For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
Jul 29, 2008

Custom SNMP Traps - clarify "match string" usage

Reference the article posted by deb a few days ago:   http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=256     After reading this article, I...
management
monitoring
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Jul 30, 2008
The example you give is from the pre-configured alert.conf file, and there is no need to duplicate it in the user_alert.conf. I think the different uses of the 2 conf files might be what is confusing you.

 

 

alertd receives a message from syslog-ng which contains both an alert code and a message string. alertd looks in bigip_error_maps.dat to find an alert definition which matches the alert code or message string. Once a map is found, it performs the action matching the definition in the user_alert.conf (or alertd.conf).

 

 

Is that right?

 

 

Not exactly. alertd looks in bigip_error_maps.dat to find the alert code, and if found, uses the corresponding alert name to map back to the alert definition in alert.conf. This is the way many pre-configured alerts are defined. The system will also match on any match strings explicitly defined in either conf file and execute the defined alert action.

 

 

The error map files are not intended to be modified or supplemented in any way, though, so custom traps are instead always defined in user_alert.conf, including the match string.

 

 

The message string sent by syslog-ng is the same one it received -- whatever the system sent to be logged.

 

 

hth

 

/deb