Forum Discussion

bsb's avatar
bsb
Icon for Nimbostratus rankNimbostratus
Dec 29, 2017

iRule to trigger email for captured logs

team, have an iRule for capturing logs which works as expected. now i would like to send the log which was captured with commment.   irule used when CLIENT_ACCEPTED { if { not [class match [IP::cl...
BIG-IP
iRules
security
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 29, 2017

yes, its already configured and works well for all VIP (up/down/disable/enabled), also other device parameters.

 

can you post the /config/user_alert.conf?

 

  • bsb's avatar
    bsb
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2017

    alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU Temp too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.5"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU fan too slow Alert" } alert BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.6"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device CPU fan bad Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.7"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis temperature too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_FAN_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.8"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis fan failure Alert" } alert BIGIP_SYSTEM_CHECK_E_CHASSIS_POWER_BAD { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.9"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device detected Chassis power supply failure Alert" } alert BIGIP_SOD_SODERR_SOD_STANDBY { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.14"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Unit going standby Alert" } alert BIGIP_SOD_SODERR_SOD_ACTIVE { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.15"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Unit going Active Alert" } alert BIGIP_AUTH_FAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Login Failure Alert" } alert BIGIP_SYSTEM_CHECK_E_AOM_CPU_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.93"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Air temperature near host F5_LTM_Device CPU is too high Alert" } alert BIGIP_SYSTEM_CHECK_E_TEMP_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.113"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Temperature too high Alert" } alert BIGIP_SYSTEM_CHECK_E_VOLT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.114"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Voltage too high Alert" } alert BIGIP_SYSTEM_CHECK_E_FAN_SPEED_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.115"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Fan speed too low Alert" } alert BIGIP_SYSTEM_CHECK_E_VOLT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.123"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Voltage too low Alert" } alert BIGIP_SYSTEM_CHECK_E_MILLI_VOLT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.124"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Milli-voltage too high Alert" } alert BIGIP_SYSTEM_CHECK_E_CURRENT_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.125"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Current too high Alert" } alert BIGIP_SYSTEM_CHECK_E_POWER_HIGH { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.126"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power too high Alert" } alert BIGIP_SYSTEM_CHECK_E_MILLI_VOLT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.127"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Milli-voltage too low Alert" } alert BIGIP_SYSTEM_CHECK_E_CURRENT_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.128"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Current too low Alert" } alert BIGIP_SYSTEM_CHECK_E_POWER_LOW { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.129"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power too low Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_AVAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.135"; email toaddress="xxx@xxx.com,pnmoorthy@infosys.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_UNAVAIL { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.136"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_ENABLED { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.137"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_MCPD_MCPDERR_VIRTUAL_DISABLED { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.138"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Alert" } alert BIGIP_LIBHAL_CHASSIS_PS_IS_POWERED_ON { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.147"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power supply powered on Alert" } alert BIGIP_LIBHAL_CHASSIS_PS_IS_POWERED_OFF { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.148"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Power supply powered off Alert" } alert BIGIP_SYS_SHUTDOWN { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.151"; email toaddress="xxx@xxx.com" fromaddress="yyy@yyy.com" body="Device F5_LTM_Device Shutting down Alert" }

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 29, 2017

    where is the alert definition for the reject log (Rejecting this request [IP::client_addr])? did i misunderstand something?

     

  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for MVP rankMVP
    Dec 29, 2017

    @Saravanan,

    You are required to add new snmp trap in the alert conf file. Refer this article and configure your log string. something like below, but i'm not sure of the ip:port logic, does it need regex.

    alert Reject_request_alert "Rejecting this request (%s:%d) " {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
email toaddress="xxx@xxx.com"
fromaddress="yyy@yyy.com"
body="Rejecting this request (%s:%d)"
}

    I referred the /etc/httpd/run/bigip_error_maps.dat file, so the above should be okay.

  • bsb's avatar
    bsb
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2017

    tried this, but didnt succeed, not exactly sure how (%s:%d) fetches the error from log file, because in below case i am saving it to log local.

     

    when CLIENT_ACCEPTED { if { not [class match [IP::client_addr] equals datagrid] } { log local0. "Rejecting this request [IP::client_addr] " reject } }

     

    but i could see the system -- > logs -- > local traffic rejecting my traffic