Manual Chapter :
Auditing User Access
Applies To:
Show VersionsBIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP Link Controller
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP Analytics
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP DNS
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Auditing User Access
About auditing of user
access to the BIG-IP system
The BIG-IP system generates a log
message whenever a user or an application attempts to log in to or log out of the system. The
system logs both successful and unsuccessful login attempts. The system stores these log messages
in the
/var/log/secure
file.When the system logs an authentication message in the
/var/log/secure
file, the message can contain the
following types of information:- The connecting user's ID
- The IP address or host name of the user's interface
- The time of each login attempt
- Successful login attempts for command line interface sessions only
- Failed login attempts for command line interface, BIG-IP Configuration utility, and iControl sessions
- The time of the logout for command line interface sessions only
This is an example of log messages for both successful and failed login
attempts made by user
jsmith
:May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ] May 10 16:14:56 jsmith-dev sshd[716]: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]).
About audit
logging
Audit logging is an optional feature that logs messages whenever a BIG-IP system object, such as a virtual server or a load
balancing pool, is configured (that is, created, modified, or deleted). The BIG-IP system logs
the messages for these auditing events in the file
/var/log/audit
.There are three ways that objects can be configured:
- By user action
- By system action
- By loading configuration data
Whenever an object is configured in one of these ways, the BIG-IP system
logs a message to the audit log.
About enabling and
disabling auditing logging
An optional type of logging that you can enable is audit logging.
Audit logging
logs messages that pertain to actions that users or
services take with respect to the BIG-IP system
configuration. This type of audit logging is known as MCP audit
logging
. Optionally, you can set up audit logging for any tmsh
commands that users type on the command line.For both MCP and
tmsh
audit logging, you can choose a log level.
In this case, the log levels do not affect the severity of the log messages; instead, they affect
the initiator of the audit event.The log levels for MCP logging are:
- Disable
- This turns audit logging off. This is the default value.
- Enable
- This causes the system to log messages for user-initiated configuration changes only.
- Verbose
- This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
- Debug
- This causes the system to log messages for all user-initiated and system-initiated configuration changes.
The log levels for
tmsh
logging are:- Disable
- This turns audit logging off.
- Enable
- This causes the system to log alltmshcommands, including commands that result in no change to the configuration. Note that the system does not generate a log entry when the user types the single commandtmshto open thetmshshell. This is the default log level.