. Click any bar in a graph on the display to get more information.
    Additional graphs provide different views of the data, and supporting data displays in a table at the bottom of the screen.
  5. If more details are available, click the bars in the graphs to display them.
  6. Scroll down to the table to view the supporting data.

About VDI reports

You can monitor your virtual desktop infrastructure (VDI) by viewing the BIG-IQ® Centralized Management Access user dashboard for VDI applications, and creating a VDI report. The system displays the top VDI applications used and the application usage time. Administrators can expand the UI for a specific application, and view the following information:
  • The top 10 VDI applications
  • The top users for the VDI applications
  • The application usage history

About network access reporting

You can use F5® BIG-IQ® Centralized Management to monitor the health of your network access connections. From the Network Access dashboard, you can view graphs and data for network access performance, reconnecting detail, errors, and usage rates. With the network access reporting feature, you gain full visibility of your network access usage information such as which users are request access, timestamps of the requests, and details of failures in their APM enviornments. All this allows you to troubleshooting your BIG-IP system deployments without logging into each BIG-IP device individually.

Note: After you set up data collection devices, the BIG-IQ system requires approximately 10 minutes to process the event logs required to display network access reporting data. This applies to new setups as well as rolling and regular upgrades from BIG-IQ version 5.2/5.3 to 5.4.

View the network access summary

View the Network Access Summary screen to see reporting details such as network sessions, connections, the number of bytes transferred.
  1. At the top of the screen, click Monitoring.
  2. On the left, select DASHBOARDS > Access > Remote Access > Network Access > Network Access Summary .
    The Network Access Dashboard screen opens.
  3. Generate a report with a different scope by making a selection from the ACCESS GROUP/DEVICE list or the TIMEFRAME list, or both, then click CSV Report.
    You can use the summary screen to select a virtual server besides making a selection from either lists.
    A Report Download Status screen opens, downloading a CSV report to your local drive.
  4. To view reporting details about the number of active users, click Active Users.
  5. To view reporting details about the number of active connections, click Active Connections.
  6. To view reporting details about the total number of reconnects, click Total Reconnects.
  7. To view reporting details about the number of connectivity errors, click Network Access Session Errors.
  8. Click the Sessions tab to display reporting details about network access sessions.
  9. Click the Connections tab to display reporting details about network access connections.
  10. Click the Bytes Transferred tab to display reporting details about the number of bytes transferred in network access connection.

About network access performance

The Network Access Performance screen gives you an overview of how your network access traffic is performing. BIG-IQ supports the following features:

  • Throughput over time - Displays a graph showing the throughput to and from the client device in bits per second.
  • Active connections over time - Displays a graph showing the average number of connections per hour.
  • New connections over time - Displays a graph showing the average number of new connections per hour.

About network access reconnect

The Network Access Reconnect screen gives you an overview of your network access reconnects. BIG-IQ supports the following features:

  • Local Time - Displays the local timestamp when the user reconnected to the network access connection.
  • Hostname - Displays the BIG-IP system from which the network access connection originates.
  • Cluster - Displays the BIG-IP APM cluster.
  • Session ID - Click the session ID to open the Session Details screen, displaying session details and session variables.
  • User Name - Displays the username of the reconnecting user.
  • Client IP - Displays the IP address of the client device used for the reconnect.
  • Client OS - Displays the operating system of the client device used for the reconnect.
  • Country - Displays the country where the reconnect originates.
  • State - Displays the geographical state where the reconnect originates.
  • Continent - Displays the continent where the reconnect originates.
  • Client Application - Displays the client application associated with the network access.

About network access errors

The Network Access Errors screen gives you an overview of your errors that occur during your active network access connections. BIG-IQ supports the following features:

  • Local Time - Displays the local timestamp when error occurred.
  • Hostname - Displays the BIG-IP system from which the network access error occurred.
  • Session ID - Click the session ID to open the Session Details screen, displaying session details and session variables.
  • Error Message - Displays the error message.
  • User Name - Displays the username of the the user associated with the error.
  • Client IP - Displays the IP address of the client device where the error occurred.
  • Client OS - Displays the operating system of the client device where the error occurred.
  • Country - Displays the country where the error occurred.
  • Virtual Server - Displays the virtual server associated with the network access resource.

