iControl command in audit log

Question

Hi, &nbsp;
&nbsp;When i enter a command in tmsh, i see it the audit log, and so in my remote syslog to. For example, when i load my conf with the command tmsh load sys config and I can see in the syslog the corresponding log: module=(tmos) status=[Command OK] cmd_data=load sys config&nbsp;&nbsp;How can I have the same type of log with a command asked by iControl? I want the command passed with a remote server using iControl is logged in audit as the same. Does anybody has an idea?&nbsp;
&nbsp;Thanks!&nbsp;

hooleylist · Answer

Hi Alscion, 
&nbsp;  
&nbsp; When you enable audit logging for MCP (under System | Logs | Options | MCP) and make an iControl call, the credentials passed to LTM are logged in /var/log/audit.  In this example, the iControl app is logging into LTM as icontrol_user and disabling a node address: 
&nbsp;  
&nbsp; Nov 16 11:28:41 local/ve1 notice httpd[14618]: 01070417:0: AUDIT - user icontrol_user - RAW: httpd(mod_auth_pam): user=icontrol_user(icontrol_user) partition=[All] level=Administrator tty=/bin/false host=192.168.1.177 attempts=1  tart="Wed Nov 16 11:06:39 2011" end="Wed Nov 16 11:28:41 2011". 
&nbsp;  
&nbsp; Nov 16 11:30:23 local/ve1 notice mcpd[3840]: 01070417:5: AUDIT - user icontrol_user - transaction 1544928-3 - object 0 - modify { node_address { node_address_addr 10.1.0.100 node_address_monitor_state 3 } } [Status=Command OK] 
&nbsp;  
&nbsp; Aaron

alscion_68122 · Answer

Ho thanks hoolio,  
&nbsp;  
&nbsp; It works activing MCP audit logging.

Forum Discussion

iControl command in audit log

2 Replies

Recent Discussions

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Related Content

Auditing Security Policy Updates

Logging/Audit Binary Execution?

Power of tmsh commands using Ansible

iControl REST Authentication Token Management

Microsoft Powershell with iControl