
gijo_342173
Oct 12, 2018

Root user saving command with no log of host IP info

user root saving config to all partitions. I don't see a host IP logged.


notice tmsh[7528]: 01420002:5: AUDIT - pid=7528 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save / sys config partitions all


3 Replies

  • Hi,

    Usually it is the configuration synchronization process (ConfigSync) that saves the configurations on a high availability (HA) peer.

    BR,

  • I don't think so, as the command save / sys config partitions all is to locally save it, besides data-group is configured so without specifying the data group, config sync is not possible to the peer unit.


  • Host IP addresses only appear on the audit log entries that are generated when someone logs onto or off of the BIG-IP system. That gives you the association between the IP address of the user and the account they logged into. From there on, any log entries generated by that user identify the user, not the IP address of the host.

    Having said that, this looks like the audit log message produced when the BIG-IP system automatically saves the configuration after someone makes a change using the Configuration utility. (Unless I can see the Audit log entries that immediately precede it, I can't be sure. But the spacing of the slash in the command ---

    save / sys config partitions all

    --- is not what one would normally type in when manually saving the configuration from TMSH - save /sys config. But it is what appears when the system automatically saves the config on behalf of a Configuration utility user.)

    For example, in the log messages below, I logged onto the GUI (Configuration utility) and created a virtual server. The first log entry shows the host IP I connected from - 192.168.4.30 and the account I logged into - admin. The second and third entries show the configuration changes I made. The last entry shows the system automatically issuing a save / sys config partitions all after I clicked the Finished button on the virtual server configuration. Notice the automatic save is issued from the root user. This is normal.

    Oct 12 09:07:01 bigip4 notice httpd[11265]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.4.30 attempts=1 start="Fri Oct 12 09:07:01 2018".
    Oct 12 09:07:49 bigip4 notice mcpd[5085]: 01070417:5: AUDIT - client tmui, user admin - transaction 931432-3 - object 0 - create { virtual_server { virtual_server_name "/Common/http_vs" virtual_server_description "" virtual_server_enabled 1 virtual_server_conn_limit 0 virtual_server_eviction_policy "" virtual_server_rate_limit 0 virtual_server_rate_limit_mode 0 virtual_server_rclass "" virtual_server_bwcclass "" virtual_server_translate_addr 1 virtual_server_translate_port 1 virtual_server_nat64 0 virtual_server_srcport 0 virtual_server_auto_lasthop 0 virtual_server_type 0 virtual_server_source_address_translation_type 0 virtual_server_source_address_translation_pool "" virtual_server_lasthop_pool_name "" virtual_server_default_pool "/Common/mysql_pool" virtual_server_gtm_score 0 virtual_server_update_status 1 virtual_server_addr 10.10.4.100 virtual_server_contribute_to_va_status 1 virtual_server_action_on_service_down 0 virtual_server_va_name "10.10.4.100" virtual_server_wildmask 255.255.255.255 virtual_server_port 80 virtual_server_ip_proto 6 virtual_server_listed_enabled_vlans 0 } } [Status=Command OK]
    Oct 12 09:07:49 bigip4 notice mcpd[5085]: 01070417:5: AUDIT - client tmui, user admin - transaction 931432-4 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/http_vs" virtual_server_profile_profile_name "/Common/tcp" virtual_server_profile_profile_type 5 virtual_server_profile_profile_context 0 } } [Status=Command OK]
    Oct 12 09:07:59 bigip4 notice tmsh[19690]: 01420002:5: AUDIT - pid=19690 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=**save / sys config partitions all**

    So I would look in your audit log for the entries that immediately precede the automatically generated save / sys config to find out what the change was and who made it.
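The correlation the last reply describes (host IP only on the httpd login entry, later entries keyed by user, and a root-issued `save / sys config partitions all` that follows a Configuration utility change) can be scripted. The following Python is an added example written for this thread, not code from the thread, from F5, or from the BIG-IP product: the regular expressions are fitted to the message formats quoted above, the 120-second attribution window is an assumption, and the sample log is constructed from the quoted lines (the mcpd entry is shortened and a fourth, unattributed save line is invented). It walks the audit log in order, remembers the host each user logged in from, and attributes each automatic save to the most recent preceding mcpd change by a non-root user, which is the manual lookup the reply recommends.

```python
import re
from datetime import datetime

# Constructed sample audit log modelled on the entries quoted in the thread.
# Line 2 is abbreviated; line 4 is an invented save with no preceding change.
SAMPLE_LOG = """\
Oct 12 09:07:01 bigip4 notice httpd[11265]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.4.30 attempts=1 start="Fri Oct 12 09:07:01 2018".
Oct 12 09:07:49 bigip4 notice mcpd[5085]: 01070417:5: AUDIT - client tmui, user admin - transaction 931432-3 - object 0 - create { virtual_server { virtual_server_name "/Common/http_vs" } } [Status=Command OK]
Oct 12 09:07:59 bigip4 notice tmsh[19690]: 01420002:5: AUDIT - pid=19690 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save / sys config partitions all
Oct 12 10:15:03 bigip4 notice tmsh[7528]: 01420002:5: AUDIT - pid=7528 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save / sys config partitions all
"""

# Syslog timestamp prefix shared by all three message types.
TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
# httpd login entry: the only place the client host IP appears.
LOGIN_RE = re.compile(TS + r" \S+ notice httpd\[\d+\]: \S+ AUDIT - user (?P<user>\S+) - RAW: .*?\bhost=(?P<host>\S+)")
# mcpd transaction entry: a configuration change, keyed by user and client (tmui = GUI).
CHANGE_RE = re.compile(TS + r" \S+ notice mcpd\[\d+\]: \S+ AUDIT - client (?P<client>\w+), user (?P<user>\S+) - transaction (?P<txn>\S+) -")
# tmsh command entry: carries the user and the command, never the host.
SAVE_RE = re.compile(TS + r" \S+ notice tmsh\[\d+\]: \S+ AUDIT - pid=\d+ user=(?P<user>\S+) .*?cmd_data=(?P<cmd>.*)$")


def parse_ts(ts):
    """Parse a syslog timestamp (no year) for computing deltas within one log."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def is_auto_save(cmd):
    """The reply's heuristic: the GUI-triggered save logs 'save / sys config
    partitions all' (space after the slash), unlike a hand-typed 'save /sys config'."""
    return cmd.strip() == "save / sys config partitions all"


def attribute_saves(log_text, window_seconds=120):
    """Return one finding per root auto-save, attributed to the preceding GUI change.

    window_seconds is an assumed bound on how long after a change the automatic
    save may land; a save with no change inside the window is left unattributed.
    """
    host_by_user = {}      # user -> host IP from the most recent login entry
    last_change = None     # most recent mcpd change by a non-root user
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            host_by_user[m["user"]] = m["host"]
            continue
        m = CHANGE_RE.match(line)
        if m and m["user"] != "root":
            last_change = {"ts": parse_ts(m["ts"]), "user": m["user"],
                           "client": m["client"], "txn": m["txn"]}
            continue
        m = SAVE_RE.match(line)
        if m and m["user"] == "root" and is_auto_save(m["cmd"]):
            save_ts = parse_ts(m["ts"])
            finding = {"save_ts": m["ts"], "attributed_to": None,
                       "host": None, "client": None, "txn": None}
            if last_change and 0 <= (save_ts - last_change["ts"]).total_seconds() <= window_seconds:
                finding.update(attributed_to=last_change["user"],
                               host=host_by_user.get(last_change["user"]),
                               client=last_change["client"], txn=last_change["txn"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in attribute_saves(SAMPLE_LOG):
        who = f["attributed_to"] or "UNATTRIBUTED"
        print(f"{f['save_ts']}: root auto-save <- {who} host={f['host']} client={f['client']} txn={f['txn']}")
```

Run against a real `/var/log/audit` the script attributes the 09:07:59 save to `admin` from 192.168.4.30 via the `tmui` client and flags the 10:15:03 save as unattributed, which is exactly the case worth looking at more closely: either the preceding change fell outside the window, or the log around it needs to be read by hand.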