seilemor
Aug 23, 2019

System authentication logging

Hi,

For some SIEM scenarios I need to have the BigIP login events within our remote log management. Within the GUI I can see the following event if a login failed:

Fri Aug 23 09:51:59 CEST 2019  USERNAME  0-0  httpd(pam_audit): User=USERNAME tty=(unknown) host=192.168.178.2 failed to login after 1 attempts (start="Fri Aug 23 09:51:57 2019" end="Fri Aug 23 09:51:59 2019").: 

For remote logging I've configured the log destination, publisher and a filter. The log destination is based on HSL. Within the filter I've set severity "information" and source "all". The problem is that the authentication events are not sent to the remote syslog. All other messages are sent. If I activate the "remote logging" feature, where I receive all messages and where I don't have any possibility to change what is sent, I receive the log messages regarding successful and failed logons.

Is it possible to receive the authentication events using only HSL!? The logs are available at /var/log/secure and /var/log/audit, but they are not transferred to the remote syslog. I've already tested around with some different settings. Within the options for logging I've enabled the audit (tmm / mcp) logging.

Any ideas!? Within the documentation I can only find some information that the authentication logs are available within /var/log/secure and/or /var/log/audit, but there is no information on how to transfer them.

Thanks and Regards

seilemor
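
Added example, not part of the original post and not F5 code: a Python parser for the `httpd(pam_audit)` failed-login message quoted above, as it could be used on the SIEM side once the events arrive. The pattern is derived only from that one quoted line; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern derived only from the single failed-login line quoted in the post.
PAM_AUDIT_FAILED = re.compile(
    r'(?P<proc>\w+)\(pam_audit\): User=(?P<user>\S+) tty=(?P<tty>\S+) '
    r'host=(?P<host>\S+) failed to login after (?P<attempts>\d+) attempts '
    r'\(start="(?P<start>[^"]+)" end="(?P<end>[^"]+)"\)'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. Fri Aug 23 09:51:57 2019

SAMPLE_LINES = [
    # Line as quoted in the post.
    'Fri Aug 23 09:51:59 CEST 2019  USERNAME  0-0  httpd(pam_audit): User=USERNAME tty=(unknown) host=192.168.178.2 failed to login after 1 attempts (start="Fri Aug 23 09:51:57 2019" end="Fri Aug 23 09:51:59 2019").:',
    # Constructed: same format, different attempt count and times.
    'Fri Aug 23 09:53:10 CEST 2019  USERNAME  0-0  httpd(pam_audit): User=USERNAME tty=(unknown) host=192.168.178.2 failed to login after 2 attempts (start="Fri Aug 23 09:53:02 2019" end="Fri Aug 23 09:53:10 2019").:',
    # Constructed: unrelated message that must not match.
    'Fri Aug 23 09:54:00 CEST 2019  unrelated message',
]


def parse_failed_login(line):
    """Return a dict of fields for a pam_audit failed-login line, else None."""
    m = PAM_AUDIT_FAILED.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["attempts"] = int(event["attempts"])
    event["start"] = datetime.strptime(event["start"], TS_FORMAT)
    event["end"] = datetime.strptime(event["end"], TS_FORMAT)
    return event


def failed_attempts_by_source(lines):
    """Sum failed attempts per (user, host) over an iterable of log lines."""
    totals = Counter()
    for line in lines:
        event = parse_failed_login(line)
        if event:
            totals[(event["user"], event["host"])] += event["attempts"]
    return totals


if __name__ == "__main__":
    for key, count in failed_attempts_by_source(SAMPLE_LINES).items():
        print(key, count)
```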