Manual Chapter : Logging Events in BIG-IQ Web Application Security

Applies To:


BIG-IQ Security

  • 4.4.0

About event logs

Viewing the event logs with BIG-IQ Web Application Security makes browsing of system event logs easier, and provides a way to obtain useful insights regarding the activity on applications and/or servers. It also enables the viewing of logs from multiple BIG-IP devices.

You can also view logs through the BIG-IP system interface. However, the BIG-IP system interface shows logs for one BIG-IP device only, and the current presentation has many nested views and complex filters. Thus, it is difficult to obtain a complete picture. The presentation on Web Application Security provides a single view of all the filters, log entries, and details for each entry. This provides a more intuitive navigation path through the log items.

To determine which events are logged, you must set up a logging profile on the BIG-IP system. The logging profile directs the security events to a BIG-IQ Logging Node, and the BIG-IQ system retrieves them from that node.

About installing the BIG-IQ Logging Node

A BIG-IQ Logging Node (also known as an ASM Logging Node) is a specially-provisioned BIG-IQ system, running the same software build as the BIG-IQ device where you manage your security policies. One or more BIG-IP systems send their logging events to a Logging Node, and the BIG-IQ system can retrieve logging events from one or more Logging Nodes.

To install a BIG-IQ Logging Node, you provision a standard BIG-IQ system as a Logging Node (by allowing the log listener service, TCP port 8514, on a self IP address and expanding the size of the file system that holds the log files), and then upgrade the Logging Node software to the same build that is running on its BIG-IQ partner.

Provisioning the Logging Node

You use the Config utility and tmsh commands to provision the Logging Node with a management IP address, a self IP address, and various network parameters.
  1. The BIG-IQ VE or BIG-IQ 7000 device is shipped with a default management IP address of 192.168.1.245. To change this, connect to the console of the device and invoke the Config utility. For example:

       [root@bigiq1:Active] config # config

     The Config utility is a GUI-like interface on the command line. It guides you through the process of setting these parameters:
    • Management IP Address
    • Netmask for that address
    • Default Route for the Management IP Address
  2. Test the management IP address by connecting to it with SSH. Use the root account and its default password, default. For example:

       juser@bench2:~/$ ssh root@192.168.25.61
       The authenticity of host '192.168.25.61 (192.168.25.61)' can't be established.
       RSA key fingerprint is 8c:0a:28:e9:7a:8d:5a:1a:7a:d1:2d:c2:8a:c8:e5:83.
       Are you sure you want to continue connecting (yes/no)? yes
       Warning: Permanently added '192.168.25.61' (RSA) to the list of known hosts.
       Password: default
       [root@bigiq1:NO LICENSE] config #

     Currently, the system is running BIG-IQ software, and its prompt, bigiq1, is the default for a BIG-IQ system. The root password shown here is a well-known factory default; change it (for example, with passwd) before the management address is reachable from anything other than your administration network.
  3. Invoke tmsh, where you can perform some initial provisioning of the Logging Node. For example:

       [root@bigiq1:NO LICENSE] config # tmsh
       root@(bigiq1)(NO LICENSE)(/Common)(tmos)#

  4. Expand the /var directory, which holds all the event logs. Use the modify sys disk directory command to schedule the directory for resizing, then use the reboot command to reboot the Logging Node and expand the directory. The new-size value is given in kilobytes. For example, this command sequence expands the /var directory to 15G and reboots the Logging Node:

       root@(bigiq1)(NO LICENSE)(/Common)(tmos)# modify sys disk directory /var new-size 15000000
       root@(bigiq1)(NO LICENSE)(/Common)(tmos)# reboot
       The system will be rebooted momentarily
       Broadcast message from root (pts/0) (Thu Aug 14 09:04:44 2014):
       The system is going down for reboot NOW!
       root@(bigiq1)(NO LICENSE)(/Common)(tmos)# Connection to 192.168.25.61 closed by remote host.
       Connection to 192.168.25.61 closed.
       juser@bench2:~/$

  5. Wait for the Logging Node to finish the boot process, then reconnect and reopen tmsh. For example:

       juser@bench2:~/$ ssh root@192.168.25.61
       Password: default
       [root@bigiq1:NO LICENSE] config # tmsh
       root@(bigiq1)(NO LICENSE)(/Common)(tmos)#

  6. Use the modify sys global-settings hostname command to create an appropriate host name for the Logging Node. The prompt changes to reflect the new name. For example:

       root@(bigiq1)(NO LICENSE)(/Common)(tmos)# modify sys global-settings hostname lognode1.myco.com
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#

  7. Use the modify sys ntp commands to set up the Network Time Protocol (NTP) for this Logging Node. Set the time zone and add one or more NTP servers; accurate time on the node matters because the date_time of every stored event, and any time-period filter you later apply, depend on it. For example, these commands set the time zone for New York in the U.S., and add one NTP server:

       root@(lognode1)(NO LICENSE)(/Common)(tmos)# modify sys ntp timezone America/New_York
       root@(lognode1)(NO LICENSE)(/Common)(tmos)# modify sys ntp servers add { 192.168.96.95 }
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#

  8. Use the create net vlan command to create a VLAN named internal. Then use the modify net vlan command to assign it to the 1.1 interface. For example:

       root@(lognode1)(NO LICENSE)(/Common)(tmos)# create net vlan internal
       root@(lognode1)(NO LICENSE)(/Common)(tmos)# modify net vlan internal interfaces add { 1.1 }
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#

  9. Use the create net self command to assign a self IP address to the internal VLAN, and allow service on TCP port 8514, the port on which the Logging Node accepts events from BIG-IP systems. For example, this assigns 10.57.140.135/16 as a self IP address:

       root@(lognode1)(NO LICENSE)(/Common)(tmos)# create net self 10.57.140.135/16 vlan internal address 10.57.140.135/16 allow-service add { default tcp:8514 }
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#

     The default keyword also admits the platform's default set of services on this self IP. If the internal VLAN carries nothing but log traffic, allowing tcp:8514 alone leaves the node with a smaller exposed surface.
  10. Use the create net route command to establish a default gateway for the VLAN. For example:

       root@(lognode1)(NO LICENSE)(/Common)(tmos)# create net route internal_default_gateway gw 10.57.140.1 network default
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#

  11. Use the modify sys dns name-servers command to add your local DNS servers and your DNS search parameters. For example:

       root@(lognode1)(NO LICENSE)(/Common)(tmos)# modify sys dns name-servers add { 10.57.1.28 } search add { myco.com localhost }
       root@(lognode1)(NO LICENSE)(/Common)(tmos)#
The Logging Node is ready to process network traffic, but it likely requires a software upgrade to bring it to the same build as its partner BIG-IQ system.

About upgrading the Logging Node to the BIG-IQ build

This product ships with a software build that was current at the time of the software release. Typically, a later build is available. The build on the Logging Node must be the same as the build on its partner BIG-IQ system. If you need to upgrade the Logging Node, follow the instructions in Upgrading BIG-IQ Systems.

Configuring the logging profile

Each BIG-IP system sends its events to a Logging Node. You create an event logging profile to define the contents of these events, and to identify the Logging Node to which the events are sent.
  1. On the Main tab, click Security > Event Logs > Logging Profiles > +. The Create New Logging Profile screen opens.
  2. In the Profile Name field, type the name that you choose for this new profile.
  3. Select the Application Security check box. Application Security settings display.
  4. From the Configuration list, select Advanced. Some new fields appear, including the Remote Storage check box.
  5. Select the Remote Storage check box. Several new fields appear, including the Protocol list.
  6. From the Protocol list, select TCP. Events travel over this connection in clear text and, with the storage format below, carry full requests and responses, user names, and session IDs, so keep the path between the BIG-IP system and the Logging Node on a trusted network segment.
  7. In the Server Addresses settings, specify the address you want to use:
    1. In the IP Address field, type one of the Logging Node's self IP addresses.
    2. In the Port field, type 8514.
    3. Click the Add button to add the address/port to the list of servers.
  8. In the Storage Format setting, specify how you want to store this data:
    1. Select User-Defined from the list at the top.
    2. Then enter this exact format (without any line breaks) for the event logs in the Selected Items field:

       unit_hostname="%unit_hostname%",management_ip_address="%management_ip_address%",
       http_class_name="%http_class_name%",web_application_name="%http_class_name%",policy_name="%policy_name%",
       policy_apply_date="%policy_apply_date%",violations="%violations%",support_id="%support_id%",
       request_status="%request_status%",response_code="%response_code%",ip_client="%ip_client%",
       route_domain="%route_domain%",method="%method%",protocol="%protocol%",query_string="%query_string%",
       x_forwarded_for_header_value="%x_forwarded_for_header_value%",sig_ids="%sig_ids%",sig_names="%sig_names%",
       date_time="%date_time%",severity="%severity%",attack_type="%attack_type%",geo_location="%geo_location%",
       ip_address_intelligence="%ip_address_intelligence%",username="%username%",session_id="%session_id%",
       src_port="%src_port%",dest_port="%dest_port%",dest_ip="%dest_ip%",sub_violations="%sub_violations%",
       virus_name="%virus_name%",uri="%uri%",request="%request%",violation_details="%violation_details%",
       header="%headers%",response="%response%"

     The line breaks in the example above were necessary due to screen width; remove all of them after you paste this data. It should be a single string with no white space, ending with the closing quote after %response%. Note that two keys deliberately read a differently named variable: web_application_name is filled from %http_class_name%, and header is filled from %headers%.
  9. From the Maximum Entry Length list, select 64K.
  10. In the Storage Filter area, from the Request Type list, select All Requests.
  11. Click the Finished button to save the new profile.
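The storage format above is a flat run of key="%variable%" entries, and the values BIG-IP substitutes for %request%, %headers% and %response% contain commas and double quotes of their own, so anything downstream that splits a stored line on commas will break. The following Python is an added example, not code from the F5 page or product: it normalizes the format string exactly as step 8 requires (all white space removed, every entry checked), lists the keys in wire order, and parses a line written in that format back into fields by scanning for the next expected key rather than splitting on delimiters. The event line is constructed here from a dict rather than captured from a BIG-IP, and the parser assumes ASM writes values verbatim with no escaping.

```python
import re
from typing import Dict, List, Tuple

# The User-Defined storage format from step 8, pasted the way a screen-width
# wrap leaves it (line breaks and a space after some commas). The profile
# needs it as one string with no white space; normalize_format() does that.
RAW_FORMAT = (
    'unit_hostname="%unit_hostname%",management_ip_address="%management_ip_address%",\n'
    ' http_class_name="%http_class_name%",web_application_name="%http_class_name%",policy_name="%policy_name%",\n'
    ' policy_apply_date="%policy_apply_date%",violations="%violations%",support_id="%support_id%",\n'
    ' request_status="%request_status%",response_code="%response_code%",ip_client="%ip_client%",\n'
    ' route_domain="%route_domain%",method="%method%",protocol="%protocol%",query_string="%query_string%",\n'
    ' x_forwarded_for_header_value="%x_forwarded_for_header_value%",sig_ids="%sig_ids%",sig_names="%sig_names%",\n'
    ' date_time="%date_time%",severity="%severity%",attack_type="%attack_type%",geo_location="%geo_location%",\n'
    ' ip_address_intelligence="%ip_address_intelligence%",username="%username%",session_id="%session_id%",\n'
    ' src_port="%src_port%",dest_port="%dest_port%",dest_ip="%dest_ip%",sub_violations="%sub_violations%",\n'
    ' virus_name="%virus_name%",uri="%uri%",request="%request%",violation_details="%violation_details%",\n'
    ' header="%headers%",response="%response%"'
)

ENTRY = re.compile(r'^(\w+)="%(\w+)%"$')   # one key="%variable%" entry


def normalize_format(raw: str) -> str:
    """Strip every white-space character and check that what remains is a
    comma-separated run of key="%variable%" entries, which is what the
    Selected Items field must receive."""
    fmt = re.sub(r'\s+', '', raw)
    for entry in fmt.split(','):
        if not ENTRY.match(entry):
            raise ValueError(f'malformed storage-format entry: {entry!r}')
    return fmt


def format_keys(fmt: str) -> List[Tuple[str, str]]:
    """Return (log key, ASM variable) pairs in wire order. Key and variable
    differ for web_application_name (%http_class_name%) and header (%headers%)."""
    return [ENTRY.match(e).groups() for e in fmt.split(',')]


def render_event(keys: List[Tuple[str, str]], values: Dict[str, str]) -> str:
    """Lay out one event the way the profile does. Constructed for this
    example only; values are written verbatim with no escaping, which is the
    property the parser below has to cope with."""
    return ','.join(f'{k}="{values.get(k, "")}"' for k, _ in keys)


def parse_event(line: str, keys: List[Tuple[str, str]]) -> Dict[str, str]:
    """Parse one stored line back into a dict. Splitting on ',' or '"' fails
    as soon as the raw request carries those characters, so each value is
    read up to the delimiter that introduces the *next expected key*."""
    names = [k for k, _ in keys]
    event, pos = {}, 0
    for i, key in enumerate(names):
        prefix = f'{key}="'
        if not line.startswith(prefix, pos):
            raise ValueError(f'expected {key}= at offset {pos}')
        start = pos + len(prefix)
        if i + 1 < len(names):
            end = line.find(f'",{names[i + 1]}="', start)
            if end < 0:
                raise ValueError(f'unterminated value for {key}')
            pos = end + 2                     # skip '",' to land on the next key
        else:
            if not line.endswith('"'):
                raise ValueError('line does not end with a closing quote')
            end = len(line) - 1
        event[key] = line[start:end]
    return event


# Constructed sample (not a capture from any BIG-IP): a SQL-injection attempt
# whose raw request contains commas and double quotes. Fields not listed
# here are stored as empty strings, as they would be for a real event.
SAMPLE: Dict[str, str] = {
    'unit_hostname': 'bigip1.myco.com', 'management_ip_address': '192.168.25.50',
    'http_class_name': '/Common/policy1', 'web_application_name': '/Common/policy1',
    'policy_name': '/Common/policy1', 'violations': 'Attack signature detected',
    'support_id': '1234567890123456789', 'request_status': 'blocked',
    'response_code': '0', 'ip_client': '203.0.113.7', 'method': 'GET',
    'protocol': 'HTTP', 'query_string': "id=1'%20OR%20'1'='1", 'severity': 'Critical',
    'attack_type': 'SQL-Injection', 'src_port': '51234', 'dest_port': '80',
    'dest_ip': '10.57.140.20', 'uri': '/item.php',
    'request': "GET /item.php?id=1'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.myco.com\r\n"
               'User-Agent: Mozilla/5.0 (X11, Linux)\r\nCookie: a="1", b=2\r\n\r\n',
}

if __name__ == '__main__':
    keys = format_keys(normalize_format(RAW_FORMAT))
    event = parse_event(render_event(keys, SAMPLE), keys)
    for k, v in event.items():
        print(f'{k:30} {v!r}')
```

Running it prints all 35 fields with the raw request intact; the same line has more than 35 comma-separated pieces, which is why the next-key scan is used instead of a split.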

Adding the logging profile to a virtual server

Each BIG-IP system sends its events to a BIG-IQ Logging Node. After you create an event logging profile, you assign it to a virtual server. The virtual server (or servers) with this profile sends all of its relevant events to the Logging Node that you specified in the logging profile.
  1. On the Main tab, click Local Traffic > Virtual Servers > Virtual Server List. The Virtual Server List screen opens.
  2. Click the name of the virtual server that you want to log security events.
  3. From the Security menu at the top of the screen, choose Policies.
  4. Use the Log Profile settings to specify the log profile to use:
    1. From the Log Profile list, select Enabled.
    2. From the Available list, select the log profile you created earlier, and move (<<) it to the Selected list.
  5. Click Update to save your changes.

Discovering a Logging Node from BIG-IQ Security

Using the BIG-IQ Security system, you discover a Logging Node and add it to the ASM Logging Group. The BIG-IQ Security application can then access all of the security events on the Logging Node, potentially from multiple BIG-IP systems.
  1. Log into BIG-IQ System GUI with your administrator user name and password.
  2. From the list at the top of the screen, choose System. Several panels appear, including the BIG-IQ Systems panel.
  3. In the BIG-IQ Systems panel, hover over ASM Logging Group, click the gear icon when it appears, and select Add Device. The panel expands to show the New Device screen.
  4. In the IP Address field, type the Management IP address of the Logging Node (for example, 192.168.25.61).
  5. In the User name and Password fields, type the credentials for an administrator on the Logging Node (for example, admin and admin). These are the factory defaults; BIG-IQ stores them to reach the node, so set a dedicated administrator password on the Logging Node before you add it.
  6. Confirm that the Group field is set to ASM Logging Group.
  7. Click the Add button at the top of the screen to add the Logging Node to the system.
All BIG-IP virtual servers that send their security events to the above Logging Node are aggregated in the event logs on the BIG-IQ system. You can repeat this task to add multiple Logging Nodes.

About the event logs interface

The Event Logs system interface consists of two filtering fields and three main panes:

  • Filtering fields:
    • Selected devices list. A horizontal list below the Event Logs heading, where you select one or more devices for event viewing.
    • Filter field. A horizontal field, below the Event Logs heading to the right of the selected devices field, where you can provide text to rapidly narrow the search scope.
  • Panes:
    • Devices panel. At the far left, used for selecting a group of events, policies, saved filters, or pre-configured tags. This specifies the set of items in the next pane.
    • Log items list. Using this pane, you can browse log items, or select one to view details on. Each log item displays:
      • URL
      • Source IP address
      • Response code
      • Date and time
      • Severity: Informational, Critical, Error
      • Status
    • Details pane. This pane displays details of the item selected in the Log items pane. You can view:
      • Raw HTTP[S] request
      • Geolocation details
      • Policy details (by clicking the expand triangle to the right of the policy name)
      • General request details (by clicking the triangle to the right of the URL)
      • Related tags

Viewing event log details

You can view request and response details for a single log item.
  1. Log in to BIG-IQ Security.
  2. Click Web Application Security, and then click Event Logs.
  3. In the Log Items pane (list of events), click a single event log. The Details pane to the right displays a variety of information about the event.
  4. In the Details pane, click Request to view request details. Details include:
    • Raw HTTP[S] request
    • General request details (by clicking the expand arrow to the right of the URL)
    • Geolocation
    • Policy details (by clicking the expand triangle to the right of the policy name)
    • List of related tags
  5. Click Response to view response details.

Using common filters

You can use the Event Logs screen's Devices panel to update common filters for requests and security policies.
  1. Log in to BIG-IQ Security.
  2. Click Web Application Security, and then click Event Logs.
  3. In the Devices panel, click any sub-item under Requests or Policies.
The system updates log items according to the selected filter, and results appear in the Log Items pane.

Filtering (basic)

You can use the Event Logs screen's search filter to make viewing of event logs easier, even event logs from multiple BIG-IP devices.
  1. Log in to BIG-IQ Security.
  2. Click Web Application Security, and then click Event Logs.
  3. In the Event Logs Filter field, click the expand triangle to the right of the field. The Search filter popup screen opens to the basic view, which is the default.
  4. Complete the Search filter field or fields applicable to your search.
     Setting       Description
     Request type  From the list, select All requests or Illegal requests (log responses for illegal requests only).
     Support ID    Type the last 4 digits of the support ID (the unique ID given to a transaction).
     Violation     This selects the policy violation that detects attacks, such as Attack Signature Detection or Illegal Cookie Length. From the list, select nothing (indicating that any violation type matches) or a violation type.
     Attack type   This selects the type of attack (such as Denial of Service or HTTP Parser Attack) that you want to see. From the list, select nothing (indicating that any attack type matches) or choose a particular attack type.
     Time Period   In the From field, click the calendar icon and select a start date. Then, in the To field, click the calendar icon and select an end date.
     Policies      Type a policy name.
  5. Click the Search icon in the blue bar.
The results of the filtering process appear in the Log Items list.

Filtering (advanced)

You can use the Event Logs screen's advanced search filter to narrow event logs further, even event logs from multiple BIG-IP devices.
  1. Log in to BIG-IQ Security.
  2. Click Web Application Security, and then click Event Logs.
  3. In the Event Logs Filter field, click the expand triangle to the right of the field. The Search filter popup screen opens to the basic view, which is the default.
  4. Click Advanced
  5. Complete the Search filter field or fields applicable to your search.
     Setting    Description
     Method     From the list, select GET, POST, PATCH, or DELETE.
     Protocols  From the list, select HTTP.
     Severity   From the list, select Informational, Critical, or Error.
  6. Click the search icon in the blue bar.
The results of the filtering process appear in the Log Items list.

Filtering by entering query parameters

You can use the Filter field to enter query parameters in ODATA format, that is, as key operator 'value'. For example:

    policy_name eq '/Common/policy1'

Note: AND/OR constructs are supported.
  1. Log in to BIG-IQ Security.
  2. Click Web Application Security, and then click Event Logs.
  3. In the Filter field, type a query in the format key operator 'value'.
  4. Type a key from the following list:
     Key                           Description
     attack_type                   Name of the attack
     date_time                     Date and time of the event
     dest_ip                       Destination IP of this transaction (virtual server)
     dest_port                     Destination port of this transaction (virtual server) *
     geo_location                  Attacker geolocation *
     header                        List of request headers
     http_class_name               Alias of policy name
     ip_address_intelligence       IP category such as proxy, phishing, and so on *
     ip_client                     Attacker IP address
     management_ip_address         BIG-IP management IP address
     method                        HTTP method of the request (POST, GET, and so on)
     policy_apply_date             Date and time of the last apply-policy operation
     policy_name                   Name of the active policy
     protocol                      Transport protocol (HTTP)
     query_string                  URI query string
     request                       Full request *
     request_status
     response_code                 HTTP response code
     route_domain
     session_id                    *
     severity                      Severity of the request (Informational/Error/Critical/Warning)
     sig_ids                       *
     sig_names
     src_port                      Source port of this transaction *
     sub_violations
     support_id                    Unique ID given for a transaction
     unit_hostname                 BIG-IP unit host name *
     uri                           URI of the request *
     username                      *
     violations                    List of violations
     virus_name                    *
     web_application_name
     x_forwarded_for_header_value
  5. Type an operator from the following list:
     Operator  Description
     eq        Equal
     ne        Not equal
     lt        Less than
     le        Less than or equal to
     gt        Greater than
     ge        Greater than or equal to
  6. Type a value in any of the following formats:
    • 'value'
    • '*alue'
    • 'alu*'
    • '*ue*'
The system updates log items according to the typed query, and results appear in the Log Items list. Clearing the Filter field clears the filter as well.
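To make the query form concrete, here is an added example (not code from the F5 page or product): a small evaluator for queries of the shape described above, run over a handful of constructed event records that use the keys of the storage format. It accepts key operator 'value' terms with the six operators, the four wildcard shapes, and AND/OR between terms. Three points are assumptions of this example rather than statements on the page: AND binds tighter than OR, comparisons are numeric when both sides are integers and textual otherwise, and a wildcard value is only meaningful with eq or ne.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed event records (not exported from any BIG-IQ), keyed like the
# storage format; only a few fields per event are needed to show filtering.
EVENTS: List[Event] = [
    {'support_id': '1001', 'policy_name': '/Common/policy1', 'ip_client': '203.0.113.7',
     'response_code': '200', 'severity': 'Critical', 'attack_type': 'SQL-Injection',
     'uri': '/item.php', 'dest_port': '80', 'method': 'GET'},
    {'support_id': '1002', 'policy_name': '/Common/policy1', 'ip_client': '203.0.113.9',
     'response_code': '403', 'severity': 'Error', 'attack_type': 'Cross Site Scripting (XSS)',
     'uri': '/search', 'dest_port': '443', 'method': 'POST'},
    {'support_id': '1003', 'policy_name': '/Common/policy2', 'ip_client': '198.51.100.4',
     'response_code': '200', 'severity': 'Informational', 'attack_type': '',
     'uri': '/index.html', 'dest_port': '80', 'method': 'GET'},
    {'support_id': '1004', 'policy_name': '/Common/policy2', 'ip_client': '198.51.100.4',
     'response_code': '503', 'severity': 'Critical', 'attack_type': 'Denial of Service',
     'uri': '/api/items.php', 'dest_port': '80', 'method': 'GET'},
]

# A term is  key op 'value' ; between terms only AND / OR may appear.
TERM = re.compile(r"(\w+)\s+(eq|ne|lt|le|gt|ge)\s+'([^']*)'|\b(AND|OR)\b", re.IGNORECASE)


def _glob(pattern: str) -> "re.Pattern[str]":
    """Turn the page's wildcard shapes (*alue, alu*, *ue*) into an anchored regex."""
    return re.compile('^' + '.*'.join(re.escape(p) for p in pattern.split('*')) + '$', re.DOTALL)


def _coerce(left: str, right: str):
    """Compare numerically when both sides are integers (ports, response codes),
    otherwise compare as text. Assumption of this example."""
    try:
        return int(left), int(right)
    except ValueError:
        return left, right


def compile_term(key: str, op: str, value: str) -> Callable[[Event], bool]:
    op = op.lower()
    if '*' in value:
        if op not in ('eq', 'ne'):
            raise ValueError(f'wildcard values only combine with eq/ne, not {op}')
        rx = _glob(value)
        return lambda ev: bool(rx.match(ev.get(key, ''))) == (op == 'eq')

    def test(ev: Event) -> bool:
        left, right = _coerce(ev.get(key, ''), value)
        return {'eq': left == right, 'ne': left != right, 'lt': left < right,
                'le': left <= right, 'gt': left > right, 'ge': left >= right}[op]
    return test


def compile_query(query: str) -> Callable[[Event], bool]:
    """Parse  term (AND|OR term)*  into a predicate. The query is rejected if
    any text falls outside the recognised tokens, so a typo such as
    policy_name : '/Common/policy1' fails instead of silently matching nothing."""
    groups: List[List[Callable[[Event], bool]]] = []   # OR-separated groups of AND terms
    current: List[Callable[[Event], bool]] = []
    expect_term, pos = True, 0
    for m in TERM.finditer(query):
        if query[pos:m.start()].strip():
            raise ValueError(f'unexpected text in query: {query[pos:m.start()]!r}')
        pos = m.end()
        key, op, value, conn = m.groups()
        if conn:
            if expect_term:
                raise ValueError('connective without a term before it')
            if conn.upper() == 'OR':
                groups.append(current)
                current = []
            expect_term = True
        else:
            if not expect_term:
                raise ValueError('two terms without AND/OR between them')
            current.append(compile_term(key, op, value))
            expect_term = False
    if query[pos:].strip() or expect_term:
        raise ValueError(f'malformed query: {query!r}')
    groups.append(current)
    return lambda ev: any(all(t(ev) for t in g) for g in groups)


def search(events: List[Event], query: str) -> List[Event]:
    pred = compile_query(query)
    return [ev for ev in events if pred(ev)]


if __name__ == '__main__':
    for q in ("policy_name eq '/Common/policy1'",
              "uri eq '*.php'",
              "severity eq 'Critical' AND response_code ge '400'",
              "ip_client eq '203.0.113.*' OR attack_type eq 'Denial of Service'"):
        print(q, '->', [e['support_id'] for e in search(EVENTS, q)])
```

Quoting the value is what lets a value with spaces, such as 'Denial of Service', pass through as one token; the same quoting is why the page shows the value in single quotes in every format it lists.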