Forum Discussion
CirrusI am getting 2 to 3 emails alerts on 1 pool member down.
I have configured custom alerts on pool member down. I have configured them for each pool separately. The problem is that I get 2 sometime 3 emails for 1 pool member down. This is because mails are generated on the basis of logs and those logs are generated 2 and some time 3 times.
How can I configure it that I get only 2 mails one from each F5 LTM as they are in HA. As two LTM are in HA so combinely I get 4 to 6 emails which is totally unacceptable.
22 Replies
Torti_93733Nimbostratus
you need to select only one tmm process, because every process is generating an alert. And you only have to select one system for alerting not both.
The best way to do is a syslog system. There you can configure these things and can send only one mail.
Muhammad_Irfan1By syslog system you means remote syslog server? We don't have remote syslog server. Actualy when one member goes down i get 2 logs one from each LTM system and when they come up i get 1 mail from each device again that pool member is down although it just came up. When i see in the logs it shows something like pool member is down [up for 0hour 0 min 3 sec] this log is generating second alert
Tortiyou need to select only one tmm process, because every process is generating an alert. And you only have to select one system for alerting not both.
The best way to do is a syslog system. There you can configure these things and can send only one mail.- Muhammad_Irfan1By syslog system you means remote syslog server? We don't have remote syslog server. Actualy when one member goes down i get 2 logs one from each LTM system and when they come up i get 1 mail from each device again that pool member is down although it just came up. When i see in the logs it shows something like pool member is down [up for 0hour 0 min 3 sec] this log is generating second alert
nitass_89166Noctilucent
you need to select only one tmm process, because every process is generating an alert. And you only have to select one system for alerting not both.
i think pool member up/down is reported by mcpd. so, shouldn't it be only one log?
e.g.
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm Dec 12 01:30:13 ve11a notice mcpd[7229]: 01070727:5: Pool /Common/foo member /Common/200.200.200.101:80 monitor status up. [ /Common/http: up ] [ was unchecked for 0hr:0min:35sec ] Dec 12 01:30:13 ve11a notice mcpd[7229]: 01071681:5: SNMP_TRAP: Virtual /Common/norf has become availableActualy when one member goes down i get 2 logs one from each LTM system and when they come up i get 1 mail from each device again that pool member is down although it just came up.
i think 1 email from each device is correct, isn't it? email is sent based on log. if you do see log, you should have received email.
- Muhammad_Irfan1Yes nitass 1 mail from each device is right and acceptable but i get 2 emails from each device for 1 pool member down. I was watching closely i shut one member and recieved 2 emails one from each LTM then after 5 minutes when i up the member i recieved 2 emails one from each LTM and when i looked into logs with pool member up i also recieved pool member down log as well. I don't understand why F5 logs member down after so much time for the 2nd time when member came back up.
- TortiI'm sry. its not the tmm process. A message / LTM is a normal behavior. If the message arrives much later than the log entry on the system, you should check your mail server log. Then you can see, if the message was send later to the mail server or if you mail server is the reason for the delay. if the log entry on the f5 is also with delay, then the reason should be your monitor for the pool
- Muhammad_Irfan1First log for pool member down is received straightaway in local logs. But sometimes I get one log straightaway and i get another log member down after 5 to 10 minutes later. Now during checking this time i received one email but last time i received two mails caz i got 2 logs. Lets hope i don't get 2 logs more often. I receive email from root[host name of my LTM] although i have configured fromaddress as f5admin@mobilink.net but from address is always root[host name of my LTM]
- nitass
Employee
you need to select only one tmm process, because every process is generating an alert. And you only have to select one system for alerting not both.
i think pool member up/down is reported by mcpd. so, shouldn't it be only one log?
e.g.
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm Dec 12 01:30:13 ve11a notice mcpd[7229]: 01070727:5: Pool /Common/foo member /Common/200.200.200.101:80 monitor status up. [ /Common/http: up ] [ was unchecked for 0hr:0min:35sec ] Dec 12 01:30:13 ve11a notice mcpd[7229]: 01071681:5: SNMP_TRAP: Virtual /Common/norf has become availableActualy when one member goes down i get 2 logs one from each LTM system and when they come up i get 1 mail from each device again that pool member is down although it just came up.
i think 1 email from each device is correct, isn't it? email is sent based on log. if you do see log, you should have received email.
