Applies To:Show Versions
BIG-IQ Centralized Management
About firewall audit logs and the viewer
BIG-IQ®Network Security records all user-initiated firewall policy changes that occur on the BIG-IQ system in the firewall audit log. It does not include changes that occurred on BIG-IP® devices that were imported. A firewall policy change occurs in the working configuration when certain objects change, when certain tasks change state, or when certain user actions are performed.
Each change logged in the audit log can be viewed using the firewall audit log viewer. You access the audit log viewer by selecting. You can also view or change the firewall audit archive settings from the audit log viewer. The Network Security archived audit log files are stored in the /var/config/rest/auditArchive/networkSecurity directory on the BIG-IQ system.
All API traffic on the BIG-IQ system and every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log).
Web Application Security audit information is viewed by selecting.
About firewall audit log entry generation
The following firewall policy changes generate firewall audit log entries:
- Changes to the following working configuration objects when they are created, modified, or
- Rule lists
- Address lists
- Port lists
- Notification rules
- DoS profiles
- Logging profiles
- Route domains
- Virtual servers
- Self IPs
- Changes in the following tasks and user actions, including tasks changing state to Start,
Finish, Fail, Cancel, or Cancel Request:
- Creating or deleting a user account.
- Users logging in and logging out, including when the user is logged out due to inactivity.
- Creating or cancelling a device discovery or a device reimport.
- Creating a Change Verifications action to verify the changes to a specific BIG-IP® device or group.
- Deleting a previously discovered device.
- Creating or deleting a deployment task.
- Creating a difference task.
- Creating, restoring, or deleting a snapshot.
- Editing some system information (such as editing a hostname, a root password, a DNS entry, or an SNMP entry).
About firewall audit logs and high-availability
In high-availability (HA) configurations, each node maintains its own audit log. Audit log entries are not synchronized after the HA configuration is established from the primary to the standby system.
Archives are configured separately on each node.
About archived firewall audit logs
You can view or change the firewall audit archive settings from the audit log viewer. The Network Security archived audit log files are stored in the /var/config/rest/auditArchive/networkSecurity directory on the BIG-IQ system.
Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt is created, which then has new audit entries appended to it.
Up to 5 compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives are rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest numbered archive, typically, archive-audit.5.txt.gz.
The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each archive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all 5 archive-audit.n.txt.gz files exist, during the rotation the contents of archive-audit.5.txt.gz is overwritten and is no longer available.
Firewall audit log entry properties
The firewall audit log viewer displays the following properties for each log entry.
|Client IP||IP address of the client machine that made the change.
This is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Client IP.
|Time||Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: ddd mmm yyyy hh:mm:ss; for example: Fri Jan 17 2014 23:50:00 .|
|Node||FQDN for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.|
|User||User who initiated the action. This is the name of the account with the Administrator or Security_Manager role that was used to log in. Users with other roles can view the audit log.|
|Action||Type of modification. For working-config (WC) changes, the action types include New, Delete, and Update. For task-type operations, the action types include Start, Finish, Fail, Cancel, and Cancel Request.|
|Object Name||Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. This entry is also a link; click the link to show the JSON structure for the object.|
|Object Type||Classification for this action. WC stands for a change in the working configuration, or working-config. Task is an operation performed by the BIG-IQ system, such as a snapshot or deployment operation.|
|Parent||Displayed for rules, logging profiles, and DoS profiles. For rules, the parent shows the rule list, firewall, or policy that contains the rule. This is the administrative partition and name of the parent object. A change in any rule often also affects the rule's parent object.|
|Parent Type||Class or group of the parent object. WC in this column indicates that the parent object is in the working configuration, or working-config.|
|Version||Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.|
Locating the firewall audit log using SSH
- To examine audit logs using SSH, log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
- Navigate to the audit log location: /var/config/rest/auditArchive/networkSecurity.
Examine files with the naming convention: archive-audit.n.txt.
In the file name, n represents the log number.
- Once you have located the logs, you can view or save the log locally through a method of your choice.
About the firewall audit log viewer
The firewall audit log viewer retrieves entries from the audit log for display in the BIG-IQ® Network Security system interface.
You access the audit log viewer by selecting.
The audit log viewer is not updated dynamically. To update the display and see new entries, click Refresh in the upper right. All BIG-IQ Firewall Security roles have read-only access, and can view and filter entries. Only users with the role of Administrator or Security_Manager can modify audit log configuration settings.
Customizing the audit log viewer display
The firewall audit log viewer allows you to customize the display so you can locate entries faster.
- To customize the columns displayed, hover in any column header and right-click to display the column picker. Select or clear the check boxes to display or hide columns.
- To customize the order of columns displayed, click any column header and drag-and-drop the column to the desired location.
- To sort by column, click on the column you want to sort by. The default sorting order is by time, newest to oldest.
