Forum Discussion
Chris_FP
Cirrus
Aug 04, 2014
Different syslog level between WebGUI and SSH login
We need to send syslog to QRadar for Security Event logging. One of the biggest things they need to know about are logons to the F5s, either via the WebGUI or via SSH. However to reduce the amou...
nitass
Employee
Aug 17, 2014
What about this?
// config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
        destination remote_server {
            udp(\"172.28.24.1\" port (514));
        };
        filter f_customlogs {
            level (notice..emerg)
            or program(sshd)
            or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
            or match(pam_audit)
            ;
        };
        log {
            source(s_syslog_pipe);
            filter(f_customlogs);
            destination(remote_server);
        };
    "
}
// syslog server
<86>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".
<134>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".
<85>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".
<133>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".
- Chris_FP Aug 18, 2014
Cirrus
Fantastic Nitass, that worked like a charm. Thank you very much for your help. Chris
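Added example (not part of the original thread or F5's code): a receiver-side check that decodes the PRI of each forwarded line, shows which clause of f_customlogs lets it through, and collapses the duplicate authpriv/local0 copies into one login event. The function names, the substring matching used in place of syslog-ng's regex matching, the ssh/webgui labels and the crond sample line are assumptions made for illustration.

```python
import re
# Constructed input: the four lines from the syslog-server capture above, plus one
# made-up crond line (daemon facility, info level) to show what the filter drops.
SAMPLES = [
    '<86>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".',
    '<134>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".',
    '<85>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".',
    '<133>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".',
    '<30>Aug 16 21:19:00 ve11a info crond[4242]: (root) CMD (constructed example)',
]
LINE = re.compile(r'^<(\d+)>\w{3} +\d+ [\d:]+ \S+ \w+ ([^\[\s]+)\[\d+\]: (.*)$')
LOGIN = re.compile(r'user=(\w+)\(.*?tty=(\S+) host=(\S+).*?start="([^"]+)"')

def parse(line):
    """Split a forwarded line; PRI = facility * 8 + severity (RFC 3164)."""
    m = LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "program": m.group(2), "msg": m.group(3)}

def matched_clauses(ev):
    """Simplified model of f_customlogs: the OR-clauses that would pass this event."""
    prog, hits = ev["program"], []
    if ev["severity"] <= 5:  # notice(5) down to emerg(0)
        hits.append("level(notice..emerg)")
    if "sshd" in prog:
        hits.append("program(sshd)")
    if ev["facility"] in (4, 10) and ("httpd" in prog or "tamd" in prog):  # auth=4, authpriv=10
        hits.append("facility(auth,authpriv) and program(httpd|tamd)")
    if "pam_audit" in prog or "pam_audit" in ev["msg"]:
        hits.append("match(pam_audit)")
    return hits

def unique_logins(lines):
    """Logins that pass the filter, de-duplicated across the authpriv/local0 copies."""
    seen = {}
    for line in lines:
        ev = parse(line)
        m = ev and matched_clauses(ev) and LOGIN.search(ev["msg"])
        if m:
            channel = "ssh" if "sshd" in ev["program"] else "webgui"  # assumed labels
            seen.setdefault(m.groups(), dict(user=m.group(1), channel=channel, src=m.group(3), start=m.group(4)))
    return list(seen.values())

if __name__ == "__main__":
    for ev in map(parse, SAMPLES):
        print(ev["program"], matched_clauses(ev) or "DROPPED")
```

The SSH login is logged at info level, so it only reaches the remote server through the program(sshd) and match(pam_audit) clauses, while the WebGUI login at notice already passes the level clause.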