About network access usage

The Network Access Usage screen gives you an overview of your network access connection usage rates. BIG-IQ supports the following features:

View network access usage for the top 1000 users in the table:

  • User Name - Displays the usernames of the top users by usage.
  • Total Connections - Displays the total number of network access connections.
  • Total Bytes In - Displays the total number of bytes received by the network access.
  • Total Bytes Out - Displays the total number of bytes sent out by the network access.
  • Total Bytes Transferred - Displays the total number of sent and received bytes.
  • Total Duration - Displays the total duration when the network access connections for a user were active. When the user has multiple active connections at the same time, the total duration is the sum of the duration of those two connections.
  • Distinct Locations - Displays the number of unique locations from where the network access usage originates.

View network access usage for the top 1000 locations in the table:

  • Country - Displays the countries from where the network access usage originates.
  • State - Displays the states in the countries from where the network access usage originates.
  • Total Connections - Displays the total number of network access connections.
  • Total Bytes In - Displays the total number of bytes received by the network access.
  • Total Bytes Out -Displays the total number of bytes sent out by the network access.
  • Total Bytes Transferred - Displays the total number of sent and received bytes.
  • Total Duration - Displays the total duration when the network access connections for a user were active. When the user has multiple active connections at the same time, the total duration is the sum of the duration of those two connections.

About endpoint security check

You can use F5® BIG-IQ® Centralized Management to monitor the your endpoint security checks. From the Endpoint Software Summary dashboard, you can view graphs and tables showing how your system collects and verifies system information. With the endpoint software reporting feature, you gain full visibility of your software checks, products, and vendors. All this allows you to troubleshooting your BIG-IP system deployments without logging into each BIG-IP device individually.

About endpoint software summary

The Endpoint Software Summary screen gives you an overview of your endpoint checks. BIG-IQ supports the following features:

  • SOFTWARE CHECKS TYPES - Displays the types of software checks.
  • TOP 10 USED PRODUCTS - Displays the top ten products used.
  • TOP 10 USED VENDORS - Displays the top ten vendors used.
  • Top 100 Products, Vendors Types by used count - Displays the top 100 products and the type of vendors used.

About endpoint software details

The Endpoint Software Details screen a detailed table of your endpoint software checks. BIG-IQ supports the following features:

  • Local Time - Displays the local timestamp when the endpoint check took place.
  • Hostname - Displays the BIG-IP system from which the endpoint check originates.
  • Cluster - Displays the BIG-IP APM cluster.
  • Session ID - Click the session ID to open the Session Details screen, displaying session details and session variables.
  • Product Name - Displays the name of the product with endpoint software.
  • Vendor Name - Displays name of the vendor who supplies the product.
  • Version - Displays the product version.
  • User Name - Displays the logon name used to perform the endpoint check.
  • Client OS - Displays the operating system where the endpoint check originates.
  • Continent - Displays the continent where the endpoint check originates.
  • Country - Displays the country where the endpoint check originates.
  • State - Displays the state or province where the endpoint check originates.

Managing federation reports

Running OAuth reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with OAuth provisioned on it can provide data for OAuth reports.
You can create OAuth reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ® Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth .
  4. Select Authorization Server, Client, or Resource.
    A Summary report (for all devices and a default timeframe) starts to generate and display.
  5. From the left, select any report that you want to run.
  6. From the ACCESS GROUP/DEVICE list at upper left, select Managed Devices or select one or more of these options:
    • <Access group name> - Select to include all devices in the Access group.
    • <Cluster display name> - Select to include the devices in the cluster.
    • <Device name> - Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
  7. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Monitoring the OAuth server performance

The Authentication Server Summary screen shows several charts that you can use to track the health of your authorization server role. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth > Authorization Server > Server Performance .
    The Authorization Server Peformance screen opens.
  4. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. From the AUTHORIZATION SERVER list, select an OAuth authorization server.
  7. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Monitoring the OAuth token summary

