Forum Discussion

mike_rootvik_15's avatar
mike_rootvik_15
Icon for Nimbostratus rankNimbostratus
May 06, 2014

Security Event logs - local locations

This seems like a really stupid question to have to ask, but I can't seem to find an answer in the documentation.

 

I am running Big-IP 11.5 with AFM provisioned. I am running a Security Network Firewall rule (global) with logging enabled.

 

For various reasons I want to look at the local log file on the Big-IP from the command line, but can not locate them.

 

Where are the Network Firewall logs located? If the different contexts have logs in different locations, I'd appreciate knowing where the firewall logs are for Global, Virtual Servers and Self-IP.

 

Thanks

 

advanced firewall manager
management
security
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    May 07, 2014

    It seems you have to specifically configure logging, no doubt because the logs could be considerable. See here for full details: http://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-3-0/6.html.

     

    It seems logging can only be applied per virtual server.

     

  • mike_rootvik_15's avatar
    mike_rootvik_15
    Icon for Nimbostratus rankNimbostratus
    May 07, 2014

    Thanks for the response. As indicated in the original post, I do have logging enabled (it is using the local-db-publisher) and configured to log Network Firewall events. Which I can sucessfully view via the GUI.

     

    What I am having issues with, is locating where these log entries are stored on Big-IP system, and how I can view them from the CLI.

     

    • What_Lies_Bene1's avatar
      What_Lies_Bene1
      Icon for Cirrostratus rankCirrostratus
      May 07, 2014
      Ahhh, I see, sorry. I see if I can find out, will probably be tomorrow.
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    May 08, 2014

    So, I've had a bit of a play. I think you'll find local syslog entries here: /shared/avr_afm.

     

    However, unless you configure the local-db-publisher to also use the local syslog facility I doubt you'll see anything. You can configure this under System > Logs > Configuration > Log Publishers.

     

    Let me know if this helps.

     

  • mike_rootvik_15's avatar
    mike_rootvik_15
    Icon for Nimbostratus rankNimbostratus
    May 14, 2014

    After crawling around the Big-IP for a while I discovered that the AFM rule loggin is written into the LTM log in /var/log/.

     

    At least when loggin was configured to use the local-db-publisher.

     

  • brahim94_11525's avatar
    brahim94_11525
    Icon for Nimbostratus rankNimbostratus
    May 15, 2014

    Hi mike,

     

    In wich file on /var/log/ AFM is logging ?

     

    Thank you,

     

    Best regards

     

    • What_Lies_Bene1's avatar
      What_Lies_Bene1
      Icon for Cirrostratus rankCirrostratus
      May 15, 2014
      See above. In particular note that you need to enable syslog logging otherwise log entries are written to a database that can only be view via the GUI.
  • brahim94_11525's avatar
    brahim94_11525
    Icon for Nimbostratus rankNimbostratus
    May 15, 2014

    Sorry I posted my question too quickly,

     

    It's located on /var/log/ltm

     

    Thk you