Forum Discussion
Audit logging
I was just about to post almost exactly the same message when I came across your post. In my case, I have a customized /etc/alertd/alert.conf to send me email notifications. And when I upgraded to v10, I suddenly started getting these notifications which I wasn't expecting. There is something more happening with alertd that I'd like to understand better.
As I dug into this, I confirmed (by commenting and uncommenting) that the statement catching the event (and generating emails in my case) in "/etc/alertd/alert.conf" is this:
alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {
And I guess this makes sense based only on the regex, since the event starts with the string "01070417:0". But if you look for the error code "01070417" in /var/run/bigip_error_maps.dat, you'll see this:
0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT "AUDIT - user %s - transaction %u-%u - object %u - %s"
So /etc/alertd/alert.conf considers the alert EMER status, while /var/run/bigip_error_maps.dat considers it NOTICE. That is a disconnect that I just can't wrap my head around.
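The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original post and not F5 code: it applies the quoted alert.conf regex to a log line and compares the alert's severity with the level the error map lists for the same message ID. The sample events, the assumed field order of the map line, and the assumption that the alert name ends in its severity are illustrative.

```python
import re

# Both lines are quoted verbatim from the post above.
ALERT_CONF = 'alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {'
ERROR_MAP = ('0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT '
             '"AUDIT - user %s - transaction %u-%u - object %u - %s"')

# Constructed sample events; only the "01070417:0" prefix comes from the post.
EVENT = "01070417:0: AUDIT - user admin - transaction 10-2 - object 0 - modify"
OTHER = "01070417:5: AUDIT - user admin - transaction 10-3 - object 0 - modify"

def parse_alerts(text):
    """Return [(alert_name, compiled_regex)] for each 'alert NAME "REGEX" {' line."""
    found = re.findall(r'^\s*alert\s+(\S+)\s+"(.*)"\s*\{', text, re.M)
    return [(name, re.compile(rx)) for name, rx in found]

def parse_error_map(text):
    """Return {message_id: level}. Field order is assumed from the one line shown."""
    rows = re.findall(r'^\s*\S+\s+(LOG_\w+)\s+(\d{8})\s+\S+\s+"', text, re.M)
    return {msg_id: level for level, msg_id in rows}

def audit_event(event, alerts, error_map):
    """List (alert, map_level, mismatch) for every alert whose regex fires."""
    map_level = error_map.get(event[:8], "UNKNOWN")
    findings = []
    for name, rx in alerts:
        if rx.search(event):
            # Assumption: the alert name's last token names its severity.
            alert_sev = name.rsplit("_", 1)[-1]
            findings.append((name, map_level, map_level != "LOG_" + alert_sev))
    return findings

if __name__ == "__main__":
    alerts = parse_alerts(ALERT_CONF)
    levels = parse_error_map(ERROR_MAP)
    for ev in (EVENT, OTHER):
        print(ev[:12], audit_event(ev, alerts, levels))
```

The alert fires on the text prefix of the log line alone, so any message logged with `:0:` triggers it regardless of the level recorded in the map.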
