Forum Discussion
Chris_FP
Cirrus
Aug 04, 2014
Different syslog level between WebGUI and SSH login
We need to send syslog to QRadar for Security Event logging. One of the biggest things they need to know about are logons to the F5s, either via the WebGUI or via SSH. However to reduce the amou...
nitass
Employee
Aug 06, 2014
what about this?
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
        destination d_loghost {
            udp(\"172.28.24.1\" port(514));
        };
        log {
            source(s_syslog_pipe);
            filter(f_authpriv);
            destination(d_loghost);
        };
    "
}
syslog
[root@centos1 ~] nc -l -u 514
<86>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".
<134>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".
<85>Aug 6 05:48:33 ve11a notice httpd[3763]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:33 2014".
Chris_FP
Cirrus
Aug 07, 2014
Hi Nitass,
That looks good.
Any way to "combine" my filter and that filter, as we don't want the QRadar boxes to receive "INFO" from any other processes (just authpriv, as it appears they are INFO level for SSH but NOTICE level for WebGUI...)?
Your expertise here is greatly appreciated.
Chris
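A way to check what the filter in nitass's post would forward, and why the level difference Chris describes does not matter for it: the code below is an added example, not from the thread or from F5. It decodes the <PRI> of the three lines nitass captured with nc, applies a filter equivalent to facility(authpriv) (assumed to be what f_authpriv does on the box), and normalises the pam_audit fields a SIEM rule would key on; the tty/process to channel mapping is an assumption made here.

```python
import re

# The three lines nitass captured with "nc -l -u 514" (copied from the post above).
CAPTURED = [
    '<86>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".',
    '<134>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".',
    '<85>Aug 6 05:48:33 ve11a notice httpd[3763]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:33 2014".',
]

# RFC 3164 tables: PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
PROC_RE = re.compile(r"\s(\w+)(?:\([\w.]+\))?\[\d+\]: ")
FIELD_RE = re.compile(r"\b(user|tty|host|level|attempts)=(\S+)")


def decode_pri(line):
    """Return (facility, severity) names from the leading <PRI> of a syslog line."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix: " + line[:20])
    pri = int(m.group(1))
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def authpriv_filter(line):
    """Assumed equivalent of f_authpriv, i.e. facility(authpriv): the level is ignored,
    so the INFO ssh logon and the NOTICE WebGUI logon both pass, while INFO traffic
    from other facilities (here the local0 AUDIT copy) does not."""
    return decode_pri(line)[0] == "authpriv"


def forwarded(lines):
    """Lines the d_loghost destination would actually receive."""
    return [l for l in lines if authpriv_filter(l)]


def logon_event(line):
    """Normalise a pam_audit logon line into the fields a SIEM rule would key on.
    Channel mapping (tty=ssh -> ssh, httpd -> webgui) is an assumption made here."""
    facility, severity = decode_pri(line)
    fields = dict(FIELD_RE.findall(line))
    proc = PROC_RE.search(line).group(1)
    return {
        "facility": facility, "severity": severity, "process": proc,
        "user": fields["user"].split("(")[0],  # user=root(root) -> root
        "host": fields["host"], "level": fields["level"],
        "channel": "ssh" if fields.get("tty") == "ssh" else "webgui" if proc == "httpd" else "other",
    }
```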