Applies To:

Show Versions Show Versions

Manual Chapter: Auditing User Access
Manual Chapter
Table of Contents   |   << Previous Chapter

About auditing of user access to the BIG-IP system

The BIG-IP system generates a log message whenever a user or an application attempts to log in to or log out of the system. The system logs both successful and unsuccessful login attempts. The system stores these log messages in the /var/log/secure file.

When the system logs an authentication message in the /var/log/secure file, the message can contain the following types of information:

  • The connecting user's ID
  • The IP address or host name of the user's interface
  • The time of each login attempt
  • Successful login attempts for command line interface sessions only
  • Failed login attempts for command line interface, BIG-IP Configuration utility, and iControl sessions
  • The time of the logout for command line interface sessions only

This is an example of log messages for both successful and failed login attempts made by user jsmith:

May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ] May 10 16:14:56 jsmith-dev sshd[716]: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]).

About audit logging

Audit logging is an optional feature that logs messages whenever a BIG-IP system object, such as a virtual server or a load balancing pool, is configured (that is, created, modified, or deleted). The BIG-IP system logs the messages for these auditing events in the file /var/log/audit.

There are three ways that objects can be configured:

  • By user action
  • By system action
  • By loading configuration data

Whenever an object is configured in one of these ways, the BIG-IP system logs a message to the audit log.

About enabling and disabling auditing logging

An optional type of logging that you can enable is audit logging. Audit logging logs messages that pertain to configuration changes that users or services make to the BIG-IP system configuration. This type of audit logging is known as MCP audit logging. Optionally, you can set up audit logging for any tmsh commands that users type on the command line.

For both MCP and tmsh audit logging, you can choose a log level. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.

The log levels for MCP logging are:

Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
Verbose
This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
Debug
This causes the system to log messages for all user-initiated and system-initiated configuration changes.

The log levels for tmsh logging are:

Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)