The Token Summary screen shows several charts that you can use to track the health of your OAuth tokens. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > OAuth > Authorization Server > Tokens .
    The Authorization Server Peformance screen opens.
  4. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  5. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  6. From the AUTHORIZATION SERVER list, select an OAuth authorization server.
  7. From the GRANT TYPE list, select an OAuth2 grant type.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running SAML reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.
You can create SAML reports for Access groups, clusters (in Access groups), or devices that you select from the Access groups and clusters (in Access groups) on the BIG-IQ® Centralized Management system.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML .
  4. Select SP Summary or IdP Summary.
    A Summary report (for all devices and a default timeframe) opens, displaying chart data for assertions over time, the top SPs or IdPs with successful assertions, the top client IP addresses, the top subject values with successful assertions, and the top SP or IdPs with failed assertions.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.
  9. To view the successful SP assertions, click Assertions Success.
    The Successful Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with successful assertions.
  10. To view the failed SP assertions, click Assertions Failed.
    The Failed Assertions screen opens, displaying data and statistics for the top 10 client IP's, platform distribution, geolocation distribution, subject values and SPs with failed assertions.

Running SP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML .
  4. Select SP Summary > SP Assertions Report .
    The SP Assertions screen opens, displaying a table with assertion information.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running SP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML .
  4. Select SP Summary > SP Error Report .
    The SP Errors screen opens, displaying a table with error reports.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the SP list, select a service provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running IdP assertion reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdPs assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML .
  4. Select IdP Summary > IdP Assertions Report .
    The IdP Assertions screen opens, displaying a table with assertion information.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the IdP list, select an identity provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Running IdP error reports

For Access to have report data for a device, the device must have been added to the BIG-IQ® Centralized Management system, discovered, and had the Access remote logging configuration run for it.Only a device with SAML provisioned on it can provide data for SAML reports.

The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, click Monitoring.
  3. On the left, select DASHBOARDS > Access > Federation > SAML .
  4. Select IdP Summary > IdP Error Report .
    The IdPs Errors screen opens, displaying a table with error reports.
  5. From the ACCESS GROUP/DEVICE list at upper left, select All Managed Devices or or one of the session-specific options.
  6. From the TIMEFRAME list, specify a time frame:
    • Select a predefined time period - These range from Last hour to Last 3 months.
    • Set a custom time period - Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
  7. From the IdP list, select an identity provider.
  8. To save report data in a comma-separated values file, click the CSV Report button.
    A CSV file downloads.

Troubleshooting Access reporting

Overview: About troubleshooting Access reports

Access in the F5® BIG-IQ® Centralized Management monitoring dashboard displays statistics for applications and users that are managed by the BIG-IP® system. In some cases, data is missing in the dashboard. Missing data can include log message reports and session reports. You can troubleshoot this issue by doing the following tasks:

  • Make sure the Elastic Search Cluster health status is operational.
  • Active the Access service.
  • Enable remote logging.
  • Make sure the BIG-IP device is communicating to the data collection device.
  • Recover any missing user names in the Sessions report and the Log Message report.
  • Resolve unassigned cluster shards.

Check data collection device health

You can use the BIG-IQ® Data Collection Device Settings screen to review the overall health and status of the data collection devices you've configured. You can use the data displayed on this screen both before and after an upgrade to verify that your data collection device (DCD) cluster configuration is as you expect it to be.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. Inspect the DCD cluster details listed in the Summary and Configuration areas.
    Sub-screen What details are provided here?
    Status Look here for information about the current state of the cluster.
    Nodes Look here for information about the current state of the cluster nodes.
    Indexes Look here for information about the current state of the cluster indexes.
    Shards Look here for information about the current state of the cluster shards.
    Cluster Settings Displays information for the DCD cluster configured for this device.
    External Storage & Snapshots Displays summary information about the external storage location used to keep the backup snapshots you create for the DCD cluster configured for this device.
    Logging Data Collection Displays summary information for the event and alert log indices that have been configured for this DCD.
    Statistics Data Collection Displays details about the statistics data stored on this DCD.
    This information provides a fairly detailed overview that describes the DCD cluster you have created to store data. After you complete an upgrade, you can check the health to verify that the cluster restored successfully.

