Christoph_Lange
May 15, 2013
radius authentication alert logging
I get a log entry, even though the user is properly authenticated - it's the same for ssh and http:
May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify user (from getpwnam(chris))
May 15 09:22:40 f5devicename notice httpd[12843]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 09:22:40 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013".
May 15 09:22:43 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013" end="Wed May 15 09:22:43 2013".
May 15 10:15:32 f5devicename alert sshd[7325]: pam_unix(sshd:account): could not identify user (from getpwnam(chris))
May 15 10:15:32 f5devicename notice sshd[7325]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".
Is there any chance to avoid this?
br, chris
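The pattern in the lines above (a pam_unix "could not identify user" alert, immediately followed by pam_bigip_authz granting a role to the same user from the same daemon pid) is what a remotely authenticated user with no local passwd entry looks like. Rather than suppressing the alert, a defender can correlate it: paired alerts are the expected benign case, unpaired ones are the entries actually worth reading. The script below is an added example, not code from the thread or from F5; the log lines are constructed from the post, with one extra alert (user "mallory", pid 8110) invented so that the unpaired case is exercised.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the lines in the post above: one pam_unix alert
# followed by the pam_bigip_authz message for the same daemon process, plus one
# invented alert (user "mallory", pid 8110) that never gets an authorization line.
SAMPLE_LOG = """\
May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify user (from getpwnam(chris))
May 15 09:22:40 f5devicename notice httpd[12843]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 10:15:32 f5devicename alert sshd[7325]: pam_unix(sshd:account): could not identify user (from getpwnam(chris))
May 15 10:15:32 f5devicename notice sshd[7325]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 11:02:07 f5devicename alert sshd[8110]: pam_unix(sshd:account): could not identify user (from getpwnam(mallory))
"""

# Line layout as the device writes it: "<timestamp> <host> <level> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
GETPWNAM_RE = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)")
AUTHZ_RE = re.compile(
    r"pam_bigip_authz: authenticated user (?P<user>\S+) with role (?P<role>\d+) \((?P<rolename>[^)]+)\)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields; None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each pam_unix 'could not identify user' alert with a later pam_bigip_authz
    message from the same program and pid for the same user.

    A paired alert is the expected benign pattern for a remotely authenticated user
    who has no local passwd entry; an unpaired one means the account stage failed
    and no authorization followed, so it deserves a look.
    """
    pending: Dict[tuple, Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["prog"], rec["pid"])
        m = GETPWNAM_RE.search(rec["msg"])
        if m:
            finding = {"ts": rec["ts"], "prog": rec["prog"], "pid": rec["pid"],
                       "user": m["user"], "resolved": False, "role": None}
            pending[key] = finding
            findings.append(finding)
            continue
        m = AUTHZ_RE.search(rec["msg"])
        if m and key in pending and pending[key]["user"] == m["user"]:
            pending[key]["resolved"] = True
            pending[key]["role"] = m["rolename"]
            del pending[key]
    return findings


def unresolved(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the alerts that were never followed by an authorization for that pid/user."""
    return [f for f in findings if not f["resolved"]]


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        state = (f"benign, authorized as {f['role']}" if f["resolved"]
                 else "UNRESOLVED: no authorization followed")
        print(f"{f['ts']} {f['prog']}[{f['pid']}] user={f['user']}: {state}")
```

The pairing key is (program, pid) because both the alert and the pam_bigip_authz line come from the same daemon process handling the session; a correlation on user name alone would let an unrelated successful login mask a failed one.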
- What_Lies_Bene1
It looks like someone has enabled audit logging perhaps. Take a look at System > Logs > Configuration > Audit Logging.
- Christoph_Lange
I tried to disable audit logging, but the problem is still there.
Any other ideas?
btw: I am using version 11.3.0
- can you try this?
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list sys syslog all-properties
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include none
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers none
    user-log-from notice
    user-log-to emerg
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from err
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
- Christoph_Lange
I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem. Here you can see:
root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from emerg
- "I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem."
Where is the log? Is it /var/log/secure? Those settings affect only the local log.
- Christoph_Lange
Yes, it's /var/log/secure.
- After you change auth-priv-from (modify sys syslog ...) and save (i.e. tmsh save sys config), can you check /etc/syslog-ng/syslog-ng.conf? Is the syslog-ng configuration changed accordingly?
authpriv.* /var/log/secure

filter f_authpriv {
    (facility(auth, authpriv) and level(err..emerg))
    or program(sshd)
    or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
    or match("pam_audit");
};
destination d_secure { file("/var/log/secure" create_dirs(yes)); };
log { source(s_syslog_pipe); filter(f_authpriv); destination(d_secure); };