Forum Discussion

sci605's avatar
sci605
Icon for Nimbostratus rankNimbostratus
Mar 18, 2024

F5 alarms

We received some alarms from our F5 load balancers, we clear it manually but it will always repear time to time. How to solve it rightly?

These F5 boxes are monitored via RestAPI, can push alarms to our monitor system.

 

  • What is the product which is showing this information, where you get the table from? I assume some kind of SIEM / monitoring product. It takes logs and based on something creates those alerts, you gotta find out based on which logs which alerts. Hopefully the owner / technical support for that product can help.

     

    On the F5 side you can log into the systems and look into the logs, see for example this article: https://my.f5.com/manage/s/article/K16197

    It is probably a good idea to ask around internally who can help with looking at the F5s.

     

  • Too little information in those messages. You gotta find out more details. It could be a scanner or such which is configured with the wrong credentials.

    • sci605's avatar
      sci605
      Icon for Nimbostratus rankNimbostratus

      Thanks, but how to check more information and associate the alarm with other information? (sorry, we are just the beginner for using this product)

      • What is the product which is showing this information, where you get the table from? I assume some kind of SIEM / monitoring product. It takes logs and based on something creates those alerts, you gotta find out based on which logs which alerts. Hopefully the owner / technical support for that product can help.

         

        On the F5 side you can log into the systems and look into the logs, see for example this article: https://my.f5.com/manage/s/article/K16197

        It is probably a good idea to ask around internally who can help with looking at the F5s.

         

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    My immediate answer would be to stop making unauthorised requests

    It looks like you have something that either never has authed, or auths, does some stuff and then has the auth timed out accessing your F5 somewhere. 
    It's something only you can find and solve. I'd suggest

    * Looking in the logs to determine what's failing.

    * If not in the logs you might be having to tcpdump, but that's only useful if you know the service and can reliably prune out the good traffic from the bad.