Forum Discussion

SIP_354925's avatar
SIP_354925
Icon for Nimbostratus rankNimbostratus
May 16, 2018

Finding Source IP in Log Files

Supposed on the firewall tcp resets are seen between a source IP x.x.x.x and the VIP y.y.y.y on a particular time and date. Which ltm logs would I view to find the related information? /var/log/ltm f...
application delivery
LTM
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
May 16, 2018

Hello SIP.

First you have to know that /var/log/ltm contains log messages generated by the BIG-IP system. This files can contain too logs generated by your Irule (when you use "log logal0.") https://support.f5.com/csp/article/K16197

But if you have tcp reset from F5 by default it is not logged. It can come from many different things (TCP 3WHS rejected, TCP RST from remote system, RST from BIG-IP internal Linux host, Flow expired ...).

So when you have this kind of behaviour you can configure the BIG-IP system to log the reasons for generating the TCP RST packets to the /var/log/ltm log file.

tmsh
modify /sys db tm.rstcause.log value enable
modify /sys db tm.rstcause.pkt value enable

Then you can see all reset logs in /var/log/ltm.

https://support.f5.com/csp/article/K13223

but it is not advisable to leave these logs activated all the time. they must be left only during the investigation period.for reasons of performance and log accumulation.

Let me now if it's clear for you.

Regards