Auditing policies

Auditing policies determine the messages that are generated and logged during a Web App Firewall session. These messages are logged in SYSLOG format to the local NSLOG server or to an external logging server. Different types of messages are logged on the basis of the level of logging selected.

To create an auditing policy, you must first create either an NSLOG server or a SYSLOG server. After specifying the server, you create the policy and specify the type of log and the server to which logs are sent.

To create an auditing server by using the command line interface

You can create two different types of auditing server: an NSLOG server or a SYSLOG server. The command names are different, but the parameters for the commands are the same.

To create an auditing server, at the command prompt, type the following commands:

  • add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> ... [-dateFormat ( **MMDDYYYY** | **DDMMYYYY** )] [-logFacility <logFacility>] [-tcp ( **NONE** | **ALL** )] [-acl ( **ENABLED** | **DISABLED** )] [-timeZone ( **GMT_TIME** | **LOCAL_TIME** )] [-userDefinedAuditlog ( **YES** | **NO** )] [-appflowExport ( **ENABLED** | **DISABLED** )]
  • save ns config

Example

The following example creates a syslog server named syslog1 at IP 10.124.67.91, with log levels of emergency, critical, and warning and the log facility set to LOCAL1, that logs all TCP connections:

add audit syslogAction syslog1 10.124.67.91 -logLevel emergency critical warning -logFacility LOCAL1 -tcp ALL
save ns config
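
The following Python check is an added example, not part of the product documentation: run on the collector side, it confirms that received messages carry the facility and log levels configured for syslog1 above. It relies only on the standard syslog PRI encoding (facility × 8 + severity); the sample lines are constructed, and nothing is assumed about the message body format.

```python
import re

# Standard syslog severity names, indexed by severity code 0..7.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
LOCAL0 = 16  # LOCAL0..LOCAL7 use facility codes 16..23

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_name, severity_name) from the leading <PRI>, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    facility, severity = divmod(pri, 8)
    name = f"LOCAL{facility - LOCAL0}" if facility >= LOCAL0 else f"facility{facility}"
    return name, SEVERITIES[severity]

def audit(lines, facility, levels):
    """List (line_number, reason) for messages outside the expected facility/levels."""
    wanted = {level.lower() for level in levels}
    findings = []
    for n, line in enumerate(lines, 1):
        decoded = decode_pri(line)
        if decoded is None:
            findings.append((n, "missing or invalid PRI"))
            continue
        fac, sev = decoded
        if fac != facility.upper():
            findings.append((n, f"unexpected facility {fac}"))
        elif sev not in wanted:
            findings.append((n, f"unexpected level {sev}"))
    return findings

# Constructed sample messages (not captured from an appliance).
SAMPLE = [
    "<138>constructed message",  # 17*8+2: LOCAL1, critical
    "<140>constructed message",  # 17*8+4: LOCAL1, warning
    "<142>constructed message",  # 17*8+6: LOCAL1, informational
    "<132>constructed message",  # 16*8+4: LOCAL0, warning
    "constructed message without a priority header",
]

if __name__ == "__main__":
    for n, reason in audit(SAMPLE, "LOCAL1", ["emergency", "critical", "warning"]):
        print(f"line {n}: {reason}")
```

A message flagged here means the collector is receiving traffic from a source whose facility or log levels differ from what was configured for this auditing server.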

To modify or remove an auditing server by using the command line interface

  • To modify an auditing server, type the set audit <type> command, the name of the auditing server, and the parameters to be changed, with their new values.
  • To remove an auditing server, type the rm audit <type> command and the name of the auditing server.

Example

The following example modifies the syslog server named syslog1 to add errors and alerts to the log level:

set audit syslogAction syslog1 -serverIP 10.124.67.91 -logLevel emergency critical warning alert error -logFacility LOCAL1 -tcp ALL
save ns config

To create or configure an auditing server by using the GUI

  1. Navigate to Security > Application Firewall > Policies > Auditing.
  2. In the details pane, click the Server tab.
  3. Do one of the following:
    • To add a new auditing server, click Add.
    • To modify an existing auditing server, select the server, and then click Edit.
  4. In the Create Auditing Server or Configure Auditing Server dialog box, set the following parameters:
    • Name
    • Auditing Type
    • IP Address
    • Port
    • Log Levels
    • Log Facility
    • TCP Logging
    • ACL Logging
    • User-Configurable Log Messages
    • AppFlow Logging
    • Date Format
    • Time Zone
  5. Click Create or OK.

To create an auditing policy by using the command line interface

You can create an NSLOG policy or a SYSLOG policy. The type of policy must match the type of server. The command names for the two types of policy are different, but the parameters for the commands are the same.

At the command prompt, type the following commands:

  • add audit syslogPolicy <name> <rule> <action>
  • save ns config

Example

The following example creates a policy named syslogP1 that logs Web App Firewall traffic to a syslog server named syslog1.

add audit syslogPolicy syslogP1 "ns_true" syslog1
save ns config

To configure an auditing policy by using the command line interface

At the command prompt, type the following commands:

  • set audit syslogPolicy <name> [-rule <expression>] [-action <string>]
  • save ns config

Example

The following example modifies the policy named syslogP1 to log Web App Firewall traffic to a syslog server named syslog2.

set audit syslogPolicy syslogP1 -rule "ns_true" -action syslog2
save ns config

To configure an auditing policy by using the GUI

  1. Navigate to Security > Application Firewall > Policies > Auditing.
  2. In the details pane, do one of the following:
    • To add a new policy, click Add.
    • To modify an existing policy, select the policy, and then click Edit.
  3. In the Create Auditing Policy or Configure Auditing Policy dialog box, set the following parameters:
    • Name
    • Auditing Type
    • Server
  4. Click Create or OK.