Forum Discussion
radius authentication alert logging
I get a log entry, even though the user is properly authenticated - it's the same for ssh and http:
May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify user (from getpwnam(chris))
May 15 09:22:40 f5devicename notice httpd[12843]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 09:22:40 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013".
May 15 09:22:43 f5devicename notice httpd[12843]: 01070417:5: AUDIT - user chris - RAW: httpd(mod_auth_pam): user=chris(chris) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.10.10.5 attempts=1 start="Wed May 15 09:22:40 2013" end="Wed May 15 09:22:43 2013".
May 15 10:15:32 f5devicename alert sshd[7325]: pam_unix(sshd:account): could not identify user (from getpwnam(chris))
May 15 10:15:32 f5devicename notice sshd[7325]: pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:32 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".
May 15 10:15:37 f5devicename info sshd(pam_audit)[7322]: 01070417:6: AUDIT - user chris - RAW: sshd(pam_audit): user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 attempts=1 start="Wed May 15 10:15:32 2013" end="Wed May 15 10:15:37 2013".
Is there any chance to avoid this?
br, chris
7 Replies
- What_Lies_Bene1
Cirrostratus
It looks like someone has enabled audit logging perhaps. Take a look at System > Logs > Configuration > Audit Logging
- Christoph_Lange
Altostratus
I tried to disable audit logging, but the problem still there.
Any other ideas?
btw: I am using version 11.3.0
- nitass
Employee
can you try this?
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list sys syslog all-properties
sys syslog {
auth-priv-from notice
auth-priv-to emerg
console-log enabled
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include none
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers none
user-log-from notice
user-log-to emerg
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from err
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
- Christoph_Lange
Altostratus
I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem. Here you can see:
root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog auth-priv-from emerg
root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) modify sys syslog user-log-from emerg
root@(f5devicename)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list sys syslog all-properties
sys syslog {
auth-priv-from emerg
auth-priv-to emerg
console-log enabled
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include none
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers {
remotesyslog1 {
description none
host 10.10.10.8
remote-port 514
}
remotesyslog2 {
description none
host 10.10.10.9
remote-port 514
}
}
user-log-from emerg
user-log-to emerg
}
- nitass
Employee
"I tried to change both values for auth-priv-from and user-log-from to emerg, but it doesn't solve the problem."
where is the log? is it /var/log/secure? those settings affect only local log.
- Christoph_Lange
Altostratus
yes, it's /var/log/secure
- nitass
Employee
after you change auth-priv-from (modify sys syslog...) and save (i.e. tmsh save sys config), can you check /etc/syslog-ng/syslog-ng.conf? is syslog-ng configuration changed accordingly?
this is mine.
authpriv.* /var/log/secure
filter f_authpriv {
(facility(auth, authpriv) and level(err..emerg))
or program(sshd)
or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
or match("pam_audit")
;
};
destination d_secure { file("/var/log/secure" create_dirs(yes)); };
log { source(s_syslog_pipe); filter(f_authpriv); destination(d_secure); };
by the way, have you customized syslog-ng configuration?
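To see why changing auth-priv-from alone does not silence these lines, here is an added example (not from the thread and not F5's code) that models the f_authpriv filter quoted above in Python and evaluates the original poster's sample lines against it. It assumes the messages arrive on the authpriv facility and that auth-priv-from only moves the lower bound of the level(err..emerg) term; both are assumptions, not something the thread confirms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# syslog severities in ascending order of severity; syslog-ng's level(low..high)
# is an inclusive range over this ordering (level(err..emerg) = err, crit, alert, emerg).
SEVERITY_ORDER = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


@dataclass
class Msg:
    facility: str   # as syslog-ng sees it; ASSUMED for the sample lines below
    level: str      # the severity word after the hostname in the poster's lines
    program: str    # syslog PROGRAM field, i.e. the token before the [pid]
    text: str       # message body


def level_in_range(level: str, low: str, high: str) -> bool:
    """syslog-ng level(low..high): True if level lies between low and high inclusive."""
    idx = SEVERITY_ORDER.index
    return idx(low) <= idx(level) <= idx(high)


def f_authpriv(m: Msg, auth_priv_from: str = "err") -> Optional[str]:
    """Re-implementation of the quoted f_authpriv filter.

    auth_priv_from stands in for the lower bound of the level(err..emerg) term,
    which is what 'tmsh modify sys syslog auth-priv-from' is assumed to rewrite.
    program() and match() are evaluated as unanchored regex searches, which is
    syslog-ng's default for those filter functions. Returns the first clause
    that accepts the message, or None if the message is dropped.
    """
    authpriv = m.facility in ("auth", "authpriv")
    if authpriv and level_in_range(m.level, auth_priv_from, "emerg"):
        return "facility(auth,authpriv) and level(%s..emerg)" % auth_priv_from
    if re.search(r"sshd", m.program):
        return "program(sshd)"
    if authpriv and (re.search(r"httpd", m.program) or re.search(r"tamd", m.program)):
        return "facility(auth,authpriv) and program(httpd|tamd)"
    if re.search(r"pam_audit", m.text):
        return 'match("pam_audit")'
    return None


# Constructed from the poster's /var/log/secure lines. Facilities are ASSUMED:
# PAM account-phase messages are normally emitted on authpriv.
SAMPLE = [
    Msg("authpriv", "alert", "httpd",
        "pam_unix(httpd:account): could not identify user (from getpwnam(chris))"),
    Msg("authpriv", "notice", "httpd",
        "pam_bigip_authz: authenticated user chris with role 0 (Administrator) in partition [All]"),
    Msg("authpriv", "alert", "sshd",
        "pam_unix(sshd:account): could not identify user (from getpwnam(chris))"),
    Msg("authpriv", "info", "sshd(pam_audit)",
        'user=chris(chris) partition=[All] level=Administrator tty=ssh host=10.10.10.24 '
        'attempts=1 start="Wed May 15 10:15:32 2013".'),
]


def surviving(auth_priv_from: str) -> List[Tuple[str, str, str]]:
    """(program, level, clause) for every sample message that still reaches /var/log/secure."""
    out = []
    for m in SAMPLE:
        clause = f_authpriv(m, auth_priv_from)
        if clause is not None:
            out.append((m.program, m.level, clause))
    return out


if __name__ == "__main__":
    for setting in ("err", "emerg"):
        print("auth-priv-from %s:" % setting)
        for program, level, clause in surviving(setting):
            print("  %-16s %-7s kept by %s" % (program, level, clause))
```

Under this model every sample line is still written with auth-priv-from set to emerg: the pam_unix alert from httpd is kept by the program(httpd) clause and the sshd lines by program(sshd), neither of which looks at the severity. That matches the behaviour reported in the thread and is why the question about a customized syslog-ng configuration is the right next step.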