There are two Audit Logging settings - one for MCP (logs configuration changes made via the GUI) and one for TMSH (logs configuration changes made via tmsh). With both enabled, I used the GUI to add an HTTP profile to a virtual server, and then used tmsh to replace all profiles with just a TCP profile (effectively removing the HTTP profile), and the following Audit Log messages were produced (quite a few, as you can see - and I think I got them all!):
Wed Nov 2 09:51:52 PDT 2016 0-0 pid=24955 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=modify ltm virtual dvwa_virtual profiles replace-all-with { tcp }:
Wed Nov 2 09:51:52 PDT 2016 0-0 client tmsh, tmsh-pid-24955, user root - transaction 26490628-3 - object 0 - create_if { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" } } [Status=Command OK]:
Wed Nov 2 09:51:52 PDT 2016 0-0 client tmsh, tmsh-pid-24955, user root - transaction 26490628-2 - object 0 - obj_delete { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" } } [Status=Command OK]:
Wed Nov 2 09:51:21 PDT 2016 root 0-0 sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.4.30 attempts=1 start="Wed Nov 2 09:51:21 2016".:
Wed Nov 2 09:51:21 PDT 2016 root 0-0 sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.4.30 attempts=1 start="Wed Nov 2 09:51:20 2016" end="Wed Nov 2 09:51:21 2016".:
Wed Nov 2 09:51:02 PDT 2016 0-0 pid=24889 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db:
Wed Nov 2 09:51:02 PDT 2016 0-0 pid=24885 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt:
Wed Nov 2 09:50:46 PDT 2016 0-0 pid=24830 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save / sys config partitions all:
Wed Nov 2 09:50:42 PDT 2016 0-0 client tmui, user admin - transaction 26485555-6 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" virtual_server_profile_profile_type 5 virtual_server_profile_profile_context 0 } } [Status=Command OK]:
Wed Nov 2 09:50:42 PDT 2016 0-0 client tmui, user admin - transaction 26485555-5 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/http" virtual_server_profile_profile_type 1 virtual_server_profile_profile_context 0 } } [Status=Command OK]:
Wed Nov 2 09:50:42 PDT 2016 0-0 client tmui, user admin - transaction 26485555-4 - object 0 - obj_delete { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" virtual_server_profile_profile_type 5 } } [Status=Command OK]:
Wed Nov 2 09:50:42 PDT 2016 0-0 client tmui, user admin - transaction 26485555-3 - object 0 - modify { virtual_server { virtual_server_name "/Common/dvwa_virtual" virtual_server_description "" virtual_server_enabled 1 virtual_server_conn_limit 0 virtual_server_eviction_policy "" virtual_server_rate_limit 0 virtual_server_rate_limit_mode 0 virtual_server_rclass "" virtual_server_bwcclass "" virtual_server_translate_addr 1 virtual_server_translate_port 0 virtual_server_nat64 0 virtual_server_srcport 0 virtual_server_auto_lasthop 0 virtual_server_type 0 virtual_server_source_address_translation_type 0 virtual_server_source_address_translation_pool "" virtual_server_lasthop_pool_name "" virtual_server_gtm_score 0 virtual_server_update_status 1 virtual_server_src_addr 0.0.0.0 virtual_server_addr 10.10.4.111 virtual_server_contribute_to_va_status 1 virtual_server_action_on_service_down 0 virtual_server_va_name "/Common/10.10.4.111" virtual_server_wildmask 255.255.255.255 virtual_server_port any virtual_server_ip_proto 6 virtual_server_listed_enabled_vlans 0 } } [Status=Command OK]:
In versions prior to BIG-IP 11/6/0, audit logging was disabled by default. Since 11.6.0, it's enabled by default. Per SOL16304, "Generally, you should experience minimal impact on system resources. However, audit logging intensity increases with the increase in the frequency and intensity of configuration changes; this may affect system resource usage."