You can view Web Application Security event logs to obtain useful insights regarding activity on applications and servers. The BIG-IQ^® Centralized Management platform enables a single view of all filters and log entries (and details for each entry) from multiple BIG-IP^® devices.

The event log interface consists of two filter fields and three screens:

• Filter fields:
  • Selected devices filter. This filter appears below the Event Logs header. You can use it to select one or more devices for event viewing.
  • Filter field. Appears to the right of the selected devices field. You can use it to type text to rapidly narrow the search scope. You can also save filters that you use often.
• Screens:
  • Devices. At the far left, use this to select a group of requests, policies, saved filters, or pre-configured tags. The object you select determines the set of items that appears in the next screen.
  • Log items. Use this to browse log items, or select one and view log item details.
  • Details. Displays details of the item selected in the Log items screen.

1. Click Monitoring > EVENTS > Web Application Security > Events .
2. Click a single event log.
   The Details screen displays a variety of information about the event.
3. On the Details screen, click Request to view request details.
   Details include:

   • Raw HTTP[S] request
   • General request details
   • Geolocation
   • Policy details
   • List of related tags
4. Click Response to view response details.

1. Click Monitoring > EVENTS > Web Application Security > Events .
2. To update log items according to a selected filter (such as Requests or Policies), click any item under Requests or Policies.

1. Click Monitoring > EVENTS > Web Application Security > Events .
2. In the Filter field, click the triangle to the right of the field.
   The Search filter popup screen opens to the basic view, which is the default.
3. Complete the fields.

   Setting	Description
   Request type	Type a request type or select from the list All requests or Illegal requests (log responses for illegal requests only).
   Support ID	Type the complete support ID (unique ID given for a transaction), or select the Last 4 digits check box and type the last 4 digits of the support ID.
   Violation	Use this list to select the policy violation that detects attacks, such as Attack Signature Detection or Illegal Cookie Length. You can select a violation type from the list or you can select none of the violations (indicating that any violation type matches).
   Attack type	Use this list to select the type of service attacks (such as Denial of Service or HTTP Parser Attack) that you want to see. Select nothing (indicating that any attack type matches), or select a specific attack type.
   Time Period	In the From and To fields, type a date and time in the format: 2015-12-01T15:15:29-05:00. Or click the calendar icon and select dates.
   Policies	In the field, type a policy name, or click in the field and, from the list, select a policy.

4. Click the Search bar.
   The results of the filtering process appear in the Log Items list.
5. When you have configured a search that you will use repeatedly or frequently, click Save the current filter, type a filter name, and click Save.
   The saved filter appears in the left panel under Saved filter.

1. Click Monitoring > EVENTS > Web Application Security > Events .
2. Open the Filter field.
   The Search filter popup screen opens to the basic view, which is the default.
3. Click Advanced.
4. Complete the fields.

   Setting	Description
   Method	From the list, select a method.
   Protocols	From the list, select HTTP or HTTPS, depending on the security requirements.
   Severity	From the list, select Informational, Critical, or Error.

5. Click the search bar.
   The results of the filtering process appear in the Log Items list.
6. When you have configured a search that you will use repeatedly or frequently, click Save the current filter, type a filter name, and click Save.
   The saved filter appears in the left panel under Saved filter.

1. Click Monitoring > EVENTS > Web Application Security > Events .
2. In the Filter field, type a query in ODATA format.
3. Type a key from the following list:

   Key	Description
   attack_type	Name of identified attack (string). For example: Non-browser client.
   date_time	Current date and time. For example: 2016-09-19 13:52:29
   dest_ip	Requested service IP address, generally, the virtual server IP address. For example: 192.168.5.11.
   dest_port	Destination port of this transaction (non-negative integer). For example: 80.
   geo_location	Country/city location information, based on the source IP address. For example: USA/NY.
   headers	List of request headers found in request logs. For example: Host: myhost.com; Connection: close.
   http_class_name	Alias of policy name. For example: /Common/topaz4-web4.
   ip_address_intelligence	List of IP intelligence categories found for an IP category such as proxy, phishing and so on. For example: Scanners.
   ip_client	Client source (attacker) IP address. For example: 192.168.5.10.
   management_ip_address	BIG-IP® management IP address.
   method	HTTP method requested by the client. For example: GET.
   policy_apply_date	Last apply policy operation date and time.
   policy_name	Name of the active security policy. For example: ACME security policy.
   protocol	Transport protocol (string). For example: HTTP.
   query_string	URI query string. For example: /.
   request	Request string sent by the client. For example: GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n.
   request_status	Action applied to the client request. For example: Blocked.
   response_code	The HTTP response code returned by the back-end server (application). This information is relevant only for requests that are not blocked. For example: 200.
   route_domain	Route domain number (non-negative integer). For example: 0.
   session_id	ID number (hexadeicmal number) assigned to the request to allow the system administrator to track requests by session. For example: a9141b68ac7b4958.
   severity	Severity category to which the event belongs. For example: Error.
   sig_ids	Signature ID number (positive non-zero integer). For example: 200021069.
   sig_names	Signature name(s). For example: Automated client access %22wget%22.
   src_port	Client protocol source port of this transaction (non-negative integer). For example: 52974.
   sub_violations	Comma-separated list of sub-violation strings. for example: Bad HTTP version, Null in request.
   support_id	Internally-generated integer to assist with client access support. For example: 18205860747014045721.
   unit_hostname	BIG-IP system FQDN (unit host name).
   uri	URI requested by the client (string). For example: /.
   username	User name for the client session. For example: admin.
   violations	Comma-separated list of the violations that occurred during enforcement of the request or response. For example: Attack signature detected.
   virus_name	Virus name (string). For example: Melissa.
   x_forwarded_for_header_value	Value of the XFF HTTP header (string). For example: 192.168.5.10

4. Type an operator from the following list:

   Operator	Description
   eq	Equal
   ne	Not equal
   lt	Less than
   le	Less than or equal to
   gt	Greater than
   ge	Greater than or equal to

5. Type a value in any of the following formats:
   • 'value'. For example: policy_name:'/Common/policy1'
   • '*alue'. For example: policy_name:'*Common/policy1'
   • 'alu*'. For example: policy_name:'Common/policy*'
   • '*ue*'. For example: policy_name:'policy*'
6. Press Enter or click the search icon to start the search.