heskez_36146
Aug 17, 2015

F5 APM retrieve information for a specific username from archived audit tracks

Hi,

 

I'm currently facing a nice challenge. One wants to know whether a specific user has logged on to our remote portal, within a month or even longer ago. Our remote portal is to be accessed by an F5 APM appliance.

 

Two weeks ago we upgraded our appliances, so the last audit log is from two weeks ago. I can tell, when I choose in the menu "Access Policy", "Reports" and I fill in 60 days or more, the last line shows a date which is two weeks ago. I'd like the report data from a month ago (and older).

 

Before the upgrade a UCS file was made. So what I did is extract the UCS file. I searched with Windows Grep, typed the username as string, in all directories and files, of course, nothing with that username is found.

 

Several questions have popped up right now:

 

  • audit track of user logon onto a remote portal is actually kept within /var/log/audit?* The UCS file of previous APM state doesn't show a /var/log dir. Where are the logs stored?
  • How am I able to fetch the data I need without returning to a previous state? I haven't got a spare appliance to restore the UCS to.

Best, Erik

 

2 Replies

  • Hi Erik,

     

    Your best bet for the future is to configure remote syslog on the bigip and have the logs sent off box to the syslog server. We have some integrations with SPLUNK.

     

    For the issue you have now, the information will be stored in /var/log/apm. The audit log shows logins for the bigip admin UI or CLI. It doesn't look like the UCS contains the log files as the UCS is a configuration backup.

     

    Seth

     

  • Thanks Seth, I already had something in mind regarding syslog forwarding but sadly enough no time and resources to get it done. Looks like this is worth the investment! Thanks for explaining.

     

    regards, Erik
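
For the lookup in /var/log/apm that Seth's reply points to, here is an added example (not part of the original thread and not F5 tooling) that searches the current and rotated log files for one user's logons. It assumes rotated files are named `apm.N` or `apm.N.gz` and that a logon is recorded on a line containing `Username '<name>'`; the sample lines, host name and session IDs are constructed.

```bash
#!/usr/bin/env bash
# Search the current and rotated APM logs for logon lines of one user.
# Assumptions (not from the thread): rotated files are apm.N or apm.N.gz,
# and a logon is logged on a line containing: Username '<name>'

apm_user_logons() {
    local user=$1 logdir=${2:-/var/log} f
    [ -n "$user" ] || { echo "usage: apm_user_logons USER [LOGDIR]" >&2; return 2; }
    for f in "$logdir"/apm "$logdir"/apm.*; do
        [ -f "$f" ] || continue    # skips the unexpanded glob when nothing is rotated
        # gzip -cdf decompresses .gz files and passes plain files through unchanged.
        # grep -F treats the username as a literal string, never as a regex; the
        # closing quote in the pattern stops 'jdoe' from also matching 'jdoe2'.
        gzip -cdf -- "$f" \
            | grep -iF -- "Username '$user'" \
            | awk -v src="${f##*/}" '{ print src ": " $0 }'
    done
}

# Constructed sample data for a dry run away from the appliance.
make_sample_logs() {
    local d=$1
    cat > "$d/apm" <<'EOF'
Aug 17 09:12:01 bigip1 notice apmd[5432]: 01490010:5: 1a2b3c4d: Username 'jdoe'
Aug 17 09:15:44 bigip1 notice apmd[5432]: 01490010:5: 5e6f7a8b: Username 'jdoe2'
EOF
    printf '%s\n' \
        "Jul 20 08:01:10 bigip1 notice apmd[5432]: 01490010:5: 9c0d1e2f: Username 'JDOE'" \
        | gzip -c > "$d/apm.1.gz"
}

# Demo on the constructed data; on the appliance run: apm_user_logons jdoe
demo=$(mktemp -d) && make_sample_logs "$demo" && apm_user_logons jdoe "$demo"
rm -rf "$demo"
```

Results are grouped by file in glob order, not chronologically, and only cover whatever rotated files still exist on the box.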