Forum Discussion

Ben_Weber_25404's avatar
Ben_Weber_25404
Icon for Nimbostratus rankNimbostratus
Apr 18, 2016
Solved

Where can I find logs that a user was created?

Where in the F5 console (or the syslog) can I find logs of a user being created? Does the log show who created the user?

 

Thanks in advance!

 

  • Hello Ben,

     

    Creating a user with the GUI will make log entries in the following places. In this example a admin named "admin" created an admin user named "Fishstick" with a weak password.

     

    /var/log/audit

     

    audit:Apr 18 12:20:39 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client tmui, user admin - transaction 2193575-4 - object 0 - create { userdb_entry { userdb_entry_name "Fishstick" userdb_entry_passwd "***" userdb_entry_is_crypted 0 userdb_entry_gecos "Fishstick" userdb_entry_shell "/sbin/nologin" } } [Status=Command OK] audit:Apr 18 12:20:39 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client tmui, user admin - transaction 2193575-3 - object 0 - create { user_role_partition { user_role_partition_user "Fishstick" user_role_partition_partition "[All]" user_role_partition_role 0 } } [Status=Command OK] audit:Apr 18 12:20:41 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client Unknown, user admin - transaction 2194818-2 - object 0 - modify { user_role_partition { user_role_partition_user "Fishstick" user_role_partition_partition "[All]" user_role_partition_role 700 } } [Status=Command OK]

     

    /var/log/ltm

     

    ltm:Apr 18 12:20:40 RC1_1354 err mcpd[7174]: 01070366:3: Bad password (Fishstick): BAD PASSWORD: it is based on a dictionary word

     

    /var/log/secure

     

    secure:Apr 18 12:20:40 RC1_1354 notice mcpd[7174]: pam_unix(system-auth:chauthtok): password changed for Fishstick

     

1 Reply

  • Seth_81884's avatar
    Seth_81884
    Historic F5 Account

    Hello Ben,

     

    Creating a user with the GUI will make log entries in the following places. In this example a admin named "admin" created an admin user named "Fishstick" with a weak password.

     

    /var/log/audit

     

    audit:Apr 18 12:20:39 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client tmui, user admin - transaction 2193575-4 - object 0 - create { userdb_entry { userdb_entry_name "Fishstick" userdb_entry_passwd "***" userdb_entry_is_crypted 0 userdb_entry_gecos "Fishstick" userdb_entry_shell "/sbin/nologin" } } [Status=Command OK] audit:Apr 18 12:20:39 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client tmui, user admin - transaction 2193575-3 - object 0 - create { user_role_partition { user_role_partition_user "Fishstick" user_role_partition_partition "[All]" user_role_partition_role 0 } } [Status=Command OK] audit:Apr 18 12:20:41 RC1_1354 notice mcpd[7174]: 01070417:5: AUDIT - client Unknown, user admin - transaction 2194818-2 - object 0 - modify { user_role_partition { user_role_partition_user "Fishstick" user_role_partition_partition "[All]" user_role_partition_role 700 } } [Status=Command OK]

     

    /var/log/ltm

     

    ltm:Apr 18 12:20:40 RC1_1354 err mcpd[7174]: 01070366:3: Bad password (Fishstick): BAD PASSWORD: it is based on a dictionary word

     

    /var/log/secure

     

    secure:Apr 18 12:20:40 RC1_1354 notice mcpd[7174]: pam_unix(system-auth:chauthtok): password changed for Fishstick