Forum Discussion
henry_kay_36032
Nimbostratus
Sep 22, 2011
interpreting logs
Hi guys,
I am wondering how do I interpret the following logs? The obvious ones I understand, such as date, time, etc., but the others such as "Local6.info", I am having difficulties understanding them.
Is there a syntax manual for reading the logs available??
Would appreciate any help given.
Thanks in advance.
2011-08-30 00:00:56 Local6.Info 192.168.145.41 Aug 30 00:00:58 local/SGDC2SE1LB01 info logger: [ssl_req][30/Aug/2011:00:00:58 +0800] 146.215.56.58 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
2011-08-30 00:00:59 Cron.Info 192.168.145.41 Aug 30 00:01:01 local/SGDC2SE1LB01 info crond[11759]: (root) CMD (run-parts /etc/cron.hourly)
2011-08-30 00:01:59 Cron.Info 192.168.145.41 Aug 30 00:02:01 local/SGDC2SE1LB01 info crond[11854]: (syscheck) CMD (/usr/bin/system_check -q)
2011-08-30 00:29:56 System0.Debug 192.168.145.41 Aug 30 00:29:59 local/SGDC2SE1LB01 debug httpd[9372]: pam_bigip_authz: pam_sm_authenticate returning status SUCCESS
6 Replies
- Hamish
Cirrocumulus
Local6.info is the facility (Local6) and level (Info) of the log message (Google syslog for info on facilities and levels for syslog).
The rest of that line seems to be the client IP (146.215.56.58), encryption standard (TLSv1), encryption level (AES256 using SHA hashing and an RSA key with Diffie-Hellman I think), and the "POST ..." tells you the method, URI and HTTP version requested via iControl returning 437 bytes...
The crond lines are from crond (Google crond for an in-depth explanation, but it runs processes at regular intervals). This one is running cron.hourly and doing a system check. The number in brackets after crond is the process ID that was running.
The last one is a message from httpd (Apache), telling you a user was authenticated via PAM (Pluggable Authentication Module) successfully...
Probably not a single manual for all that... Not that I've seen anyway, but syslog is your first port of call; it'll explain the general syslog line format. And from that you can find which app/program is logging and find out its log format separately.
H
- Devdas_14877
Nimbostratus
Hi
How can I disable this kind of notification? I mean iControl DHE-RSA .......
I have a lot of lines in my syslog.
Best regards
Devdas.
- hoolio
Cirrostratus
Here you go:
sol9442: Suppressing peer iControl access message logging
http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9442.html
Aaron
- Devdas_14877
Nimbostratus
Thank you very much
I will try this
Best regards
Devdas
- Devdas_14877
Nimbostratus
Hi
I still have the messages:
info logger: [ssl_acc] 1.1.1.245 - admin [01/Dec/2011:14:32:43 +0100] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 437
from both of my F5s.
Any ideas please?
Devdas
- nitass
Employee
have you done sol9442 but the message is still generated?
if yes, can you post output of "b syslog include" command?
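
Added example, not part of any post in this thread: a small parser that applies the reading given in the first reply, splitting a line into facility, level, the syslog PRI value (facility*8 + severity, per the syslog RFCs), the logging program and PID, and the ssl_req fields. Treating the first three fields as the collector's receive time, Facility.Level and sending host is an assumption, as are the tab separators in the sample lines and all function and field names.

```python
import re

# Standard syslog numeric codes (RFC 5424). Collector-specific facility
# names such as "System0" are deliberately left unmapped (pri becomes None).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "cron": 9, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Collector prefix: receive time, Facility.Level, sender IP, forwarded message.
# \s* accepts the fields whether they are tab-separated or run together.
PREFIX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*([A-Za-z]+\d?)\.([A-Za-z]+)"
                    r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(.*)$")
# Device part: timestamp, host, level, then program name and optional [pid].
TAG = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \w+ ([^\s:\[]+)(?:\[(\d+)\])?:")
# ssl_req body; field names follow the reading given in the first reply.
SSL_REQ = re.compile(r'\[ssl_req\]\[([^\]]+)\] (\S+) (\S+) (\S+) '
                     r'"(\S+) (\S+) (\S+)" (\d+|-)')
SSL_KEYS = ("time", "client", "protocol", "cipher", "method", "uri", "http", "bytes")

def parse_line(line):
    """Split one collector line into its fields; None if the prefix is absent."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    received, fac, sev, sender, msg = m.groups()
    f, s = FACILITY.get(fac.lower()), SEVERITY.get(sev.lower())
    tag = TAG.match(msg)
    rec = {"received": received, "facility": fac, "level": sev, "sender": sender,
           "pri": None if f is None or s is None else f * 8 + s,
           "program": tag.group(1) if tag else None,
           "pid": tag.group(2) if tag else None}
    req = SSL_REQ.search(msg)
    if req:
        rec["ssl_req"] = dict(zip(SSL_KEYS, req.groups()))
    return rec

# Sample input: two lines from the question, with tab separators assumed.
SAMPLE = [
    '2011-08-30 00:00:56\tLocal6.Info\t192.168.145.41\tAug 30 00:00:58 local/SGDC2SE1LB01 '
    'info logger: [ssl_req][30/Aug/2011:00:00:58 +0800] 146.215.56.58 TLSv1 '
    'DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437',
    '2011-08-30 00:00:59\tCron.Info\t192.168.145.41\tAug 30 00:01:01 local/SGDC2SE1LB01 '
    'info crond[11759]: (root) CMD (run-parts /etc/cron.hourly)',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

Grouping the parsed records by program and facility shows which source produces most of the volume before deciding what to suppress.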