- To resize columns, hover in the table header until the controls are visible and use them to resize the columns.
Customized displays persist for a single session. The display is reset to the default when you log out.
Viewing differences in the viewer
- Log in to BIG-IQ Network Security with Administrator or Security_Manager credentials.
- Below Network Security, click Audit Log to display the viewer.
To display differences between object generations, click an object in the
Object Name column,which open the Difference Viewer.
Areas of differences are highlighted in gold. Additions to a generation are highlighted in green. Textual JSON appears for each difference found.If a generation of an object cannot be retrieved, Generation Not Available is displayed in the column. Object information may not be available if it has been automatically purged from the system to conserve disk space or if it has been deleted.The JSON difference displayed for a delete entry in the audit log shows the JSON difference from the previous operation because the generation identifier is not incremented when an object is deleted.
- When you are finished, click Close.
Filtering entries in the viewer
- Filtering is text-based.
- Filtering is not case-sensitive.
- Wild cards, or partial text, can be used in a filter.
- To clear the filter, click the X at the end of the search string under the Filter field.
- All BIG-IQ® Network Security roles can filter entries.
- Log in to BIG-IQ Network Security.
- Below Network Security, click Audit Log
In the Filter field, type the information specific to the object you want to
filter on, and press Enter.
Option Description Client IP Type the client IP address in the filter.
Note that when a task is not initiated by a user, the entry in the Client IP column is blank.
Time Type both a date and a time. Displayed times are given in the local time of the BIG-IQ system. Supported time formats are highly Web browser-dependent. Time formats other than those listed might appear to filter successfully but are not supported. Entering a single date and time results in a filter displaying all entries from the specified date and time to the current date and time.
For time formats that use letters and numbers, enter the date time in one of the following formats:
- mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
- ddd mmm dd yyyy hh:mm. Example: Thu Jan 16 2014 11:01
- ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50
You can filter on a date/time range by entering beginning and ending dates/times in one of the supported formats, separated by a hyphen. Example: jan 21 2014 11:04-jan 21 2014 11:05.
For time formats that use only numbers, enter the date time in one of the following formats:
- m/d hh:mm:ss. Example: 1/1 12:14:15
- mm/dd hh:mm:ss. Example: 01/01 12:14:15
- m/d hh:mm. Example: 1/1 12:14
- m/d h:mm. Example: 1/1 2:14
- mm/dd hh:mm. Example: 01/01 12:14
- mm/dd/yy hh:mm:ss. Example: 01/01 12:14:15
- m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
- mm/dd/yy hh:mm. Example: 01/01/14 12:14
- m/d/yy hh:mm. Example: 1/1/14 12:14
- mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15
You can filter on a date/time range by entering beginning and ending dates/times in one of the supported formats, separated by a hyphen. Example: 1/1 12:14:15-1/1 12:14:18.
Node Type the node name in the filter. User Type the user name in the filter. Action Type the action in the filter. Object Name Type the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4. Because the device-specific object name includes the BIG-IP® hostname, you can enter a full or partial device name to get all objects for a specific BIG-IP device.
Note that entries in the Object Name column are links to the JSON representing the object. If the object does not have a name, the system places a dash in the column. The dash is also a link to the JSON.
Object Type Type the object type in the filter. Note that WC stands for working configuration. Parent Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule. Parent Type Type the Parent Type name in the filter. Only appears when the Parent field contains a value. Version Type the version number in the filter.
Setting firewall audit log archival properties in the viewer
- Log in to BIG-IQ® Network Security.
- Below Network Security, click Audit Log.
- Click Settings in the upper right of the Audit Log screen to display the audit log settings.
Complete or review the properties and status settings, and click
Property Description Days to keep entries Used to specify the number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30. Check expiration at this time Used to specify the hour and minute on the BIG-IQ system when the expiration of audit entries will be checked. Click in the field to view and edit the time using the Choose Time dialog box. Adjust the Hour and Minute sliders to reflect the desired hour and minute, and then click Done. Next run time Displays a read-only value that indicates the next time entries will be archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. Last run time Displays a read-only value that indicates the last time entries were archived. The time is in the BIG-IQ system local time and is expressed in the format: ddd mmm yyyy hh:mm:ss. Example: Tue Jan 28 2014 02:50:00. Entries expired at last run time Displays the number of entries that expired. Last Error Displays a read-only value that contains either the message No error or the error text for any errors found. Last Error Time Displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss
Example: Fri Jan 17 2014 23:50:00.
About the REST API audit log
The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ Network Security console (shell) has access to this file.
Managing the REST API audit log
- Using SSH, log in to the BIG-IQ Network Security system with administrator credentials.
- Navigate to the restjavad log location: /var/log.
Examine files with the naming convention:
The letter n represents the log number.
- Once you have located it, you can view or save the log locally through a method of your choice.