Forum Discussion

fmiroux_28794
Nov 02, 2009

Audit Logging still active?

Hello,

We have upgraded 4 BIG-IP LTM 1600 from version 9.4.8 to version 10.0.1 HF2. Since this upgrade, we receive a lot of SNMP traps like this:

TRAP V2C INDEFINIE OID: .1.3.6.1.4.1.3375.2.4.0.29 AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=1 host=10.0.0.1 attempts=1 start=\'Mon Nov 2 17:47:00 2009\' end=\'Mon Nov 2 18:07:29 2009\'.

The message in /var/log/audit:

Nov 2 18:07:29 local/ notice httpd[4682]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=1 host=10.0.0.1 attempts=1 start="Mon Nov 2 17:47:00 2009" end="Mon Nov 2 18:07:29 2009"

It seems that we have an SNMP trap message for each connection on the BIG-IP.

I searched on AskF5 and tried to disable these messages by disabling bigpipe audit logging (in System -> Logs -> Options), which was enabled after the upgrade.

But we still receive the traps...

- Do you know how to disable traps for this kind of message?

- Do you know why there is an HTTPS connection between the two boxes of a redundant pair?

Thanks in advance,

Fabien
  • Hello,

    Some news about my problem: there is a SOL about my audit log messages: https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10261.html. This SOL explains how to enable these messages, but I want to disable that, and setting audit logging to "disable" doesn't work…

    I've seen a difference between version 9.4.8 and 10.0.1 in the directory /etc/alertd/:

    version 10.0.1:

    bigip_shell_error_maps.h:0 LOG_NOTICE 012e0045 BIGIP_SHELL_BP_AUDIT "AUDIT - user %s - %s"

    version 9.4.8:

    ./bigip_shell_error_maps.h:0 LOG_ERR 012e0045 BIGIP_SHELL_BP_AUDIT "AUDIT - user %s - %s"

    Maybe it's this parameter (LOG_NOTICE or LOG_ERR) that I should change, but how can we do that without changing the file itself, through the GUI or some bigpipe command?

    Thanks!

    Fabien
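Added example, not part of the posts above and not F5 code: a small Python parser for the `httpd(mod_auth_pam)` session records quoted in the thread, which counts records per source host and user so you can see which address (for example the peer unit of a redundant pair) is generating them. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

RECORD = re.compile(r"AUDIT - user (\S+) - RAW: httpd\(mod_auth_pam\): (.*)")
# key=value pairs; values may be bare, "quoted" (audit file) or \'quoted\' (trap text)
FIELD = re.compile(r"""(\w+)=(?:\\?["'](.*?)\\?["']|(\S+))""")
TIME_FMT = "%a %b %d %H:%M:%S %Y"

def parse_audit_line(line):
    """Return a dict for one mod_auth_pam session record, or None if it is not one."""
    m = RECORD.search(line)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(m.group(2))}
    try:
        start = datetime.strptime(fields["start"], TIME_FMT)
        end = datetime.strptime(fields["end"], TIME_FMT)
        attempts = int(fields.get("attempts", "0"))
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    return {"user": m.group(1), "host": fields.get("host"),
            "level": fields.get("level"), "attempts": attempts,
            "seconds": int((end - start).total_seconds())}

def sessions_by_source(lines):
    """Count session records per (host, user) to see which peers generate them."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            counts[(rec["host"], rec["user"])] += 1
    return counts

# First line is the record quoted in the post; the other two are constructed.
SAMPLE = [
    'Nov 2 18:07:29 local/ notice httpd[4682]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=1 host=10.0.0.1 attempts=1 start="Mon Nov 2 17:47:00 2009" end="Mon Nov 2 18:07:29 2009"',
    'Nov 2 18:09:10 local/ notice httpd[4682]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=1 host=10.0.0.1 attempts=1 start="Mon Nov 2 18:08:00 2009" end="Mon Nov 2 18:09:10 2009"',
    'Nov 2 18:09:11 local/ notice example[1]: constructed line that is not a session record',
]

if __name__ == "__main__":
    for (host, user), n in sessions_by_source(SAMPLE).most_common():
        print(f"{host} {user} {n}")
```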