Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Dec 29, 2017

iRule to trigger email for captured logs

team, have an iRule for capturing logs which works as expected. now i would like to send the log which was captured with commment. irule used when CLIENT_ACCEPTED { if { not [class match [IP::cl...

Icon for Employee rank

Employee

Dec 29, 2017

yes, its already configured and works well for all VIP (up/down/disable/enabled), also other device parameters.

can you post the /config/user_alert.conf?

bsb
Nimbostratus
Dec 29, 2017
alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU Temp too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.5"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU fan too slow Alert" } alert BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.6"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU fan bad Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.7"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis temperature too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_FAN_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.8"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis fan failure Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_POWER_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.9"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis power supply failure Alert" } alert BIGIP_SOD_SODERR_SOD_STANDBY { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.14"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Unit going standby Alert" } alert BIGIP_SOD_SODERR_SOD_ACTIVE { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.15"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Unit going Active Alert" } alert BIGIP_AUTH_FAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Login Failure Alert" } alert BIGIP_SYSTEM_CHECK_E_AOM_CPU_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.93"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Air temperature near host F5_LTM_Device CPU is too high Alert" } alert BIGIP_SYSTEM_CHECK_E_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.113"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Temperature too high Alert" } alert BIGIP_SYSTEM_CHECK_E_VOLT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.114"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Voltage too high Alert" } alert BIGIP_SYSTEM_CHECK_E_FAN_SPEED_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.115"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Fan speed too low Alert" } alert BIGIP_SYSTEM_CHECK_E_VOLT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.123"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Voltage too low Alert" } alert BIGIP_SYSTEM_CHECK_E_MILLI_VOLT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.124"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Milli-voltage too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CURRENT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.125"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Current too high Alert" } alert BIGIP_SYSTEM_CHECK_E_POWER_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.126"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power too high Alert" } alert BIGIP_SYSTEM_CHECK_E_MILLI_VOLT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.127"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Milli-voltage too low Alert" } alert BIGIP_SYSTEM_CHECK_E_CURRENT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.128"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Current too low Alert" } alert BIGIP_SYSTEM_CHECK_E_POWER_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.129"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power too low Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_AVAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.135"; email toaddress="xxx@xxx.com,pnmoorthy@infosys.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_UNAVAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.136"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_ENABLED { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.137"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_DISABLED { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.138"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_LIBHAL_CHASSIS_PS_IS_POWERED_ON { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.147"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power supply powered on Alert" } alert BIGIP_LIBHAL_CHASSIS_PS_IS_POWERED_OFF { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.148"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power supply powered off Alert" } alert BIGIP_SYS_SHUTDOWN { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.151"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Shutting down Alert" }
nitass
Employee
Dec 29, 2017
where is the alert definition for the reject log (Rejecting this request [IP::client_addr])? did i misunderstand something?
jaikumar_f5
MVP
Dec 29, 2017
@Saravanan,

You are required to add new snmp trap in the alert conf file. Refer this article and configure your log string. something like below, but i'm not sure of the ip:port logic, does it need regex.

alert Reject_request_alert "Rejecting this request (%s:%d) " { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Rejecting this request (%s:%d)" }

I referred the /etc/httpd/run/bigip_error_maps.dat file, so the above should be okay.
bsb
Nimbostratus
Dec 29, 2017
tried this, but didnt succeed, not exactly sure how (%s:%d) fetches the error from log file, because in below case i am saving it to log local.

when CLIENT_ACCEPTED { if { not [class match [IP::client_addr] equals datagrid] } { log local0. "Rejecting this request [IP::client_addr] " reject } }

but i could see the system -- > logs -- > local traffic rejecting my traffic

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming