For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vikram_23_27012's avatar
Vikram_23_27012
Icon for Nimbostratus rankNimbostratus
Apr 04, 2018

admin activity logs for load balancer

Hi Guys,   Is there any log that show what admin is doing ? ie execute what command.   One of my customer is facing issue where suddenly their cert all removed/deleted, so we want to know if th...
application delivery
BIG-IP
jaikumar_f5's avatar
jaikumar_f5
Icon for Noctilucent rankNoctilucent
Apr 04, 2018

Every thing gets logged as long as proper logging is turned on. By default the CLI logging gets logged as per default settings. But if the change was done through GUI, you may need to have the db config.auditting value enabled to see the GUI made changes.

  • In versions prior to BIG-IP 11.6.0, audit logging for BIG-IP configuration changes is disabled by default.
  • In version above 11.6, the db config.auditting is enabled by default.

To know if your BIGIP is configured to capture the GUI changes, run the below command,

tmsh list /sys db config.auditing value

To check your logs,

  • less /var/log/audit | grep 
  • less /var/log/audit | grep

In case the logs have been rotated, you may need to check on the other audit files,

ls -ltrh /var/log/audit*

This would list out the number of audit files thats present on your box with dates. You can use zcat/zless to open the gz files.

  • zcat /var/log/audit* | grep 
  • zcat /var/log/audit* | grep