Node UP and Node Down messages do not get written

what is your log.tmm.level?

 

 

this is mine.

 

 

[root@ve1023:Active] config b db log.tmm.level

 

Log.Tmm.Level = Notice

Mine is the same as your.

 

 

[root@c9lb01:Active] config b db log.tmm.level

 

Log.Tmm.Level = Notice

 

did you customize syslog-ng?

Not on purpose but previous sysadmins may have. We did change the syslog-ng.conf file to get things sent to a remote syslog server. However this issue preexisted that change. This was added to the end of the file.

 

 

destination remote_server {

 

udp("10.x.x.x" port (514));

 

};

 

filter f_alllogs {

 

level (debug...emerg);

 

};

 

log {

 

source(local);

 

filter(f_alllogs);

 

destination(remote_server);

 

};

 

 

 

It's likely related that we were unable to get remote syslog working through the proper commands, we followed the directions in the threads for properly setting it up - all changes had no effect until we added the above and restarted syslog-ng

 

 

I appreciate your attention to this matter! Thanks.

That is also set to "notice"

 

We understand about the remote syslog, but since it was the only way to get it working we know we need to change it when we cycle.

 

 

It's not been rebooted, I suppose we should plan a reboot over the holidays but it's heavily used 24/7 - before it went to prod we tested this and say only a 7 second outage when the secondary took over but it's still nerve racking to do this at anytime!

 

 

Ideally we can figure out what's wrong without needing the reboot? :)

Ideally we can figure out what's wrong without needing the reboot? :)i have no idea yet. anyway, have you ever opened a support case and provide them qkview? support engineer might be able to find something suspicious in qkview.

Unfortunately I do not have active support. The intention is to replace these with the F5 virtual offering sometime in the near future but for now we are just ensuring the F5 solution fits our customer requirements.

 

 

I'll let this sit until the new year then we'll try doing some of the same configurations on the backup system, if it works we'll plan a failover and reboot the primary.

 

 

I'll post those results.

 

 

I'm confident now this is not a simple configuration issue I've overlooked thanks to your inquiry's. So a reboot does seem to be the logical next step.

Unfortunately I do not have active support.every unit serial number has one free support case even there is no active contract. anyway, it will be treated as standard support i.e monday to friday daytime.

I have not yet rebooted but I have found the issue with my syslog-ng config not being set through the b command, a previous sysadmin had renamed the syslog-ng.conf link in the etc/syslog-ng/ directory. Setting that back the way it's supposed to be has put me to the same functionality as before without the risk of a reboot reset.

 

 

Since the previous sysadmin was making changes I'm wondering if the alert.conf file is correct.

 

 

The end of mine shows:

 

 

alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {

 

snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.29"

 

}

 

alert BIGIP_LOG_ALERT "^[0-9]{8}:1: (.*)" {

 

snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.30"

 

}

 

alert BIGIP_LOG_CRIT "^[0-9]{8}:2: (.*)" {

 

snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.31"

 

}

 

 

/* we not alert those two until we make sure the log level for

 

each message is accurate.

 

alert BIGIP_LOG_ERR "^[0-9]{8}:3: (.*)" {

 

snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.32"

 

}

 

alert BIGIP_LOG_WARNING "^[0-9]{8}:4: (.*)" {

 

snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.33"

 

}

 

 

 

How does this determine what traps are logged?

 

 

Could someone post a clean alert.conf for me to compare with?

 

 

Thanks in advance.