For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Lokesh_R's avatar
Lokesh_R
Icon for Nimbostratus rankNimbostratus
Apr 11, 2019

No IP Address observe in logs

I could see someone created new user account using admin account ,but how i can track them in logs i couldn't see the IP address . is it default behavior on F5 it will not show IP address ?..   no...
LTM
security
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 16, 2019

Hi,

 

for information you don't have source IP user in audit logs.

 

you have the following info in this logs:

 

  • Timestamp: The time and date that the system logged the event message.
  • User Name: The name of the user who made the configuration change
  • Transaction ID: the identification number of the configuration change.
  • Event: A description of the configuration change that caused the system to log the message.

So you don't have the source IP of the user in the audit logs and you cant' set it.

 

So it's why F5 and best practice preconise us to set nominative identifiers. I advise you to change admin and root password then create a specific users for each user (you can use external auth: ldap, radius, ad, ldap...). It will allowed you to avoir this kind of problem...

 

For you problem you can check when the user was created then connect in CLI and check secure logs.

 

/var/logs/secure

 

and during this period look at the IPs of the users who are authenticating with the administrator account.

 

Hope it help you.

 

regards