The BIG-IP® system generates a log message whenever a user or an application attempts to log in to or log out of the system. The system logs both successful and unsuccessful login attempts. The system stores these log messages in the /var/log/secure file.
When the system logs an authentication message in the /var/log/secure file, the message can contain the following types of information:
This is an example of log messages for both successful and failed login attempts made by user jsmith:
May 10 16:25:25 jsmith-dev sshd: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ] May 10 16:14:56 jsmith-dev sshd: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]).
Audit logging is an optional feature that logs messages whenever a BIG-IP® system object, such as a virtual server or a load balancing pool, is configured (that is, created, modified, or deleted). The BIG-IP system logs the messages for these auditing events in the file /var/log/audit.
There are three ways that objects can be configured:
Whenever an object is configured in one of these ways, the BIG-IP system logs a message to the audit log.
An optional type of logging that you can enable is audit logging. Audit logging logs messages that pertain to actions that users or services take with respect to the BIG-IP® system configuration. This type of audit logging is known as MCP audit logging. Optionally, you can set up audit logging for any tmsh commands that users type on the command line.
For both MCP and tmsh audit logging, you can choose a log level. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event.
The log levels for MCP logging are:
The log levels for tmsh logging are: