Forum Discussion

Cory_Blankenshi's avatar
Cory_Blankenshi
Icon for Altostratus rankAltostratus
Mar 21, 2018

How to Find User Account Changes

Hi all,

 

I am trying to research why a user's account on our F5 was set to no access. I looked through the user.log and secure logs via the CLI but I could find anything for that user's account.

 

Any thoughts on where else I should look and/or suggestions no how to figure out when the change was made?

 

Thanks!

 

  • If Audit Logging is enabled (Default in Versions >= 11.6) you will find a corresponding Log entry in the Audit Log /var/log/audit.

     

    When searching in the file is not comfortable enough you could upload a QKVIEW to IHealth and check out Security -> Overview. Here you are able to select Audit Log Entries based on a Time-Line.

     

    If you want to enable Audit Logging for TMSH / WebUI on a Big IP prior 11.6 execute the following: tmsh modify sys daemon-log-settings mcpd audit enabled tmsh modify sys db config.auditing value enable