Forum Discussion
Audit logging
I've configured an external syslog, and I'm getting the syslog full of messages like this:
Looks like it's due to configsync notification being active. Audit logging is disabled.
Any way to get rid of this?
Thanks
10 Replies
- hoolio
Cirrostratus
That looks like audit logging from the admin GUI's httpd. You could create a filter on syslog-ng to not send the audit logs remotely. For 9.4.2 or higher, you can check this article and recent post for details:
Customizing syslog-ng f_local0 filter
http://devcentral.f5.com/tabid/1082223/aff/32/afv/topic/aft/1172264/afc/1172992/Default.aspx
Custom Syslog Config
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/155/LTM-942-Custom-Syslog-Configuration.aspx
Aaron - smp_86112
Cirrostratus
I was just about to post almost exactly the same message when I came across your post. In my case, I have a customized /etc/alertd/alert.conf to send me email notifications. And when I upgraded to v10, I suddenly started getting these notifications which I wasn't expecting. There is something more happening with alertd that I'd like to understand better.
As I dug into this, I confirmed (by commenting and uncommenting) that the statement catching the event (and generating emails in my case) in "/etc/alertd/alert.conf" is this:
alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {
And I guess this matches based only on the regex, since the event starts with the string "01070417:0". But if you look for the error code "01070417" in /var/run/bigip_error_maps.dat, you'll see this:
0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT "AUDIT - user %s - transaction %u-%u - object %u - %s"
So /etc/alertd/alert.conf considers the alert EMER status, while /var/run/bigip_error_maps.dat considers it NOTICE. That is a disconnect that I just can't wrap my head around.
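The regex-versus-error-map disconnect described in this reply can be checked mechanically rather than by commenting rules in and out. The following is an added example, not code from the thread or from F5: it parses constructed lines in the two formats quoted above (an alert.conf-style rule header and a bigip_error_maps.dat-style entry), fires each rule against constructed log events, and reports every case where the level implied by the rule name (BIGIP_LOG_<LEVEL>) disagrees with the level the error map assigns to the event's code. Only the 01070417 map entry and the BIGIP_LOG_EMERG rule come from the post; the second rule, the other map lines and the events are hypothetical.

```python
import re

# Syslog level names as they appear in LOG_<LEVEL> and BIGIP_LOG_<LEVEL> identifiers.
SYSLOG_LEVELS = {"EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"}

# Constructed sample in the layout the thread quotes for /var/run/bigip_error_maps.dat:
# flags, syslog level, hex error code, symbolic name, format string.
# Only the 01070417 line is taken from the thread; the other two are hypothetical.
ERROR_MAP_SAMPLE = """\
0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT "AUDIT - user %s - transaction %u-%u - object %u - %s"
0 LOG_EMERG 01070001 HYPOTHETICAL_FATAL "Hypothetical fatal condition: %s"
0 LOG_WARNING 01070003 HYPOTHETICAL_WARN "Hypothetical warning: %s"
"""

# Constructed alert.conf-style rule headers. The first is the one quoted in the thread;
# the second is a hypothetical narrower rule for comparison.
ALERT_CONF_SAMPLE = """\
alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {
alert BIGIP_LOG_NOTICE "^01070417:0: (.*)" {
"""

# Constructed log events in the "CODE:N: text" shape the thread describes.
EVENTS_SAMPLE = [
    "01070417:0: AUDIT - user admin - transaction 12-3 - object 45 - pool p_web created",
    "01070001:0: Hypothetical fatal condition: disk full",
]

MAP_LINE = re.compile(r'^(\d+)\s+(LOG_[A-Z]+)\s+([0-9a-fA-F]{8})\s+(\S+)\s+"(.*)"\s*$')
ALERT_LINE = re.compile(r'^alert\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s*\{')


def parse_error_map(text):
    """Map lower-case hex error code -> (syslog level, symbolic name)."""
    out = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if m:
            _flags, level, code, symbol, _fmt = m.groups()
            out[code.lower()] = (level, symbol)
    return out


def parse_alert_conf(text):
    """List of (alert name, compiled regex) from 'alert NAME "regex" {' headers."""
    rules = []
    for line in text.splitlines():
        m = ALERT_LINE.match(line)
        if m:
            rules.append((m.group(1), re.compile(m.group(2))))
    return rules


def matching_alerts(event, rules):
    """Names of all alert rules whose regex fires on this event, in file order."""
    return [name for name, rx in rules if rx.search(event)]


def severity_mismatches(events, rules, error_map):
    """
    For every event and every rule that fires on it, compare the level implied by the
    rule name (BIGIP_LOG_<LEVEL>) with the level the error map assigns to the event's
    code. Return (code, rule name, map level) for each disagreement.
    """
    mismatches = []
    for event in events:
        code = event.split(":", 1)[0].lower()
        map_level = error_map.get(code, (None, None))[0]
        for name in matching_alerts(event, rules):
            rule_level = name.rsplit("_", 1)[-1]
            if rule_level not in SYSLOG_LEVELS or map_level is None:
                continue  # rule name carries no level, or code unknown to the map
            if map_level != "LOG_" + rule_level:
                mismatches.append((code, name, map_level))
    return mismatches


if __name__ == "__main__":
    emap = parse_error_map(ERROR_MAP_SAMPLE)
    rules = parse_alert_conf(ALERT_CONF_SAMPLE)
    for code, name, level in severity_mismatches(EVENTS_SAMPLE, rules, emap):
        print(f"{code}: rule {name} fires, but the error map says {level}")
```

Run as a script it prints that 01070417 is caught by BIGIP_LOG_EMERG although the map rates it LOG_NOTICE, which is exactly the disconnect above. Pointed at a full error map and a real alert.conf, the same function lists every code that a broad "^[0-9]{8}:0: " pattern sweeps into the EMERG bucket, so the rule can be narrowed before the next upgrade changes what gets logged.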
- fmartos_30060
Nimbostratus
We have been able to filter the message on the syslog, but it is quite annoying to have this message appearing in the GUI log... Any idea how to avoid this message appearing in the GUI log? - jba3126
Cirrostratus
I'm getting similar messages as the one listed above. Is there a way to only send the following messages to a single syslog server?
/var/log/messages
/var/log/audit
/var/log/ltm
I followed the instructions in the article link above; however, it didn't do a very good job of explaining what the filters are doing :( - hoolio
Cirrostratus
Hi Jeff,
I think this should work, but I'd test it on a test unit first.
Add this to a temp file named syslog.inc:
syslog include " destination d_messages { file("/var/log/messages" create_dirs(yes)); udp(\"10.0.0.1\" port (514)); }; destination d_audit { file("/var/log/audit" create_dirs(yes)); program("/usr/bin/audit_forwarder"); udp(\"10.0.0.1\" port (514)); }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); udp(\"10.0.0.1\" port (514)); };"
Then load it into memory:
bpsh < syslog.inc
Test to verify the configuration is working.
If it does, then run:
b save all
If it does not, run:
b syslog include none
b save all
Aaron - jba3126
Cirrostratus
Aaron, I received several errors. I'm doing my best to review as to why. See if the example below is correct. I made these adjustments based on examples I see in syslog-ng.conf as well as what is provided above.
[root@LAB-Practice-LB2:Active] config bpsh < syslog.inc
BIGpipe parsing error:
012e0022:3: The requested value (/var/log/messages" create_dirs(yes));) is invalid (show | ( | none)) for 'include' in 'syslog'
BIGpipe parsing error:
012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (};) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (destination d_audit {) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (file("/var/log/audit" create_dirs(yes));) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (program("/usr/bin/audit_forwarder");) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (};) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (destination d_ltm {) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (file("/var/log/ltm" create_dirs(yes));) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
BIGpipe parsing error:
012e0008:3: The requested command (} ;") is invalid
=======================================================
syslog include " destination d_messages { file(\"/var/log/messages\" create_dirs(yes)); udp(\"10.1.32.34\" port (514)); }; destination d_audit { file(\"/var/log/audit\" create_dirs(yes)); program(\"/usr/bin/audit_forwarder\"); udp(\"10.1.32.34\" port (514)); }; destination d_ltm { file(\"/var/log/ltm\" create_dirs(yes)); udp(\"10.1.32.34\" port (514)); };" - jba3126
Cirrostratus
I loaded the syslog.inc above without errors. With that said, this is what I have configured so far:
[root@LAB-Practice-LB2:Active] config b syslog include
SYSLOG - Include Data: destination d_messages { file("/var/log/messages" create_dirs(yes)); udp("10.1.32.34" port (514)); }; destination d_audit { file("/var/log/audit" create_dirs(yes)); program("/usr/bin/audit_forwarder"); udp("10.1.32.34" port (514)); }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); udp("10.1.32.34" port (514)); };
When I checked my syslog server, I'm still seeing messages as follows:
5/25/11
12:21:25.000 PM May 25 12:21:25 10.1.29.55 May 25 12:21:25 LAB-Practice-LB2 logger: [ssl_req][25/May/2011:12:21:25 -0400] 10.1.29.54 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 Options| sourcetype=syslog Options| source=Syslogs Options
They appear to be coming from the following:
[root@LAB-Practice-LB2:Active] httpd pwd
/var/log/httpd
[root@LAB-Practice-LB2:Active] httpd ls -lrt
total 1712
-rw-r--r-- 1 root root 0 Jul 7 2005 access_log
-rw-r--r-- 1 root root 724 May 25 11:02 httpd_errors
-rw-r--r-- 1 root root 505968 May 25 12:28 ssl_request_log
-rw-r--r-- 1 root root 469392 May 25 12:28 ssl_access_log
Also I see messages from crond:
12:34:01.000 PM May 25 12:34:01 10.1.29.55 May 25 12:34:01 LAB-Practice-LB2 crond[8984]: (syscheck) CMD (/usr/bin/system_check -q)
host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 Options| sourcetype=syslog Options| source=Syslogs Options
Would it be better to filter all and then allow the ones you've provided? I'm very new to syslogging, so thank you in advance for your patience. I do appreciate your time and insight. - hoolio
Cirrostratus
Which version are you testing this on?
Thanks, Aaron - jba3126
Cirrostratus
I was out of pocket with the holiday weekend. I'm working with 9.4.8 HF2. - jba3126
Cirrostratus
I tried this solution (http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9442.html) provided by F5 for filtering the Config Sync Detect events.
5/25/11
12:21:25.000 PM May 25 12:21:25 10.1.29.55 May 25 12:21:25 LAB-Practice-LB2 logger: [ssl_req][25/May/2011:12:21:25 -0400] 10.1.29.54 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 Options| sourcetype=syslog Options| source=Syslogs Options
The problem with this solution is when you sync the configuration it overwrites the peer address being filtered.
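The run of "requested command ... is invalid" errors earlier in the thread comes from the inner double quotes: the error output shows the syslog include argument being cut at /var/log/messages and the remaining pieces rejected one by one, and the corrected one-liner that loaded cleanly escapes every inner quote as \". As an added example (not the thread's or F5's own code), the Python below builds that escaped one-liner from a readable multi-line syslog-ng snippet and checks a command for unescaped inner quotes before it is fed to bpsh. The snippet mirrors the destinations posted above with a documentation-range placeholder address (192.0.2.10); bpsh's own tokenizing is not modelled, only the quote balance that the errors point at.

```python
# Constructed multi-line syslog-ng snippet in the shape of the destinations posted in
# this thread; 192.0.2.10 is a placeholder for the remote collector, not a real host.
SNIPPET = """\
destination d_messages { file("/var/log/messages" create_dirs(yes)); udp("192.0.2.10" port (514)); };
destination d_audit { file("/var/log/audit" create_dirs(yes)); program("/usr/bin/audit_forwarder"); udp("192.0.2.10" port (514)); };
destination d_ltm { file("/var/log/ltm" create_dirs(yes)); udp("192.0.2.10" port (514)); };
"""

# Constructed command in the shape of the first attempt in the thread: file() quotes
# left bare, udp() quotes escaped. This is the form that produced the parsing errors.
BROKEN = r'syslog include " destination d_messages { file("/var/log/messages" create_dirs(yes)); udp(\"192.0.2.10\" port (514)); };"'

OUTER_PREFIX = 'syslog include "'


def bpsh_syslog_include(snippet):
    """Collapse a multi-line syslog-ng snippet to one line and wrap it as a bpsh
    'syslog include "..."' command, escaping every inner double quote with a backslash."""
    body = " ".join(line.strip() for line in snippet.splitlines() if line.strip())
    return OUTER_PREFIX + body.replace('"', '\\"') + '"'


def quoted_body(command):
    """Return the text between the outer quotes of a 'syslog include "..."' command."""
    start = command.index('"') + 1
    end = command.rindex('"')
    if end < start:
        raise ValueError("no closing quote")
    return command[start:end]


def unescaped_inner_quotes(command):
    """Offsets (within the quoted body) of double quotes not preceded by a backslash.
    Each one would end the argument early; an empty list means the command is safe."""
    body = quoted_body(command)
    offsets = []
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if body[i] == '"':
            offsets.append(i)
        i += 1
    return offsets


def first_cut(command):
    """Text following the first unescaped inner quote, or None when the command is
    safe. This is the fragment that ends up being parsed as a separate, invalid value."""
    offsets = unescaped_inner_quotes(command)
    if not offsets:
        return None
    return quoted_body(command)[offsets[0] + 1:]


def include_body(command):
    """Undo the escaping: the syslog-ng text that would be stored as include data."""
    return quoted_body(command).replace('\\"', '"')


if __name__ == "__main__":
    cmd = bpsh_syslog_include(SNIPPET)
    print(cmd)
    print("safe:", not unescaped_inner_quotes(cmd))
    print("broken command cut at:", first_cut(BROKEN)[:40])
```

For the constructed BROKEN command, first_cut() returns text starting with /var/log/messages" create_dirs(yes));, the same fragment the first BIGpipe error above complains about; for the generated command it returns None, and include_body() gives back the original snippet on one line, which is what a later b syslog include should display.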