Forum Discussion

aR_297682
Nov 02, 2016

Configuration audit syslog messages

Trying to set up some auditing for configuration changes. What type of syslog messages would be generated by the F5 when there is a change in configuration, something like "configuration changed" etc.? And do we need audit MCP to be enabled?


3 Replies

  • There are two Audit Logging settings - one for MCP (logs configuration changes made via the GUI) and one for TMSH (logs configuration changes made via tmsh). With both enabled, I used the GUI to add an HTTP profile to a virtual server, and then used tmsh to replace all profiles with just a TCP profile (effectively removing the HTTP profile), and the following Audit Log messages were produced (quite a few, as you can see - and I think I got them all!):

    Wed Nov 2 09:51:52 PDT 2016     0-0 pid=24955 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=modify ltm virtual dvwa_virtual profiles replace-all-with { tcp }:
    Wed Nov 2 09:51:52 PDT 2016     0-0 client tmsh, tmsh-pid-24955, user root - transaction 26490628-3 - object 0 - create_if { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" } } [Status=Command OK]:
    Wed Nov 2 09:51:52 PDT 2016     0-0 client tmsh, tmsh-pid-24955, user root - transaction 26490628-2 - object 0 - obj_delete { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" } } [Status=Command OK]:
    Wed Nov 2 09:51:21 PDT 2016 root    0-0 sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.4.30 attempts=1 start="Wed Nov 2 09:51:21 2016".:
    Wed Nov 2 09:51:21 PDT 2016 root    0-0 sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.4.30 attempts=1 start="Wed Nov 2 09:51:20 2016" end="Wed Nov 2 09:51:21 2016".:
    Wed Nov 2 09:51:02 PDT 2016     0-0 pid=24889 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db:
    Wed Nov 2 09:51:02 PDT 2016     0-0 pid=24885 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt:
    Wed Nov 2 09:50:46 PDT 2016     0-0 pid=24830 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save / sys config partitions all:
    Wed Nov 2 09:50:42 PDT 2016     0-0 client tmui, user admin - transaction 26485555-6 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" virtual_server_profile_profile_type 5 virtual_server_profile_profile_context 0 } } [Status=Command OK]:
    Wed Nov 2 09:50:42 PDT 2016     0-0 client tmui, user admin - transaction 26485555-5 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/http" virtual_server_profile_profile_type 1 virtual_server_profile_profile_context 0 } } [Status=Command OK]:
    Wed Nov 2 09:50:42 PDT 2016     0-0 client tmui, user admin - transaction 26485555-4 - object 0 - obj_delete { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" virtual_server_profile_profile_type 5 } } [Status=Command OK]:
    Wed Nov 2 09:50:42 PDT 2016     0-0 client tmui, user admin - transaction 26485555-3 - object 0 - modify { virtual_server { virtual_server_name "/Common/dvwa_virtual" virtual_server_description "" virtual_server_enabled 1 virtual_server_conn_limit 0 virtual_server_eviction_policy "" virtual_server_rate_limit 0 virtual_server_rate_limit_mode 0 virtual_server_rclass "" virtual_server_bwcclass "" virtual_server_translate_addr 1 virtual_server_translate_port 0 virtual_server_nat64 0 virtual_server_srcport 0 virtual_server_auto_lasthop 0 virtual_server_type 0 virtual_server_source_address_translation_type 0 virtual_server_source_address_translation_pool "" virtual_server_lasthop_pool_name "" virtual_server_gtm_score 0 virtual_server_update_status 1 virtual_server_src_addr 0.0.0.0 virtual_server_addr 10.10.4.111 virtual_server_contribute_to_va_status 1 virtual_server_action_on_service_down 0 virtual_server_va_name "/Common/10.10.4.111" virtual_server_wildmask 255.255.255.255 virtual_server_port any virtual_server_ip_proto 6 virtual_server_listed_enabled_vlans 0 } } [Status=Command OK]:

    In versions prior to BIG-IP 11.6.0, audit logging was disabled by default. Since 11.6.0, it's enabled by default. Per SOL16304, "Generally, you should experience minimal impact on system resources. However, audit logging intensity increases with the increase in the frequency and intensity of configuration changes; this may affect system resource usage."
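A small parser for the three message shapes quoted in this reply (tmsh audit, MCP audit, and pam_audit login/logout), written as an added example rather than code from the original thread or from F5. It assumes the regexes below cover only the formats shown here, treats `create`/`modify`/`delete` as the tmsh verbs that count as configuration changes (an assumption), and uses sample lines copied from the reply above.

```python
import re
_TS = r"(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \w+ \d{4})"  # timestamp prefix shared by all three message types
# tmsh audit: "... 0-0 pid=N user=U folder=F module=(M) status=[S] cmd_data=CMD:"
TMSH_RE = re.compile(_TS + r"\s+0-0 pid=(?P<pid>\d+) user=(?P<user>\S+) folder=(?P<folder>\S+)"
                     r" module=\((?P<module>[^)]*)\) status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*?):?$")
# MCP audit: "... 0-0 client C, [tmsh-pid-N,] user U - transaction T - object O - VERB { TYPE { ... } } [Status=S]:"
MCP_RE = re.compile(_TS + r"\s+0-0 client (?P<client>\w+), (?:tmsh-pid-(?P<pid>\d+), )?user (?P<user>\S+)"
                    r" - transaction (?P<txn>\S+) - object (?P<obj>\d+) - (?P<verb>\w+) \{ (?P<objtype>\w+) \{ "
                    r"(?P<body>.*) \} \} \[Status=(?P<status>[^\]]*)\]:?$")
# pam_audit: "... U 0-0 sshd(pam_audit): user=U(G) partition=[P] level=L tty=T host=H attempts=N start="..." [end="..."].:"
PAM_RE = re.compile(_TS + r" \S+\s+0-0 sshd\(pam_audit\): user=(?P<user>\S+) partition=\[(?P<partition>[^\]]*)\]"
                    r" level=(?P<level>\S+) tty=(?P<tty>\S+) host=(?P<host>\S+) attempts=(?P<attempts>\d+)"
                    r' start="(?P<start>[^"]+)"(?: end="(?P<end>[^"]+)")?\.:?$')
MCP_CHANGE_VERBS = {"create", "create_if", "modify", "obj_delete"}  # MCP verbs seen in the thread
TMSH_CHANGE_VERBS = {"create", "modify", "delete"}                   # assumption: a minimal mutating set

def parse_audit_line(line):
    """Classify one audit line as a tmsh, mcp or login event; None if it is something else."""
    for kind, rx in (("tmsh", TMSH_RE), ("mcp", MCP_RE), ("login", PAM_RE)):
        if m := rx.match(line.strip()):
            ev = dict(m.groupdict(), kind=kind)
            if kind == "login":  # pam_audit writes a second line carrying end= when the session closes
                ev["event"] = "logout" if ev["end"] else "login"
            return ev
    return None

def is_config_change(ev):
    """True only for events that mutate configuration; list/show/save and logins are not changes."""
    if ev["kind"] == "mcp":
        return ev["verb"] in MCP_CHANGE_VERBS
    return ev["kind"] == "tmsh" and ev["cmd"].split()[0] in TMSH_CHANGE_VERBS

def config_changes(lines):
    """(user, client, transaction-or-pid, action) for every config-changing line, in input order."""
    out = []
    for ev in filter(None, map(parse_audit_line, lines)):
        if is_config_change(ev) and ev["kind"] == "mcp":
            out.append((ev["user"], ev["client"], ev["txn"], ev["verb"] + " " + ev["objtype"]))
        elif is_config_change(ev):
            out.append((ev["user"], "tmsh", ev["pid"], ev["cmd"]))
    return out

# Sample input constructed from the lines quoted in the reply above (sample values, not a live system).
SAMPLE = [
    'Wed Nov 2 09:51:52 PDT 2016     0-0 pid=24955 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=modify ltm virtual dvwa_virtual profiles replace-all-with { tcp }:',
    'Wed Nov 2 09:51:52 PDT 2016     0-0 client tmsh, tmsh-pid-24955, user root - transaction 26490628-3 - object 0 - create_if { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/tcp" } } [Status=Command OK]:',
    'Wed Nov 2 09:51:21 PDT 2016 root    0-0 sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.4.30 attempts=1 start="Wed Nov 2 09:51:20 2016" end="Wed Nov 2 09:51:21 2016".:',
    'Wed Nov 2 09:51:02 PDT 2016     0-0 pid=24889 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db:',
    'Wed Nov 2 09:50:42 PDT 2016     0-0 client tmui, user admin - transaction 26485555-5 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/dvwa_virtual" virtual_server_profile_profile_name "/Common/http" virtual_server_profile_profile_type 1 virtual_server_profile_profile_context 0 } } [Status=Command OK]:',
]
```

Running `config_changes(SAMPLE)` keeps the tmsh `modify`, the MCP `create_if` it produced, and the GUI `create`, while the `list sys db` and the SSH logout lines are classified but not reported as changes.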

  • Yes, audit logs are enabled by default on BIG-IP, but if you make the changes through tmsh or the web GUI then you will see the logs in the respective directory only, i.e. if you make the changes through TMSH you cannot find those audit logs in the web GUI, and vice versa.


    Audit logs will give you some clarity, like time and date, username and password, and transaction ID in the logs. BIG-IP stores the last 8 days of audit logs locally.


  • I have been attempting to set this up on my BIG-IP v12.1.1.


    For auditing reasons, I need syslog messages for login/logoff/config change to be sent to my remote syslog server. I have turned on the feature that sends syslogs to my remote server and have verified it is receiving a ton of messages, including login/logoff, but I am not receiving any config change messages.


    Any ideas?