- Muhammad_Irfan1Yes nitass 1 mail from each device is right and acceptable but i get 2 emails from each device for 1 pool member down. I was watching closely i shut one member and recieved 2 emails one from each LTM then after 5 minutes when i up the member i recieved 2 emails one from each LTM and when i looked into logs with pool member up i also recieved pool member down log as well. I don't understand why F5 logs member down after so much time for the 2nd time when member came back up.
- TortiI'm sry. its not the tmm process. A message / LTM is a normal behavior. If the message arrives much later than the log entry on the system, you should check your mail server log. Then you can see, if the message was send later to the mail server or if you mail server is the reason for the delay. if the log entry on the f5 is also with delay, then the reason should be your monitor for the pool
- Muhammad_Irfan1First log for pool member down is received straightaway in local logs. But sometimes I get one log straightaway and i get another log member down after 5 to 10 minutes later. Now during checking this time i received one email but last time i received two mails caz i got 2 logs. Lets hope i don't get 2 logs more often. I receive email from root[host name of my LTM] although i have configured fromaddress as f5admin@mobilink.net but from address is always root[host name of my LTM]
- nitass_89166
I receive email from root[host name of my LTM] although i have configured fromaddress as f5admin@mobilink.net but from address is always root[host name of my LTM]
are you using postfix or ssmtp? have you checked postfix/ssmtp configuration?
- Muhammad_Irfan1I am using smtp. But i have not configured it in gui i edited the smtp.conf file.
- nitass
I receive email from root[host name of my LTM] although i have configured fromaddress as f5admin@mobilink.net but from address is always root[host name of my LTM]
are you using postfix or ssmtp? have you checked postfix/ssmtp configuration?
- Muhammad_Irfan1I am using smtp. But i have not configured it in gui i edited the smtp.conf file.
- nitass_89166
what version are you running? to change from address, FromLineOverride has to be set to yes. however, starting from 11.5.0, /etc/ssmtp/ssmtp.conf is automatically generated. whatever modification will be gone after reboot unless you modify template file, /usr/share/defaults/config/templates/ssmtp.tmpl, but it may not be officially supported by f5 support team. there is no tmsh command available. ID465700 is filed but it is not implemented yet (as of now).
ID465700 Allow to configure SMTP RewriteDomain and FromLineOverride fields
this is notification email when manually setting FromLineOverride to yes.
sol13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x)
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13180.htmlFrom: f5admin@mobilink.net [mailto:f5admin@mobilink.net] Sent: Saturday, December 13, 2014 5:01 PM To: Nitass Subject: 01070638:5: Pool /Common/foo member /Common/8.8.8.8:53 monitor status down. [ /Common/fake: down ] [ was unchecked for 0hr:6mins:31sec ] test- Muhammad_Irfan111.4.1 and FromLineOverride = Yes is uncommented as well in smtp.conf. I have custom alerts set in alert_config and fromaddress is f5admin@mobilink.net. But still get emails notifications from root[hostname of LB]
- nitass_89166can you run tcpdump on bigip to check?
- nitass
what version are you running? to change from address, FromLineOverride has to be set to yes. however, starting from 11.5.0, /etc/ssmtp/ssmtp.conf is automatically generated. whatever modification will be gone after reboot unless you modify template file, /usr/share/defaults/config/templates/ssmtp.tmpl, but it may not be officially supported by f5 support team. there is no tmsh command available. ID465700 is filed but it is not implemented yet (as of now).
ID465700 Allow to configure SMTP RewriteDomain and FromLineOverride fields
this is notification email when manually setting FromLineOverride to yes.
sol13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x)
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13180.htmlFrom: f5admin@mobilink.net [mailto:f5admin@mobilink.net] Sent: Saturday, December 13, 2014 5:01 PM To: Nitass Subject: 01070638:5: Pool /Common/foo member /Common/8.8.8.8:53 monitor status down. [ /Common/fake: down ] [ was unchecked for 0hr:6mins:31sec ] test- Muhammad_Irfan111.4.1 and FromLineOverride = Yes is uncommented as well in smtp.conf. I have custom alerts set in alert_config and fromaddress is f5admin@mobilink.net. But still get emails notifications from root[hostname of LB]
- nitasscan you run tcpdump on bigip to check?
