I work for the DoD and during a DISA inspection, the auditor asked if the BIGIP LTM could generate an immediate alert to the screen or to an email address showing a successful login attempt or a failed attempt. Can the BiG-IQ do this if the LTM cannot? We use AAA to manage the authentication requests, but I have not seen one actually send an alert for a successful login attempt. It will, however, send an unsuccessful alert while the account is locked after three failed attempts. If I use SSH, I see where a successful login attempt and the source IP is given on the session screen, and that would be ideal if it could be sent to an email address or a BiG-IQ alert capture.
I haven't personally worked on the Big-IQ, but on the LTM modules its doable. You'll have to set up snmp trap alerts. Find the log format, define it in user_alert.conf, once the log is found, alert will trigger and action is performed.
Without reinventing the wheel, follow these 2 links, you'll be able to achieve your task.
Refer post in Email alert for failed and successful login
Keep us posted on the progress !