Forum Discussion

Christoph_Lange
May 15, 2013

radius authentication alert logging

I get a log entry, even though the user is properly authenticated - it's the same for ssh and http:

 

May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify user (from getpwnam(chris))
May 15 09:22:40 f5devicename notice httpd[12843]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 09:22:40 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013".
May 15 09:22:43 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013" end="Wed May 15 09:22:43 2013".

May 15 10:15:32 f5devicename alert sshd[7325]: pam_unix(sshd:account): could not identify user (from getpwnam(chris))
May 15 10:15:32 f5devicename notice sshd[7325]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".

 

Is there any chance to avoid this?

 

br, chris
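The benign pattern in the excerpt above is a pam_unix "could not identify user" alert immediately followed by a pam_bigip_authz success from the same daemon and PID, for a user that exists only on the RADIUS server and not in the local passwd database. The following is an added example, not from the thread or from F5, that pairs those two events so a log-triage rule can suppress the matched alerts and surface only the unmatched ones; the sample lines are constructed from the excerpt, with one extra unmatched line for a hypothetical user "mallory" added to show the unresolved case.

```python
import re

# Constructed sample lines modelled on the excerpt in the question. The last
# line (user "mallory") is invented here to show a lookup failure that is NOT
# followed by a pam_bigip_authz success and therefore stays unresolved.
SAMPLE_LOG = """\
May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify user (from getpwnam(chris))
May 15 09:22:40 f5devicename notice httpd[12843]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 10:15:32 f5devicename alert sshd[7325]: pam_unix(sshd:account): could not identify user (from getpwnam(chris))
May 15 10:15:32 f5devicename notice sshd[7325]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 11:02:10 f5devicename alert sshd[8001]: pam_unix(sshd:account): could not identify user (from getpwnam(mallory))
"""

# BSD-style syslog line with the BIG-IP severity word between host and program.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
GETPWNAM_RE = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)")
AUTHZ_RE = re.compile(r"pam_bigip_authz: authenticated user (?P<user>\S+) with role (?P<role>\d+)")


def classify_getpwnam_alerts(log_text):
    """Pair each pam_unix getpwnam alert with a later pam_bigip_authz success
    from the same daemon and PID for the same user. Returns a list of
    (user, prog, status) with status 'benign-remote-user' or 'unresolved'."""
    results = []
    open_alerts = {}  # (prog, pid, user) -> index into results
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "sshd(pam_audit)[7322]" audit lines are not relevant here
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        g = GETPWNAM_RE.search(msg)
        if g:
            key = (prog, pid, g.group("user"))
            open_alerts[key] = len(results)
            results.append([g.group("user"), prog, "unresolved"])
            continue
        a = AUTHZ_RE.search(msg)
        if a:
            idx = open_alerts.pop((prog, pid, a.group("user")), None)
            if idx is not None:
                results[idx][2] = "benign-remote-user"
    return [tuple(r) for r in results]


if __name__ == "__main__":
    for user, prog, status in classify_getpwnam_alerts(SAMPLE_LOG):
        print(f"{prog:5} user={user:8} {status}")
```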

 

7 Replies

  • It looks like someone has enabled audit logging perhaps. Take a look at System > Logs > Configuration > Audit Logging
  • I tried to disable audit logging, but the problem is still there.

    Any other ideas?

    btw: I am using version 11.3.0


  • can you try this?

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list sys syslog all-properties
    sys syslog {
        auth-priv-from notice
        auth-priv-to emerg
        console-log enabled
        cron-from warning
        cron-to emerg
        daemon-from notice
        daemon-to emerg
        description none
        include none
        iso-date disabled
        kern-from notice
        kern-to emerg
        local6-from notice
        local6-to emerg
        mail-from notice
        mail-to emerg
        messages-from notice
        messages-to warning
        remote-servers none
        user-log-from notice
        user-log-to emerg
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from err
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) 
    
  • I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem. Here you can see:

    root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from emerg
    root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog user-log-from emerg
    root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list sys syslog all-properties
    sys syslog {
        auth-priv-from emerg
        auth-priv-to emerg
        console-log enabled
        cron-from warning
        cron-to emerg
        daemon-from notice
        daemon-to emerg
        description none
        include none
        iso-date disabled
        kern-from notice
        kern-to emerg
        local6-from notice
        local6-to emerg
        mail-from notice
        mail-to emerg
        messages-from notice
        messages-to warning
        remote-servers {
            remotesyslog1 {
                description none
                host 10.10.10.8
                remote-port 514
            }
            remotesyslog2 {
                description none
                host 10.10.10.9
                remote-port 514
            }
        }
        user-log-from emerg
        user-log-to emerg
    }


  • "I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem." Where is the log? Is it /var/log/secure? Those settings affect only the local log.
  • after you change auth-priv-from (modify sys syslog...) and save (i.e. tmsh save sys config), can you check /etc/syslog-ng/syslog-ng.conf? is syslog-ng configuration changed accordingly?

    this is mine.

    authpriv.*                                    /var/log/secure
    filter f_authpriv {
        (facility(auth, authpriv) and level(err..emerg))
        or program(sshd)
        or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
        or match("pam_audit")
        ;
    };
    
    destination d_secure {
       file("/var/log/secure" create_dirs(yes));
    };
    
    log {
       source(s_syslog_pipe);
       filter(f_authpriv);
       destination(d_secure);
    };
    

    by the way, have you customized syslog-ng configuration?