For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Christoph_Lange's avatar
Christoph_Lange
Icon for Altostratus rankAltostratus
May 15, 2013

radius authentication alert logging

I get a log entry, even though the user is properly authenticated - it's the same for ssh and http:   May 15 09:22:40 f5devicename alert httpd[12843]: pam_unix(httpd:account): could not identify u...
management
monitoring
nitass's avatar
nitass
Icon for Employee rankEmployee
May 23, 2013
after you change auth-priv-from (modify sys syslog...) and save (i.e. tmsh save sys config), can you check /etc/syslog-ng/syslog-ng.conf? is syslog-ng configuration changed accordingly?

this is mine. 

 authpriv.*                                    /var/log/secure
filter f_authpriv {
    (facility(auth, authpriv) and level(err..emerg))
    or program(sshd)
    or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
    or match("pam_audit")
    ;
};

destination d_secure {
   file("/var/log/secure" create_dirs(yes));
};

log {
   source(s_syslog_pipe);
   filter(f_authpriv);
   destination(d_secure);
};

by the way, have you customized syslog-ng configuration?