08 November 2012

BIG-IP audit log guide for Windows admins

One thing that I am always keen to keep track of is configuration changes made to a system and by whom this is done.  For an administrator such as myself who has always worked in a Windows environment it is a bit of a daunting task to start managing log files on a F5 BIG-IP device which is of course based on Linux.

Configuration Audit Logging
There are a few places to view and configure the log files.  Since it is advisable to make all the configuration changes in the administrative GUI we will cover this first.

  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Click Configuration
  • Scroll to the Audit Logging section
  • Change MCP to Enable
  • Change tmsh to Enable
  • Click the update button

This will now log any configuration changes made to the BIG-IP.  This kind of information is always handy when it comes to troubleshooting an issue.  It is more often than not also required by some policy or other either corporate or compliance.

View the Audit Log

  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Select Audit
  • Select List

This will give you a screen with a few log entries in it.  The search feature is basic but allows you to find the changes you are probably looking for

By specifying DB_VARIABLE in the search box it will return configuration change entries.

Filtering the Audit Log
This screen allows you to filter you result based on the Username, Date Range and a Event term such as DB_VARIABLE

  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Select Audit
  • Select Search from the drop down Menu

Using the Command Line Tools


  • Use your SSH client and connect to the BIG-IP
  • Log in as root
  • tmsh
  • show sys log

This will list the available logs that you can view

  • show sys log audit

This will open the log file for viewing.  The most recent events are right at the bottom.  You can scroll through the log and exit form the log file by pressing q

Viewing the log through this method can be useful to track the most recent changes but it does not allow you to specify filter like you could in the GUI.

Filter the log from the CLI

  • Use your SSH client and connect to the BIG-IP
  • Log in as root
  • cd var/log
  • ls

This will show you the list of files, most of these are log files.  You will be able to correlate the logs to the files by looking at the show sys log from earlier

To simply view the audit log you can use

  • cat audit | more

This will again open the log and you will be able to scroll through the log line by line pressing enter to scroll through q to exit

To filter the events you can use

grep audit -e DB_VARIABLE | more

Exporting the file to Excel
If you want to really interrogate the log file there is no better way than to import it into Excel

Get the file onto your PC
To do this you need to copy the file off the BIG-IP.  I found that the easiest way is to use an app called WinSCP http://winscp.net/eng/download.php

  • Start WinSCP
  • Select SCP form the protocol
  • Specify hostname
  • Specify root and password
  • Click login

This will now bring up a familiar side by side file system view.

  • On the left browse to your folder where you want to copy the files to
  • On the right hand side browse to /var/log
  • You will now see al the log files
  • Select and drag the audit file from the BIG-IP onto the local drive

Import the file 

  • Open Excel
  • File Open
  • Select the audit file
  • Select delimited
  • Specify the delimiter as Space
  • Check Treat consecutive delimiters as one

You will now have the entire log file imported and you can filter and manipulate to your heart's content.

NOTE:  If there are multiple audit.n.gz files these need to be imported to to get more historic log data.  You can use 7zip to decompress the files so you can import them to Excel.

No comments:

Post a Comment