For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sani's avatar
Sani
Icon for Nimbostratus rankNimbostratus
Dec 06, 2016

What could be the reason for the APM log "user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys db"

Hello Everyone,

 

I see the following entry in APM logs every 10 minutes. Is this Normal? Can someone give some info about why this message appear in the logs.

 

Nov 28 12:11:02 F5-APM notice tmsh[24299]: 01420002:5: AUDIT - pid=24299 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt

 

Nov 28 12:11:02 F5-APM notice tmsh[24303]: 01420002:5: AUDIT - pid=24303 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db

 

Nov 28 12:21:02 F5-APM notice tmsh[24741]: 01420002:5: AUDIT - pid=24741 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt

 

Nov 28 12:21:03 F5-APM notice tmsh[24745]: 01420002:5: AUDIT - pid=24745 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db

 

Nov 28 12:31:01 F5-APM notice tmsh[25181]: 01420002:5: AUDIT - pid=25181 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt Nov 28 12:31:02 F5-APM notice tmsh[25185]: 01420002:5: AUDIT - pid=25185 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db

 

Nov 28 12:41:02 F5-APM notice tmsh[25623]: 01420002:5: AUDIT - pid=25623 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt

 

Nov 28 12:41:02 F5-APM notice tmsh[25627]: 01420002:5: AUDIT - pid=25627 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db Nov 28 12:51:02 F5-APM notice tmsh[26065]: 01420002:5: AUDIT - pid=26065 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt

 

Nov 28 12:51:03 F5-APM notice tmsh[26069]: 01420002:5: AUDIT - pid=26069 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db

 

The following BugID was fixed in 11.4.x TMOS version

 

ID 387803 Users will no longer see the following message every minute in /var/log/audit (when config.auditing is enabled): notice tmsh[13814]: 01420002:5: AUDIT - pid=13814 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db ucs.loadtime one-line

 

We are running version 12.1.1 HF1. So please suggest if this normal or something to worry.

 

Cheers, Saneesh

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM

1 Reply

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Dec 06, 2016

    These are normal. Example from a lab box:

    Dec  6 08:31:02 current-3 notice tmsh[6922]: 01420002:5: AUDIT - pid=6922 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt
Dec  6 08:31:02 current-3 notice tmsh[6933]: 01420002:5: AUDIT - pid=6933 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db
Dec  6 08:41:01 current-3 notice tmsh[7372]: 01420002:5: AUDIT - pid=7372 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt
Dec  6 08:41:02 current-3 notice tmsh[7383]: 01420002:5: AUDIT - pid=7383 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db
Dec  6 08:51:01 current-3 notice tmsh[7818]: 01420002:5: AUDIT - pid=7818 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=show sys mcp-state field-fmt
Dec  6 08:51:02 current-3 notice tmsh[7829]: 01420002:5: AUDIT - pid=7829 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=list sys db

    If you'd rather not see these, I'd suggest to submit a ticket to Support to make a request to remove/hide them.