Last Modified: Oct 15, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3
Opened: Feb 13, 2020
Severity: 3-Major
The system generates and logs the following messages continuously, every 30 seconds, in /var/log/audit:

    bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
    bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.
This occurs during normal operation.
To prevent the two messages from being logged to /var/log/audit:

1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

    # tmsh
    # edit /sys syslog all-properties

2. Replace 'include none' with the following syntax:

    sys syslog {
    - snip -
        include "
        filter f_audit {
            facility(local0) and message(\"AUDIT\") and not message(\"cmd_data=list cm device recursive|cmd_data=cd /\");
        };"
    - snip -
    }

To filter the messages sent to remote syslog servers only, do the following:

1. Set sys syslog remote-servers none:

    # tmsh modify sys syslog remote-servers none

2. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':

    # tmsh
    # edit /sys syslog all-properties

3. Add the following filter:

    filter f_remote_loghost {
        not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
    };

   Result: The system sends all messages that match the filter to the remote syslog server. It uses the "not" operand to filter the messages out.

4. Add destination and log directives. Below is a sample configuration, with the filter in step 3:

    sys syslog {
        include "
        filter f_remote_loghost {
            not (facility(local0) and message(\"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /\"));
        };
        destination d_remote_loghost {
            udp(\"10.0.0.1\" port(514));
        };
        log {
            source(s_syslog_pipe);
            filter(f_remote_loghost);
            destination(d_remote_loghost);
        };
        "
    }
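
Before deploying an audit-log suppression filter, it is worth checking which records it actually drops. The Python below is an added example, not F5's code: it replays the two workaround patterns over constructed audit lines, assuming syslog-ng's message() does an unanchored regex search. The 'admin' sample lines and STRICT_PAT are hypothetical and would need validating on the device.

```python
import re

# Patterns copied from the workaround's message() filters.
LOCAL_PAT = re.compile(r"cmd_data=list cm device recursive|cmd_data=cd /")
REMOTE_PAT = re.compile(r"AUDIT.*cmd_data=list cm device recursive|cmd_data=cd /")
# Hypothetical tighter pattern (not from the page): same two commands,
# user=root only, anchored at the end of the message.
STRICT_PAT = re.compile(
    r"AUDIT - pid=\d+ user=root .*cmd_data=(list cm device recursive|cd / ;)$")

def kept_local(facility, msg, pat=LOCAL_PAT):
    """f_audit: facility(local0) and message("AUDIT") and not message(pat)."""
    return facility == "local0" and "AUDIT" in msg and not pat.search(msg)

def sent_remote(facility, msg, pat=REMOTE_PAT):
    """f_remote_loghost: not (facility(local0) and message(pat))."""
    return not (facility == "local0" and pat.search(msg))

def audit(pid, user, cmd):
    """Build a constructed audit message in the format shown on the page."""
    return (f"01420002:5: AUDIT - pid={pid} user={user} folder=/ "
            f"module=(tmos)# status=[Command OK] cmd_data={cmd}")

# Constructed sample input: two noise lines from the page, two admin actions.
SAMPLES = {
    "noise_cd": audit(47755, "root", "cd / ;"),
    "noise_list": audit(47755, "root", "list cm device recursive"),
    "admin_cd": audit(5120, "admin", "cd /Common/prod"),
    "admin_change": audit(5120, "admin", "modify ltm pool p1 members none"),
}

def report(pat_local=LOCAL_PAT, pat_remote=REMOTE_PAT):
    """Map sample name -> (kept in /var/log/audit, sent to remote server)."""
    return {name: (kept_local("local0", m, pat_local),
                   sent_remote("local0", m, pat_remote))
            for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for label, pats in (("workaround", (LOCAL_PAT, REMOTE_PAT)),
                        ("strict", (STRICT_PAT, STRICT_PAT))):
        for name, (local, remote) in report(*pats).items():
            print(f"{label:10} {name:13} kept_local={local!s:5} sent_remote={remote}")
```

With the workaround patterns, the constructed 'cd /Common/prod' record from a non-root user is dropped along with the noise, because 'cmd_data=cd /' matches as a prefix; in the remote pattern the 'cmd_data=cd /' branch also matches without 'AUDIT', since the alternation is not grouped.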
None