Forum Discussion

Evan_25555
Historic F5 Account
Apr 09, 2014

Detecting and reporting LTM object configuration changes

From carefully reading all posts related to this subject it would appear that audit logging is the preferred way to detect configuration changes (versus diffing configs). Has anyone developed an effective syslog-ng filter that only matches changes made by humans in tmsh or the WebUI? After having typed this, it occurs to me that the audit log will never detect changes made by directly editing /config/bigip.conf, or will it?

3 Replies

  • As to direct changes of the bigip.conf file, you will see the file load in the audit log (and who loaded it). Since direct edits to the bigip.conf are frowned upon in general, I'd think you would know someone made an unapproved edit whenever a tmsh load was issued.

    As a side note, with mcpd audit logging set to 'verbose', you'll see every line in the configuration loaded when a tmsh load sys config is issued.

  • Evan_25555
    Historic F5 Account

    I've done some experimenting with filtering and am still falling short. I devised a simple compound 'or' filter based on actual output from /var/log/audit. While this is far from a complete solution, I should still see matches for adding, deleting or modifying a Virtual Server. Instead I see regular messages about the device groups.

    Here's my attempt at the filter:

    include "source s_audit { file(/var/log/audit); }; destination d_filtered_audit { file(/var/log/filtered_audit); }; filter f_match { match ('create') or match ('obj_delete') or match ('modify'); }; log {source(s_audit);filter(f_match);destination(d_filtered_audit); };"

  • Evan_25555
    Historic F5 Account

    Problem solved. By replacing the source (/var/log/audit) with source (local), this works.

    I will post my complete reporting solution by week end.
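The thread's approach (match create/delete/modify in /var/log/audit, and treat a "load sys config" as the sign that someone edited bigip.conf by hand) can be checked offline before it goes into a syslog-ng filter. The following is an added example, not code from the thread or from F5: it parses a handful of constructed audit lines, keeps only tmsh command entries whose verb is a change verb, and flags config loads. The line format used here is an assumption modelled on typical tmsh audit entries; compare it against your own device's /var/log/audit before relying on the regex. A plain substring filter in the style of the post is included alongside it to show why the device-group noise appears and why "delete" commands slip through that filter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the style of BIG-IP /var/log/audit tmsh entries.
# ASSUMPTION: field layout (pid=, user=, folder=, module=, status=, cmd_data=)
# follows what a tmsh audit line typically looks like; verify on a real device.
SAMPLE_AUDIT_LOG = """\
Apr  9 10:01:12 bigip1 notice tmsh[21034]: 01420002:5: AUDIT - pid=21034 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create ltm virtual vs_web destination 10.0.0.10:80 pool pool_web
Apr  9 10:02:40 bigip1 notice tmsh[21034]: 01420002:5: AUDIT - pid=21034 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual vs_web
Apr  9 10:03:05 bigip1 notice tmsh[21034]: 01420002:5: AUDIT - pid=21034 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm virtual vs_web pool pool_web2
Apr  9 10:04:00 bigip1 notice mcpd[4213]: 01070417:5: AUDIT - client mcpd, user root - transaction #30711-2 - object 0 - modify { device_group_name "dg_sync" } [Status=Command OK]
Apr  9 10:05:17 bigip1 notice tmsh[21034]: 01420002:5: AUDIT - pid=21034 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=delete ltm virtual vs_web
Apr  9 10:06:30 bigip1 notice tmsh[21050]: 01420002:5: AUDIT - pid=21050 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config
"""

# Only tmsh-originated entries carry a cmd_data field; mcpd's own bookkeeping
# (device-group sync and similar) is deliberately not matched by this pattern.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ tmsh\[\d+\]: \S+ AUDIT - "
    r"pid=\d+ user=(?P<user>\S+) folder=(?P<folder>\S+) module=\S+ "
    r"status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)

# Verbs that alter configuration. "load" is kept because a config load is the
# audit trail left behind when someone edits bigip.conf directly.
CHANGE_VERBS = {"create", "modify", "delete", "load"}


@dataclass
class ChangeEvent:
    timestamp: str
    user: str
    verb: str
    target: str
    status: str
    note: Optional[str] = None


def parse_line(line: str) -> Optional[ChangeEvent]:
    """Return a ChangeEvent for a tmsh change command, else None."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    verb, _, rest = cmd.partition(" ")
    if verb not in CHANGE_VERBS:
        return None  # read-only commands such as list/show are ignored
    note = None
    if verb == "load" and rest.startswith("sys config"):
        note = "config load: possible direct edit of /config/bigip.conf"
    return ChangeEvent(m.group("ts"), m.group("user"), verb, rest, m.group("status"), note)


def extract_changes(log_text: str) -> List[ChangeEvent]:
    """Parse every line and keep only configuration-changing tmsh commands."""
    return [ev for ev in (parse_line(ln) for ln in log_text.splitlines()) if ev]


def naive_substring_matches(log_text: str) -> List[str]:
    """Substring filter in the spirit of the thread's 'or' match, for comparison."""
    keys = ("create", "obj_delete", "modify")
    return [ln for ln in log_text.splitlines() if any(k in ln for k in keys)]


if __name__ == "__main__":
    for ev in extract_changes(SAMPLE_AUDIT_LOG):
        flag = f"  <-- {ev.note}" if ev.note else ""
        print(f"{ev.timestamp} {ev.user:6} {ev.verb:6} {ev.target}{flag}")
    print(f"\nnaive filter matched {len(naive_substring_matches(SAMPLE_AUDIT_LOG))} lines")
```

On the constructed input the parser yields four events (create, modify, delete, and the flagged load), while the substring filter matches three lines: it picks up the mcpd device-group "modify" line that has nothing to do with an operator's command, and it never matches the tmsh "delete" line because that line contains "delete", not "obj_delete". Anchoring on the tmsh cmd_data verb rather than on bare substrings is what keeps the sync chatter out.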