Forum Discussion

rolltidega_7890
Oct 21, 2011

F5 Big-IP Monitor Inbound IPs?

I am using a virtual F5 appliance to gather Syslog from multiple sources and balance that traffic to multiple syslog servers on my LAN. I am wondering if there is a way to set up a connection monitor so that I can get alerted if one of my syslog sources stops making connections to the F5? I am having some issues with my syslog sources where they stop sending syslog for some reason. While I work with the vendor to figure it out I am trying to find a way to alert me when it happens. Any help on this would be awesome! Thanks...


3 Replies

  • Hi Roltidega,


    You could create a custom monitor which checks the connection count on the virtual and then triggers an alert based on the expected connection count.



    I have never done this before, but I suppose you can start with the following commands to get the connection counts of the virtual server.

    ```shell
    # <virtual_server_ip> is a placeholder for the address of the syslog virtual server
    b conn | grep <virtual_server_ip> | awk '{print $1}' | cut -d: -f1 | uniq -c | sort
    ```



    I hope this helps


  • Using an external monitor is a good idea, as this will be part of the configuration and thus survive any upgrades.




    ```shell
    b conn | grep <virtual_server_ip> | awk '{print $1}' | cut -d: -f1 | uniq -c | sort
    ```



    "b conn" is a good starting point, however I do see two problems:



    1.) If the connection table is very large, it can take several seconds to get the whole table, and it might put some load on the system. I also had situations where "b conn" just hung and never returned anything.



    2.) With "b conn" you will only see those connections that are active while the monitor script is running. If a connection was closed just a few seconds before your monitor script was started, you won't see that connection.



    I suggest using a session table to add an entry for each syslog source IP. Create an iRule similar to this.



    WARNING: Totally UNTESTED code. Not even checked for syntax. Just the basic idea!!!




    ```tcl
    when RULE_INIT {
        set ::syslog_timeout 60
        # placeholders: replace with the IP addresses of the syslog sources
        set ::syslog_sources { "<source_ip_1>" "<source_ip_2>" "<source_ip_3>" }
    }

    when CLIENT_ACCEPTED {
        set table_entries [table keys -subtable syslog_sources -count]
        if { $table_entries < [llength $::syslog_sources] } {
            # fewer entries than syslog sources: at least one must have stopped sending.
            # Find them by looping over the list of syslog sources.
            foreach source_ip $::syslog_sources {
                if { [table lookup -notouch -subtable syslog_sources $source_ip] eq "" } {
                    log local0. "SYSLOG::WARNING: no message from $source_ip for $::syslog_timeout seconds"
                    # re-add the table entry, otherwise we would warn again on every trigger
                    table set -subtable syslog_sources $source_ip "inactive" $::syslog_timeout
                }
            }
        } elseif { [lsearch -exact $::syslog_sources [IP::client_addr]] >= 0 } {
            # refresh the entry of a known source and its timeout value (monitor probes add no entry)
            table set -subtable syslog_sources [IP::client_addr] "active" $::syslog_timeout
        }
    }
    ```


    This iRule will be triggered if any of the syslog sources sends some data. However, there is still one problem. If ALL syslog sources stop sending messages, the iRule will no longer be triggered and thus it will not detect anything. SOLUTION: Add a monitor that monitors the virtual server IP (the LB monitors itself!) with a simple TCP/UDP monitor. The monitor will just help to trigger the iRule every few seconds 🙂



    Now you have the WARNING messages in the log (/var/log/ltm). If you want to receive an email or an SNMP trap, please configure alertd to react on messages that start with "SYSLOG::WARNING".



    Here is some information about "table" and alertd.







    Hope that helps.





    Kurt Knochner
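To show how the session-table idea above behaves over time, including the "all sources go silent" case that needs the monitor probe, here is an added Python model of the detection logic (not code from the thread or from F5). It refreshes the sender's entry before checking, ignores the monitor's own address, and uses constructed placeholder addresses and a constructed timeline.

```python
TIMEOUT = 60  # seconds; mirrors ::syslog_timeout in the iRule above (added example, not thread code)

class SessionTable:
    """Minimal model of an iRule subtable: an entry lives `timeout` seconds after its last set."""
    def __init__(self):
        self._entries = {}  # ip -> (value, expires_at)

    def _expire(self, now):
        self._entries = {k: v for k, v in self._entries.items() if v[1] > now}

    def set(self, key, value, timeout, now):
        self._entries[key] = (value, now + timeout)

    def lookup(self, key, now):  # "" when the entry is missing, as 'table lookup' returns
        self._expire(now)
        return self._entries[key][0] if key in self._entries else ""

    def count(self, now):  # like 'table keys -subtable ... -count'
        self._expire(now)
        return len(self._entries)

def on_client_accepted(table, sources, client_ip, now, timeout=TIMEOUT):
    """Detection step for every accepted connection, monitor probes included; returns IPs warned about."""
    if client_ip in sources:  # refresh the sender first; the monitor's own address never gets an entry
        table.set(client_ip, "active", timeout, now)
    warned = []
    if table.count(now) < len(sources):  # at least one source entry has timed out
        for ip in sources:
            if table.lookup(ip, now) == "":
                warned.append(ip)
                table.set(ip, "inactive", timeout, now)  # re-add it so the count stays consistent
    return warned

def simulate():
    """Constructed timeline with placeholder addresses: source C stops at t=30, A and B stop at t=120,
    and a TCP monitor probe from the (assumed) self IP hits the virtual server every 15 s."""
    sources = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    monitor_ip = "10.0.0.1"
    table = SessionTable()
    for ip in sources:  # seed at startup so the first check doesn't flag sources that haven't sent yet
        table.set(ip, "active", TIMEOUT, 0)
    events = [(t, ip) for t in range(0, 121, 10) for ip in sources[:2]]
    events += [(t, sources[2]) for t in range(0, 31, 10)]
    events += [(t, monitor_ip) for t in range(0, 196, 15)]
    alerts = {}
    for t, ip in sorted(events):  # at equal timestamps the monitor probe sorts first
        for missing in on_client_accepted(table, sources, ip, t):
            alerts.setdefault(t, []).append(missing)
    return alerts  # {90: ['192.0.2.12'], 150: ['192.0.2.12'], 180: ['192.0.2.10', '192.0.2.11']}
```

Note that a silent source is reported again every TIMEOUT seconds while it stays silent, and that A and B are only caught at t=180 because the monitor keeps triggering the check after they stop.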


  • Kurt, it's interesting.



    For RULE_INIT, I think we may use a static global variable.





    ```tcl
    when RULE_INIT {
        set static::syslog_timeout 60
        # list of syslog source IPs
        set static::syslog_sources { }
    }
    ```