How to: Access the BIG-IP Next Central Manager audit logs
Summary
As a central management system, the BIG-IP Next Central Manager tracks the operations performed on the system. The audit log is a system feature that tracks which users accessed the system, when they accessed it, and what operations they performed.
Audit log entries are written to persistent storage, so they survive system failures and restarts. You can access these audit logs through the BIG-IP Next Central Manager GUI and API.
The BIG-IP Next Central Manager also aggregates application log entries. These log entries are generated by the various microservices that make up the application. For information on how to access these logs, refer to Access the BIG-IP Next Central Manager application logs.
Prerequisites
You need to know the management IP address used to access the BIG-IP Next Central Manager for which you want to view log entries.
You need to know the admin user name and password configured for the BIG-IP Next Central Manager on which you want to examine log entries.
Audit log events
The following is a list of events that trigger an audit log entry. You can retrieve these events using the appropriate REST API call.
Login to the BIG-IP Next Central Manager
Logout of the BIG-IP Next Central Manager
Any REST request that creates, modifies, or deletes data (including POST, PUT, and DELETE requests).
Any request that fails due to authentication or authorization problems. That is, the request resulted in either an unauthorized (401) or forbidden (403) response code.
Most audit log entries include the identity of the user who performed the request. An exception to this can occur if a request fails because the user identity was not provided.
Access the BIG-IP Next Central Manager audit logs
Each row of the audit log lists the Timestamp, User Name, Roles, Instance Name, and Action of the entry.
Note: The Instance Name in each row will only be shown for actions performed on the Instance when the respective instance ID is available in the API path for the action.
Use the following procedure to access audit logs through BIG-IP Next Central Manager GUI:
Log in to BIG-IP Next Central Manager.
Click the Workspace icon next to the F5 logo, then click Observability > Logs & Events to view the audit logs.
To filter logs by roles, click the All Roles dropdown and then select the role as per your requirement.
To filter logs by instances, click the All Instances dropdown and then select the instance as per your requirement.
To filter logs by applications, click the All Applications dropdown and then select the application as per your requirement.
In the search field, enter text to filter the logs as per your requirement.
For example, to filter logs by the action user login, enter user login in the search field.
To filter logs based on time, click the date filter dropdown and then select the number of hours or days as per your requirement.
Note: You can select up to 90 days of audit logs.
To enable the advanced filter, click Show Filter. The advanced filter supports three additional fields:
All Fields - allows you to search all audit log fields using the containing or not containing options in the next dropdown selections.
HTTP Method - filter logs based on HTTP methods like POST, GET, or DELETE.
Result Code - filter logs by result codes like 200, 400, or 500.
For example, to view audit logs where the HTTP method is POST and the response code is 200, follow these steps:
Click + Add Filter and select HTTP method.
Select Is from the next dropdown and then select POST method from the next dropdown list.
Click + Add Filter again and select Result Code.
Select Is from the next dropdown and then select 200 - Ok from the dropdown list.
Click Export to download the filtered audit logs in CSV format.
Note: You can export a maximum of 100,000 rows of audit logs to the sheet.
Click the refresh icon to refresh the audit logs list.
Click the dropdown next to the refresh icon to toggle Auto Refresh on or off. When enabled, the list refreshes automatically every 30 seconds.
Click any of the action items in the Action column to view the properties of that specific log entry.
Access BIG-IP Next Central Manager audit logs using API
For the full list of API endpoints for audit logs, see Logs.
Prerequisite
Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Use the following procedure to access audit logs through the BIG-IP Next Central Manager API:
To retrieve audit logs, send a GET request to the spaces/default/analytics/log/audit endpoint:
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/analytics/log/audit
For example, to filter logs based on the following conditions:
Last 30 minutes
Limit of 1000 entries
Instance Manager role
Specific Instance ID
Specific Application ID
Use the following request:
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/analytics/log/audit?start=now-30m&end=now&limit=1000&page=1&filter=(user_role%20has%20%27Instance%20Manager%27)%20and%20(instance_id%20eq%20%27221082e7-8fb8-4c02-b629-22d630718e31%27)%20and%20(application_id%20eq%20%27ce86a6cd-e18c-4591-8bd8-b15fc117ff00%27)
Sample successful response:
{
  "_links": {
    "self": { "href": "string" },
    "prev": { "href": "string" },
    "next": { "href": "string" },
    "first": { "href": "string" },
    "last": { "href": "string" }
  },
  "audit_logs": [ {
    "audit_id": "string", "user": "string", "user_id": "string", "user_role": "string",
    "timestamp": "string", "source_address": "string", "source_port": 0,
    "result_code": 0, "response": "string", "resource_reference": "string", "request": "string",
    "product_version": "string", "latency": 0, "http_method": "string", "host": "string",
    "feature": "string", "application_id": "string", "application_name": "string",
    "instance_id": "string", "instance_name": "string", "action": "string",
    "property": "string", "namespace": "string"
  } ],
  "total": 0,
  "count": 0
}
For more information about retrieving audit logs using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
To retrieve an audit log entry by ID, send a GET request to the spaces/default/analytics/log/audit/{audit_id} endpoint:
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/analytics/log/audit/{audit_id}
Sample successful response:
{
  "auditId": "string", "timestamp": "string", "sourceAddress": "string", "sourcePort": "string",
  "userId": "string", "userName": "string", "userRole": "string", "httpMethod": "string",
  "httpResponseCode": "string", "resourceReference": "string", "request": "string",
  "response": "string", "productResponse": "string", "auditAction": "string",
  "auditProperty": "string", "nodeHostname": "string"
}
For more information about retrieving audit logs by ID using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
To export audit logs, send a GET request to the spaces/default/analytics/log/audit/export endpoint:
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/analytics/log/audit/export
Use the following request to export the logs with filtering:
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/analytics/log/audit/export?start=now-30m&end=now&limit=1000&page=1&filter=(user_role%20has%20%27Instance%20Manager%27)%20and%20(instance_id%20eq%20%27221082e7-8fb8-4c02-b629-22d630718e31%27)%20and%20(application_id%20eq%20%27ce86a6cd-e18c-4591-8bd8-b15fc117ff00%27)
For more information about exporting audit logs using BIG-IP Next Central Manager APIs, see OpenAPI Documentation.
Access the BIG-IP Next Central Manager audit logs using curl command
The following procedure provides example API calls using the curl HTTP client. To submit your own API calls, use any HTTP client (for example, Postman), and ensure that you observe the syntax outlined in the example API calls.
To retrieve the audit logs, you use a REST API call. All API calls to the BIG-IP Next Central Manager must be authenticated using an access token (or bearer token). To get an access token, you need the IP address of the BIG-IP Next Central Manager as well as the admin login credentials. Use the syntax shown in the following example:
Send a POST request to the /api/login endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/login
For the API body, use the following, substituting the username and password for the BIG-IP Next Central Manager you are accessing.
{
"username": "admin",
"password": "admin"
}
Response:
{
"access_token": "<access token>",
"refresh_token": "<refresh token>"
}
Using the bearer token (or access token), submit a command similar to the following to the BIG-IP Next Central Manager:
curl -sk -H "Authorization: Bearer <bearer token>" https://<BIG-IP Next Central Manager IP address>/api/system/v1/logs/audit
Where <bearer token> is the access token you retrieved in the first step, and <BIG-IP Next Central Manager IP address> is the management IP address of the BIG-IP Next Central Manager whose audit logs you want to view.
The BIG-IP Next Central Manager responds by sending the audit log entries for the BIG-IP Next Central Manager targeted in your command. Each response will contain as many fields as appropriate for that particular audit log entry.
Note: If you use an HTTP client (like Postman) to submit your audit log command, each audit log entry will be nicely parsed and formatted similar to what is shown below.
{
"action": "user login",
"duration_ms": 157,
"endpoint": "login",
"feature": "gateway",
"http_method": "GET",
"level": "info",
"msg": "",
"result_code": 200,
"source_addr": "10.10.10.10",
"timestamp": "2021-12-08T18:07:48.839858Z",
"url": "/login",
"user": "admin",
"user_id": "7aef5f9c-5af1-4ec8-a58f-6d597309ada4"
}
Otherwise, the response displays as a long chunk of content on your screen. If there are hundreds of audit events and the BIG-IP Next Central Manager returns all of the audit log entries in one response, you might find it very challenging to read the response. To avoid this issue, consider limiting the number of responses. For more information, refer to Limit the number of audit log responses (below).
To understand the meaning of the audit log responses, refer to Audit log properties and descriptions.
Limit the number of audit log responses
You might find it useful to use a switch that limits the number of audit logs that the BIG-IP Next Central Manager returns in response to your command. Without this limit, the BIG-IP Next Central Manager returns the last 1000 audit log entries (or all of the entries if there are fewer than 1000).
If you have a BIG-IP Next Central Manager that has been live for a while, you probably only want to see a small subset of these entries. To use this limit, add ?limit=<number of entries> to your command.
For example, to limit the response in the previous example to the last 10 audit log entries, append ?limit=10 to the command, like this:
curl -sk -H "Authorization: Bearer <bearer token>" https://<BIG-IP Next Central Manager IP address>/api/v1/logs/audit?limit=10
In response to this command, the BIG-IP Next Central Manager returns only the last 10 audit log entries.
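The login and filtered audit-log retrieval from the API and curl procedures above, as an added Python example that is not F5's own code: the query builder reproduces the filter encoding shown in the API section, and the paging loop assumes pages are walked by incrementing page until total entries have been returned. The management address, the CM_PASSWORD environment variable and the sample filter values are placeholders or assumptions.

```python
"""Added example, not F5's code: log in, build the filter query string shown
on this page, and page through /api/v1/spaces/default/analytics/log/audit."""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote, urlencode


def audit_filter(*clauses):
    """Join clauses into the '(a) and (b)' filter syntax used by the API."""
    return " and ".join(f"({clause})" for clause in clauses)


def audit_query(start, end, limit, page, filter_expr):
    """Encode the query string; '(' and ')' stay literal, spaces and quotes become %20 / %27."""
    params = {"start": start, "end": end, "limit": limit, "page": page, "filter": filter_expr}
    return urlencode(params, quote_via=quote, safe="()")


def login(base_url, username, password, ctx):
    """POST /api/login and return the bearer (access) token."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/api/login", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def iter_audit_logs(base_url, token, start, end, filter_expr, ctx, limit=1000):
    """Yield entries page by page; stops once `total` entries have been seen (assumed paging contract)."""
    page, seen = 1, 0
    while True:
        url = f"{base_url}/api/v1/spaces/default/analytics/log/audit?{audit_query(start, end, limit, page, filter_expr)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            data = json.load(resp)
        entries = data.get("audit_logs") or []
        yield from entries
        seen += len(entries)
        if not entries or seen >= data.get("total", 0):
            break
        page += 1


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # verify the CM certificate instead of using curl -k
    base = "https://cm.example.invalid"  # placeholder for https://<cm_mgmt_ip>
    expr = audit_filter("user_role has 'Instance Manager'",
                        "instance_id eq '221082e7-8fb8-4c02-b629-22d630718e31'")  # values from this page
    token = login(base, "admin", os.environ["CM_PASSWORD"], ctx)
    for e in iter_audit_logs(base, token, "now-30m", "now", expr, ctx, limit=10):
        print(e["timestamp"], e["user"], e["http_method"], e["result_code"], e["action"])
```

Set CM_PASSWORD in the environment before running; the loop passes limit=10 so a busy Central Manager does not flood the terminal, mirroring the ?limit= switch described above.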
Audit log properties and descriptions
Properties that can trigger audit log entries for BIG-IP Next Central Manager are described in the following table.
Property Name | Description | Example Values |
---|---|---|
Timestamp | The time stamp (in UTC format) when the event was logged. | "2021-08-11T22:26:11.9907972Z" (if we don't set the Gateway's time zone). "2021-08-11T15:26:11.9907972-0700" (if we set Gateway's time zone). |
Username | The username of the user who initiated the request. | admin |
Role | The role of the user who initiated the request. | Instance Manager, Certificate Manager, and so on. |
Instance Name | The name of the instance on which the audit action occurs. Default value is N/A. | cards.jpmc.com |
Application Name | The name of the application associated with the audit log. Default value is N/A. | APP |
Namespace | Namespaces enable secure separation and isolation of configurations within Central Manager. The BIG-IP Next Central Manager will support multiple spaces in upcoming releases. Currently, there is only one namespace with the default value of "default". | default |
Action | Describes the action being performed. | Retrieve audit logs |
Feature | The target feature that handled the request. | system-feature |
Host | The server host that manages requests and responses. It is the IP address or name of the MBIQ box | mbiq.example.com |
Http_Method | The HTTP verb used in the request. | POST |
Latency | The time, in seconds or milliseconds, required to complete an operation. | 200ms |
Product Version | The product version of the BIG-IP Next Central Manager. | 1.0.0.1 |
Request | The body of the request. | Truncated to a maximum of 1024 bytes |
Resource Reference | The API request of the action being performed. | https://{{cm_mgmt_ip}}/api/system/v1/users |
Response | The body of the response. | Truncated to a maximum of 1024 bytes. |
Result Code | HTTP result code | 200 |
Source Address | The IP address of the client (for example, the user's laptop) that initiated the request. | xxxx.xxxx.xxxx.xxxx |
Note: Instance and application names are shown only for actions performed on them when the respective instance ID or application ID is available in the API path.
Property Name | Description | Example Values |
---|---|---|
action | A brief label describing the high-level contextual action being performed. | "login" (the API is a REST GET request, but the actual action is login) |
duration_ms | The number of milliseconds it took to complete the operation that triggered the event. | |
feature | The target feature that handled the request. | "system-feature" |
http_method | The HTTP verb used in the request. | "POST" |
result_code | HTTP result code | 404 |
request | The body of the request. | "{"username": "John Doe","password" : "******"}" |
source_address | The IP address of the client (for example, the user's laptop) that initiated the request. | "xxxx.xxxx.xxxx.xxxx" |
timestamp | The time stamp (in UTC format) when the event was logged. | "2021-08-11T22:26:11.9907972Z" (if we don't set the Gateway's time zone); "2021-08-11T15:26:11.9907972-0700" (if we set Gateway's time zone) |
user | The username of the user who initiated the request. | "admin" or the user's UUID string. |
user_id | The UUID is always present, except for login failures or unauthenticated requests. | |
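As an added example that is not part of the original page, the following Python triages a batch of audit_logs entries for the 401 and 403 failures that the Audit log events section says are always recorded, grouping them by source address and separating anonymous failures from authenticated users denied a mutating request. The entries are constructed sample values using the field names from the API response above; the threshold of three failures is an assumption.

```python
"""Added example, not F5's code: triage audit log entries for auth failures."""
from collections import defaultdict

# Constructed sample entries (not real data) using the audit_logs field names from this page.
# Per the page, user is empty when a request fails before the identity is established.
SAMPLE_ENTRIES = [
    {"timestamp": "2021-12-08T18:07:48Z", "user": "admin", "source_address": "10.10.10.10",
     "http_method": "POST", "result_code": 200, "action": "user login"},
    {"timestamp": "2021-12-08T18:09:01Z", "user": "", "source_address": "198.51.100.7",
     "http_method": "POST", "result_code": 401, "action": "user login"},
    {"timestamp": "2021-12-08T18:09:04Z", "user": "", "source_address": "198.51.100.7",
     "http_method": "POST", "result_code": 401, "action": "user login"},
    {"timestamp": "2021-12-08T18:09:09Z", "user": "", "source_address": "198.51.100.7",
     "http_method": "POST", "result_code": 401, "action": "user login"},
    {"timestamp": "2021-12-08T18:12:30Z", "user": "viewer1", "source_address": "10.10.10.20",
     "http_method": "DELETE", "result_code": 403, "action": "delete user"},
]


def auth_failures(entries):
    """Group 401/403 entries by source address: count, users involved, result codes seen."""
    report = defaultdict(lambda: {"count": 0, "users": set(), "codes": set()})
    for e in entries:
        if e.get("result_code") in (401, 403):
            r = report[e.get("source_address", "?")]
            r["count"] += 1
            r["users"].add(e.get("user") or "<unauthenticated>")
            r["codes"].add(e["result_code"])
    return dict(report)


def noisy_sources(entries, threshold=3):
    """Source addresses with at least `threshold` auth failures; repeated 401s on login warrant a look."""
    return sorted(addr for addr, r in auth_failures(entries).items() if r["count"] >= threshold)


def privilege_denials(entries):
    """403s for an authenticated user on a mutating method: a user acting outside their role."""
    return [(e["user"], e["http_method"], e["action"]) for e in entries
            if e.get("result_code") == 403 and e.get("user")
            and e.get("http_method") in ("POST", "PUT", "DELETE")]


if __name__ == "__main__":
    print("noisy sources:", noisy_sources(SAMPLE_ENTRIES))
    print("privilege denials:", privilege_denials(SAMPLE_ENTRIES))
```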