Forum Discussion

PabloSalvadorM_'s avatar
PabloSalvadorM_
Icon for Altostratus rankAltostratus
Oct 14, 2014

Check active admin user sessions

Hello,

 

so far I've been unable to find a way to see the active sessions in the webgui. The "w" command on shell only shows connections through cli (ssh) and not connections through the gui.

 

I've tried the tmsh command "show sys connection", and filtering the self address used to access the webgui, but it gives no output.

 

Surely there must be an easy way to do it, would some good guy be able to shed some light on this?

 

Thanks in advance, and best regards,

 

Pablo

 

  • Paulius's avatar
    Paulius
    Feb 07, 2023

    Irre_Levant I believe the only option here is to correlate the data from multiple sources rather than one command that provides everything. The following should allow you to pull the audit logs but I don't believe a command exists to look at the output of netstat.

    https://support.f5.com/csp/article/K41550738

  • Thanks, indeed it works as I can see who logged in and when he did it. But still I can't see which users have an active session, I'd be looking for some sort of "w" but for the httpd, don't even know if such thing even exists.

     

    BR,

     

    Pablo

     

  • Interesting question. No easy answer from what I can see. This will help you find out what IPs are connected to the GUI;

     

    netstat -tanpee | grep "\:443" | grep -v 127
    

     

    but beyond that there is no obvious way to gather the related Apache usernames used other than by checking and correlating information found in the various log files.

     

  • Hi Pablo.

     

    You could use netstat -na | grep 192.168.0.11 | grep ESTABLISHED

     

    This will show you the active sessions regardless of the user currently logged in. You could also get more info from the /var/log/audit logs. Below is an example of what you would tipically see when a user logs in:

     

    AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.0.11 attempts=1 start="Mon Oct 30 14:22:13 2017" end="Mon Oct 30 14:47:58 2017"

     

    Having these two pieces, you could cross match the IP address.

     

    Hope this helps.

     

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP

      Irre_Levant I believe the only option here is to correlate the data from multiple sources rather than one command that provides everything. The following should allow you to pull the audit logs but I don't believe a command exists to look at the output of netstat.

      https://support.f5.com/csp/article/K41550738

      • Irre_Levant - I'm going to tag Paulius's reply as the solution, even though it's rather a work-around? But it still seems to address the core of the issue (as far as it can go). If you disagree - let me know. Most of the rest of the members on this thread are no longer active on the community.