Forum Discussion

THE_BLUE
Sep 05, 2022

Audit WAF changes

I have many users accessing the WAF and I need to audit everything they are doing, for example if anyone makes a change in the learning and blocking settings or in the virtual server configuration. Is there any way to do this?

  • Hi, 

    Have you seen the ASM Audit log? (Security ›› Application Security : Audit : Log - This is the path in v16.1, in earlier versions, I believe you can find it under the History section)

    This will contain the changes made, their username etc. 

    See here an example of one of my policies; 

    Hope this helps. 

    • arnora

      Hi - I have been using these logs a lot, but have recently upgraded to 17.1. Does anyone know where those logs are now? I can't find them anymore.

      • AlexBCT

        They've indeed moved it around a bit in v17.1. You can now find it under the Security Policy section, see the screenshot below; 

        Hope this helps. 

         

  • You can find Audit logs for WAF policies in Security > Application Security > Policy > Audit > Log file. This is enabled by default if I recall correctly. You should also be able to see these logs in /var/log/asm file searching for USER_ACTIVITY. 

    For LTM module, you can configure logging in System > Logs > Configuration > Options, I believe tmsh and MCP audit logs are enabled by default and you can enable GUI audit logging as well. You'll find the logs in the /var/log/audit file or in System > Logs > Audit > List. 
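The `/var/log/asm` search for `USER_ACTIVITY` mentioned in the reply above, as an added example that is not part of the original thread. The function name `asm_user_activity` is hypothetical, and it assumes rotated copies sit beside the live log as `asm.N` or `asm.N.gz`; it matches only the `USER_ACTIVITY` marker and does not parse the rest of the line.

```shell
#!/bin/sh
# Added example: list USER_ACTIVITY entries from the ASM log and its rotated
# copies, so changes older than the live log file are not missed.
# Assumption: rotated copies are named asm.N or asm.N.gz in the same directory.
# Usage: asm_user_activity [log_dir] [fixed_string]
#   asm_user_activity                 # everything under /var/log
#   asm_user_activity /var/log alice  # only entries that also contain "alice"
asm_user_activity() {
    log_dir="${1:-/var/log}"   # directory holding the asm log
    needle="${2:-}"            # optional fixed string, e.g. a username
    for f in "$log_dir"/asm "$log_dir"/asm.*; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        case "$f" in
            *.gz) reader='gzip -dc' ;;   # rotated and compressed copy
            *)    reader='cat' ;;        # live log or uncompressed rotation
        esac
        # Keep audit entries, apply the optional filter, and prefix each hit
        # with the file it came from. Files are visited in glob order, which
        # is not guaranteed to be chronological.
        $reader "$f" 2>/dev/null \
            | grep -F 'USER_ACTIVITY' \
            | { if [ -n "$needle" ]; then grep -F -- "$needle"; else cat; fi; } \
            | sed "s|^|$(basename "$f"): |" || true
    done
}
```

Reading these files on the BIG-IP needs shell access with permission to read the log directory; copying the output off-box keeps a record that outlives local log rotation.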

  • Hello,

     

    You can check the settings in System > Logs : Configuration : Options, and then check for the MCP option as per the below article for the audit logs in general and check whether they are being logged or not.

    (audit logging for BIG-IP configuration changes is enabled by default)

    https://support.f5.com/csp/article/K58343253

    And as Alex mentioned you can view it from the audit logs by accessing the GUI.

     

  • You can enable gui-audit log at System ›› Logs : Configuration : Options

    After changing the OS, the default value of this option is disabled.

  • Thank you very much for your guidance, highly appreciated.