Forum Discussion

Vikram_23_27012's avatar
Vikram_23_27012
Icon for Nimbostratus rankNimbostratus
Apr 04, 2018

admin activity logs for load balancer

Hi Guys,

 

Is there any log that show what admin is doing ? ie execute what command.

 

One of my customer is facing issue where suddenly their cert all removed/deleted, so we want to know if there is anyone login to the F5 and remove it purposely.

 

Thanks,

 

1 Reply

  • Every thing gets logged as long as proper logging is turned on. By default the CLI logging gets logged as per default settings. But if the change was done through GUI, you may need to have the db config.auditting value enabled to see the GUI made changes.

    • In versions prior to BIG-IP 11.6.0, audit logging for BIG-IP configuration changes is disabled by default.
    • In version above 11.6, the db config.auditting is enabled by default.

    To know if your BIGIP is configured to capture the GUI changes, run the below command,

    tmsh list /sys db config.auditing value

    To check your logs,

    • less /var/log/audit | grep 
    • less /var/log/audit | grep 

    In case the logs have been rotated, you may need to check on the other audit files,

    ls -ltrh /var/log/audit*

    This would list out the number of audit files thats present on your box with dates. You can use zcat/zless to open the gz files.

    • zcat /var/log/audit* | grep 
    • zcat /var/log/audit* | grep