Enable remote logging

Before you can configure remote logging for Access, you must first:
  • Discover BIG-IP devices that are provisioned with the APM service.
  • Configure one or more BIG-IQ data collection device.
Devices that you configure for remote logging send Access reporting and SWG log report data to the BIG-IQ Data collection device for storage and management.
  1. At the top of the screen, select Monitoring.
  2. Click DASHBOARDS > Access > Remote Logging Configuration .
    The Remote Logging Configuration screen displays.
  3. From the HostName list, select the BIG-IP device for which you want to enable remote logging.
    The Configure button, once greyed out, becomes available.
  4. Click Configure.
BIG-IQ Access sets up remote logging for the selected BIG-IP device. If an error occurs during the configuration, the Status field displays a message.

Check data collection device communication with the BIG-IP system

After checking the data collection device (DCD) health, activating relevant DCD services, and enabling remote logging, your F5® BIG-IQ® Centralized Management monitoring dashboard is still missing data such as log message reports and session reports. If this happens, the DCD might have routing issues with the BIG-IP system.
  1. In your UNIX shell, type ping <Listener Address>
    Make sure BIG-IQ can communicate to the listener address on the DCD.
  2. If the ping returns successfully, make sure the BIG-IP system can communicate with the listener by typing telnet <listener address> <listener port>.
  3. If the telnet also returns successfully, use a tcpdump to check if the BIG-IP system sent out logs. Type tcpdump -nvvv -i any -c 10000 -A 'port<listener port>'.
    The tcpdump displays some log messages sent to the listener on the DCD.
  4. If the tcpdump does not display any data, restart tmm apmd on the BIG-IP devices by typing bigstart restart tmm apmd.
  5. If log messages and session reports are displaying in the dashboard reports, but the user name column is missing in the log messages, the BIG-IP system stopped sending apmd log messags. To fix this issue, type bigstart restart apmd.

Resolve unassigned cluster shards

An elastic search data cluster displays a color (red, green, or yellow) indicating the current status. A working cluster displays either a green state, or a yellow state if there is only one data collection device (DCD). A red status can indicate that one or more cluster shards are not assigned to the cluster, and can result in missing data in a report or failure to incorporate new incoming logs. Follow these steps to troubleshoot this issue.
  1. From the TMSH command line, type restcurl http://localhost:9200/_cluster/health.
    The command line displays information on the cluster health. If the status output displays "red" and the unassigned shards output displays a number greater than zero, the issue might be the unassigned shards. However, if you have only one DCD, there are always unassigned shards because of replica shards and the lone log node. In this case, the status displays "yellow" and no action is needed.
  2. If the status output is red and there are unassigned shards, the from the TMSH command line, type curl "http://localhost:9200/_cat/nodes?v&h=host,ip,node.role,disk,name".
    The command line displays node information.
  3. From the command line output, find the nodes with type d in the node.role column to identify the data nodes.
  4. From the disk column, find the data node with the largest available disk space and note the node name in the name column..
  5. Allocate the unassigned shards to the data node with the largest available disk space by saving the following code in the script file es_fix_unassignedshards.sh in your local BIG-IQ folder.
    HOST=localhost
    PORT=9200
    TO_NODE=$1
     
    curl "http://$HOST:$PORT/_cat/shards" | grep UNAS | awk '{print $1,$2}' | while read var_index var_shard; do
     curl -XPOST "http://$HOST:$PORT/_cluster/reroute" -d "
        {
          \"commands\" : [
            {
              \"allocate\" :
                {
                  \"index\" : \"$var_index\",
                  \"shard\" : \"$var_shard\",
                  \"node\" : \"$TO_NODE\",
                  \"allow_primary\" : true
                }
            }
          ]
        }";
     
       sleep 5;
    done
                      
  6. Run the script by typing in the command line ./es_fix_unassigedshards.sh <<node name>>.
The cluster status should display green.