The Extended Log Files screen provides options for logs relating to the ESP and WAF features.

The ESP and WAF audit logs are rotated every 30 days (older logs are removed). WAF remote logs are rotated every seven days.

Note: If debug logging is enabled, it is possible that sensitive information may appear in the logs. If you are concerned by this, clear all the logs immediately after disabling debug logging.

To get to the Extended Log Files screen – in the LoadMaster WUI, go to System Configuration > Logging Options > Extended Log Files.

Note: The WAF logs are not generated in real time – they can be up to two minutes behind what the WAF engine is actually processing.

Disk Usage - This section provides an indication of the percentage used/free of the log partition. Color-coding is used to highlight different usage levels:

  • 0% to 50%: green
  • 50% to 90%: orange
  • 90% to 100%: red

There are multiple log files relating to ESP stored on the LoadMaster. These are listed below the Disk Usage section. These logs are persistent across LoadMaster reboots.

You can select one of the View or Save Action buttons with the default filter options to apply the action to the various log files (Connection Logs, Security Logs, and so on). For the Clear button, you must first select which logs to clear using the Selection controls.

To access the Selection Controls, click one of the right caret icons at the right of the buttons. For example, clicking on the icon to the right of the Clear and Save buttons, displays these controls.

You can filter the logs to clear or save by selecting a subset of log files from the multiple pick list on the right.

  • ESP Connection Logs: logs recording each connection.
  • ESP Security Logs: logs recording all security alerts.
  • ESP User Logs: logs recording all user logins.
Note: In LoadMaster firmware version 7.2.51, ESP user logs were expanded to be more useful and applicable to enterprise customers with extensive logging infrastructure. User Authentication, Authorization, and Accounting (AAA) information is included in the logs, including the time of request, username, domain, AAA server, AAA protocol type, AAA result, and error message. For further details, refer to the ESP Logs Technical Note.
Note: In LoadMaster firmware version 7.2.53, the ESP client session logging was further enhanced. The LoadMaster logs: - The initially created ESP session - The time when the LoadMaster cleared the session from the cache. Note that if the entire cache is cleared, a single log message is recorded at the time of clearing, which notes that all existing sessions at that time were cleared form the cache. - If an ESP session is deleted (when the user logs out from the application, when the session expires, or the user enters invalid credentials). The time when the LoadMaster cleared the session is also logged.
  • WAF Audit Logs: recording WAF logs based on what has been selected for the Audit mode drop-down list in the WAF Options section of the Virtual Service modify screen. The number listed in each log entry corresponds to the ID of the Virtual Service. To get the Virtual Service ID, first ensure that the API interface is enabled (Certificates & Security > Remote Access > Enable API Interface). Then, in a web browser address bar, enter https://<LoadMasterIPAddress>/access/listvs. Check the index of the Virtual Service. This is the number that corresponds to the number on the audit log entry.

To view the logs, please select the relevant options and click the relevant View button.

One or more archived log files can be viewed by selecting the relevant file(s) from the list of file names and clicking View. You can filter the log files by entering a word(s) or regular expression in the filter field and clicking View.

Note: If you use quotes in regular expressions in the LoadMaster WUI, there are limitations. For more information, refer to the section Limitations of Using Regular Expressions in the LoadMaster WUI.

Clear Extended Logs

Log files can be deleted by filtering one or more individual log files in the log file list or selecting a specific log type (for example, connection, security, or user) in the log file list and clicking Clear. Click OK on any warning messages.

Save Extended Logs

Click the arrow to expand the options. Select a file type (for example, connection). All extended logs can be saved to a file by clicking Save. This saves a file to your machine.

Specific log files can be saved by filtering one or more individual log files in the log file list or selecting a specific log type (for example connection, security or user) in the log file list and clicking Save.

Disable Local Extended ESP Logs

If Disable Local Extended ESP Logs is disabled (the default option), messages are written to the extended ESP logs expediently and are not sent to any remote syslog servers that are defined.

If Disable Local Extended ESP Logs is enabled, no messages are written to the extended ESP logs and messages are only sent to the remote logger (if one is defined). If a remote logger is not defined, no logs are recorded.

You can no longer configure the system to both populate the local extended ESP logs and send the same messages to remote syslog servers, as it was in previous releases.

Clear Temporary WAF Remote Log Data

Clear the temporary WAF remote log data.

Save Temporary WAF Remote Logs Data

Save the temporary WAF remote log data.