Applies To:Show Versions
BIG-IQ Centralized Management
About audit logs
You use audit logs to review changes in the BIG-IQ® system. All BIG-IQ system roles have read-only access to the audit log, and can view and filter entries. Any user with the appropriate privileges can initiate an action.
You view audit logs by selecting Audit Logging from the BIG-IQ menu, and then selecting the appropriate service option from the list on the left.
To view or change the audit log archive settings, click the Archive Settings button on the Audit Logging screen. Archived audit log files are stored in the archive-audit.n.txt file in the appropriate subdirectory of the /var/config/rest/auditArchive directory on the BIG-IQ system:
All API traffic on the BIG-IQ system, and every REST service command for all licensed modules, is logged in a separate, central audit log (restjavad-audit.n.log) which is located in /var/log on the BIG-IQ system.
Considerations when using the audit log
When using the audit log, consider the following:
- The audit log does not record an entry for every generation of a task. It only records an entry when the task status changes.
- When an object is deleted and then recreated with the same name, partition, and other information, the difference between those objects may show the deleted object as being the previous generation of the new object.
- By default, not all columns are displayed by the audit log to conserve space. To review what columns are displayed, click the gear icon in the upper right of the Audit Logging screen.
Actions and objects that generate audit log entries
BIG-IQ® records in the audit log all user-initiated changes that occur on the BIG-IQ system. A change is defined as when certain objects are modified, when certain tasks change state, or when certain user actions are performed. For example, when the admin account is used to log in to the BIG-IQ system, the audit log records the time, the user (admin), the action (New) and the object type (Login). The log does not include changes that occurred on BIG-IP® devices that were imported.
Changes to working-configuration objects generate audit log entries. In addition, these actions generate log entries:
- Creating or deleting a user account.
- Users logging in and logging out, including when the user is logged out due to inactivity.
- Creating or cancelling a device discovery or a device reimport.
- Creating a Network Security Change Verifications action to verify the changes to a specific BIG-IP device or group.
- Deleting a previously discovered device.
- Creating or deleting a deployment task.
- Creating a difference task.
- Creating, restoring, or deleting a snapshot.
- Editing some system information (such as editing a host name, a root password, a DNS entry, or an SNMP entry).
Audit log entry properties
The audit log displays the following properties for each log entry.
|Source||IP address of the client machine that made the change.
This property is blank for actions that were initiated by an internal process. For example, when a user invokes a deployment action, the deployment action then invokes a difference task to find the differences between the current configuration and the one to be deployed. The difference task has no Source IP address.
|Service||Indicates whether the change was made by the internal object synchronization
service. This service synchronizes shared objects, such as virtual servers, from the
Local Traffic & Network service to the Network Security or Web Application
|Time||Time that the event occurred. The time is the BIG-IQ system local time and is expressed in the format: mmm dd, yyyy hh:mm:ss (time zone); for example: Apr 19, 2016 13:09:03(EDT).|
|Node||Fully qualified domain name for the BIG-IQ system that recorded the event. This appears as the Hostname at the top of the BIG-IQ user interface.|
|User||Name of the account that initiated the action, such as an account named Admin for an administrative account.|
|Action||Type of modification. For operation changes, the action types include New, Delete, and Modify. For task changes, the action types include Start, Finish, Failed, and Cancelled.|
|Object Name||Object identified by a user-friendly name; for example: newRule1, deploy-test, or Common/global. When the name RootNode is listed, that indicates that the object is associated with a BIG-IP device. RootNode is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.|
|Changes||Indicates whether there was a change in the object. If View occurs in this column, there is a change to the object. To view the detailed differences of the change, click View.|
|Object Type||Classification for this action. When the type Root Node is listed, that indicates that the object is associated with a BIG-IP device. Root Node is typically seen when creating, deleting or updating log profiles, service policies, or firewall policies.|
|Parent||The administrative partition and name of the parent object. This property is displayed for firewall rules, logging profiles, and DoS profiles. For firewall rules, the parent shows the rule list, firewall, or policy that contains the rule. A change in a firewall rule often also affects the rule's parent object.|
|Parent Type||Class or group of the parent object.|
|Version||Version of the configuration object. Typically, when a configuration object changes, the version is increased by 1. However, other audit entries, such as those for finishing snapshot creation or finishing deployment, may increase the version by more than 1.|
Viewing audit entry differences
- Log in to BIG-IQ® system with Administrator or Security Manager credentials.
