Cowboy Denny, posted August 15, 2022

For some reason I am not seeing any of the audit logs (/var/log/audit) in Splunk. I see the ltm logs (/var/log/ltm) but that's it. Anyone know how to get the audit logs to show up in Splunk?
Cowboy Denny (author), posted August 15, 2022

Here is a suggestion I may try. Just configure:

    (/Common)(tmos.sys) edit /sys syslog all-properties

Go to the line that says "include none" and replace that line with:

    include "
    destination remote_server {
        udp(\"IP-OF-SYSLOG-SERVER\" port (514));
    };
    filter f_ltm {
        facility(local0) and level(emerg..info);
    };
    log {
        source(local);
        filter(f_ltm);
        destination(remote_server);
    };
    "

If I do a tmsh list /sys syslog all-properties I get this before making the above change:

    [root@usmifnt01:/S1-green-P::Active:In Sync] log # tmsh list /sys syslog all-properties
    sys syslog {
        auth-priv-from notice
        auth-priv-to emerg
        clustered-host-slot enabled
        clustered-message-slot disabled
        console-log enabled
        cron-from warning
        cron-to emerg
        daemon-from notice
        daemon-to emerg
        description none
        include "filter f_local0 {facility(local0) and not match(\"user=svc_f5_splunk_d, method=\");};"
        iso-date disabled
        kern-from debug
        kern-to emerg
        local6-from notice
        local6-to emerg
        mail-from notice
        mail-to emerg
        messages-from notice
        messages-to warning
        remote-servers none
        user-log-from notice
        user-log-to emerg
    }

I may try this change and see if it makes a difference.
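The two include stanzas quoted above select different records: the existing f_local0 filter keeps every local0 message except those containing the Splunk service account's audit string (and is not referenced by any log {} statement in the listed config, with remote-servers still none), while the proposed f_ltm filter forwards all local0 messages from emerg through info, including that account's own audit entries, and drops debug. The script below is an added example, not code from the original post or from F5; it models the two filter expressions in plain Python over constructed records. The sample messages and the assumption that audit lines arrive on facility local0 are mine, since the page does not state which facility /var/log/audit uses.

```python
"""Model the two syslog-ng filters from the thread over constructed records.

Added example: record format, facility assignment and message texts are
assumptions for illustration, not captured device output.
"""
from dataclasses import dataclass

# Standard syslog severities: lower number = more severe (emerg=0 .. debug=7).
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass(frozen=True)
class Record:
    facility: str
    level: str
    message: str


def f_local0_existing(rec: Record) -> bool:
    """filter f_local0 { facility(local0) and not match("user=svc_f5_splunk_d, method="); };
    No level restriction, so local0 debug passes; the service account's audit lines are dropped."""
    return rec.facility == "local0" and "user=svc_f5_splunk_d, method=" not in rec.message


def f_ltm_proposed(rec: Record) -> bool:
    """filter f_ltm { facility(local0) and level(emerg..info); };
    Everything on local0 except debug; no account is excluded."""
    return rec.facility == "local0" and LEVELS["emerg"] <= LEVELS[rec.level] <= LEVELS["info"]


# Constructed sample records (assumed facility/level; not real BIG-IP output).
SAMPLES = [
    Record("local0", "notice", "AUDIT - user=admin, method=tmsh, cmd=modify sys syslog"),
    Record("local0", "notice", "AUDIT - user=svc_f5_splunk_d, method=rest, cmd=list ltm pool"),
    Record("local0", "info", "Pool /Common/web_pool member 10.0.0.5:80 monitor status up."),
    Record("local0", "debug", "mcpd debug chatter"),
    Record("authpriv", "notice", "sshd session opened for user admin"),
]


def forwarded(filter_fn, records=SAMPLES):
    """Messages a given filter would pass on to a destination."""
    return [r.message for r in records if filter_fn(r)]


def hidden_by_existing_filter(records=SAMPLES):
    """Messages the proposed filter forwards but the existing filter suppresses,
    i.e. the service account's own audit trail."""
    return [r.message for r in records if f_ltm_proposed(r) and not f_local0_existing(r)]
```

Running forwarded() with each filter shows that neither stanza touches authpriv, that only the proposed one drops debug, and that only the existing one hides the svc_f5_splunk_d audit entries.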