- Select Audit Logging from the BIG-IQ menu, and then from the list on the left, click the option from which to view audit entries.
To display differences for an object, click View in the
A popup screen opens, showing two columns that compare the differences between the two generations of the object in JSON. In these columns, additions to an object generation are highlighted in green, and differences are highlighted in gold.If the system cannot retrieve a generation of an object, the column displays either Generation Not Available or Generation No previous generation. Object information may not be available if it has been automatically purged from the system to conserve disk space, or if it has been deleted.The JSON difference displayed for a delete entry in the audit log shows the JSON difference from the previous operation because the generation identifier is not incremented when an object is deleted.
- When you are finished, click Close on the popup screen to return to the Audit Logging screen.
Filtering entries in the audit log
- Filtering is text-based.
- Filtering is not case-sensitive.
- You can use wild cards, or partial text.
- All BIG-IQ® roles can filter entries.
- To clear the filter, click the X to the right of the search string in the Filtered by field on the left.
- Log in to BIG-IQ system with Administrator or Security Manager credentials.
- Select Audit Logging from the BIG-IQ menu, and then, on the left, click the area from which to view audit entries.
Use the Filter field to narrow your search:
- Use the arrow key to the left of the field to select the appropriate filter options.
- Type the information specific to the object you want to filter on.
- Press Enter.
Option Description All Specifies that all objects should be filtered using the filter text. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it. Source Type the source IP address in the filter. When this option is used, both the user-visible and the underlying data are searched for a match, so you may see matches to your filter text which do not appear to match it. Using this option is equivalent to using the All option. Time Type both a date and a time. Displayed times are given in the local time of the BIG-IQ system. Supported time formats are highly Web browser-dependent. Time formats other than those listed might appear to filter successfully but are not supported. Entering a single date and time results in a filter displaying all entries from the specified date and time to the current date and time.
For time formats that use letters and numbers, enter the date time in one of the following formats:
- mmm dd yyyy hh:mm:ss. Example: Jan 7 2014 8:30:00
- mmm dd, yyyy hh:mm:ss (time zone). Example: Apr 28, 2016 13:09:03(EDT)
- mmm dd, yyyy. Example: Apr 28, 2016
- mmm dd, yyyy hh:mm:ss. Example: Apr 28, 2016 16:09:06
- ddd mmm dd yyyy hh:mm:ss. Example: Thu Jan 16 2014 11:13:50
For time formats that use only numbers, enter the date time in one of the following formats:
- mm/dd/yy hh:mm:ss. Example: 01/01/16 12:14:15
- m/d/yy hh:mm:ss. Example: 1/1/14 12:14:15
- mm/dd/yyyy hh:mm:ss. Example: 1/1/2014 12:14:15
Node Type the node name in the filter. User Type the user account name in the filter. Action: Operation Type the operation action name in the filter. Operation actions include: New, Delete, and Modify. Action: Task Status Type the task status action name in the filter. Task status actions include: Start, Finish, Cancelled, and Failed. Object Name Type the full or partial name of the object in the filter. If a partition name is displayed, do not include it in the filter. For example, Common/AddressList_4 would be entered as AddressList_4. Because the device-specific object name includes the BIG-IP® host name, you can enter a full or partial device name to get all objects for a specific BIG-IP device. Object Type Type the object type in the filter. Parent Type the parent name in the filter. Only appears for rules to show the rule list, firewall, or policy that contains the rule. Parent Type Type the Parent Type name in the filter. Only appears when the Parent field contains a value. Contains Specifies that the filter text is contained within the object specified. When you select Contains:
- If the filter text is a string, the filter text matches an entire string or only a part of a string.
- If the filter text is an IP address, the filter text matches an IPV4 or IPV6 address that is the same as the filter text, or matches an IPV4 address range or subnet that includes the filter text. IPV6 addresses can not be found within a range or subnet.
- If the filter text is a port number, the filter text matches a port number that is the same as the filter text, or matches a port number range that includes the filter text.
Exact Specifies that the filter text is exactly contained within the object specified. When Exact is selected:
- If the filter text is a string, the filter text matches only the entire string.
- If the filter text is an IP address, the filter text matches only an IPV4 or IPV6 address that is the same as the filter text.
- If the filter text is a port number, the filter text matches only a port number that is the same as the filter text.
Customizing the audit log display
You can customize the audit log display to assist you in locating information faster.
- To customize the order of columns displayed, click any column header and drag the column to the location you want.
- To sort by column, click the name of the column you want to sort. Not all columns can be sorted. When sorting items in the Object Name column, partition names are ignored. For example, the object name Common/rule1 would be sorted without the common partition name, as if it were named rule1.
- To resize columns, click the column side and drag it to the preferred location.
- To select what columns are displayed, click the gear icon in the upper right of the Audit Logging screen. In the popup screen, select columns you want to display and clear columns you do not want to display. Move your cursor away from the screen to dismiss it.
Managing audit log archive settings
- Log in to BIG-IQ system with Administrator or Security Manager credentials.
- Select Audit Logging from the BIG-IQ menu.
- Click the Archive Settings button in the upper left of the Audit Logging screen to display the audit log settings.
Complete or review the properties and status settings, and click
Property Description Retain Entries Specifies the number of days to keep audit log entries. The field must contain an integer between 1 and 366. The default is 30. Weekly Update Specifies which days of the week to update the audit log. Select the check box to the left of each day that you want the audit log to be updated. The default is every day. Start Time Specifies when the audit archiving should begin. The default is 12:00 am. Items Expired Displays the read-only number of entries that have expired. Last Error If an error has occurred, displays the read-only error text for any errors found. Last Error Time If an error has occurred, displays a read-only value that contains the time the last error was found. The time in the field is the BIG-IQ system local time and is expressed in the format: ddd mmm dd yyyy hh:mm:ss, for example, Fri Jan 17 2014 23:50:00.
About archived audit logs
You can view or change how audit logs are archived by clicking the Archive Settings button on the Audit Logging screen.
Archived audit log files are stored in the archive-audit.n.txt file in the appropriate subdirectory of the /var/config/rest/auditArchive directory on the BIG-IQ® system:
- Network Security audit log: /var/config/rest/auditArchive/networkSecurity/
- Web Application Security audit log: /var/config/rest/auditArchive/webAppSecurity/
- Fraud Protection Service audit log: /var/config/rest/auditArchive/websafe/
- Local Traffic and Network audit log: /var/config/rest/auditArchive/adc/
- Device Management audit log: /var/config/rest/auditArchive/device/
Audit entries are appended to the archive-audit.0.txt file. When the archive-audit.0.txt file reaches approximately 800 MB, the contents are copied to archive-audit.1.txt, compressed into the archive-audit.1.txt.gz file, and a new empty archive-audit.0.txt file is created, which then has new audit entries appended to it.
Up to five compressed archived audit files can be created before those files begin to be overwritten to conserve space. The compressed audit log archive is named archive-audit.n.txt.gz, where n is a number from 1 to 5. As the audit log archives are created and updated, the content of the archives is rotated so that the newest archive is always archive-audit.1.txt.gz and the oldest is always the highest numbered archive, typically, archive-audit.5.txt.gz.
The file content rotation occurs whenever archive-audit.0.txt is full. At that time, the content of each rchive-audit.n.txt.gz file is copied into the file with the next higher number, and the content of archive-audit.0.txt is copied into archive-audit.1.txt and then compressed to create archive-audit.1.txt.gz. If all five archive-audit.n.txt.gzfiles exist, during the rotation the contents of archive-audit.5.txt.gz are overwritten, and are no longer available.
About audit logs in high-availability configurations
In high-availability (HA) configurations, there is a primary and secondary BIG-IQ® system. During failover, the audit log entries and the audit archive settings are copied from the primary to the secondary system before the secondary system becomes the new primary system.
However, archived audit logs are not copied from the primary to the secondary BIG-IQ system.
About the REST API audit log
The REST API audit log records all API traffic on the BIG-IQ® system. It logs every REST service command for all licensed modules in a central audit log (restjavad-audit.n.log) located on the system.
Any user who can access the BIG-IQ system console (shell) has access to this file.
Managing the REST API audit log
- Using SSH, log in to the BIG-IQ Network Security system with administrator credentials.
- Navigate to the restjavad log location: /var/log.
Examine files with the naming convention:
The letter n represents the log number.
- Once you have located it, you can view or save the log locally through a method of your choice.