Forum Discussion

Cirrus

Feb 28, 2013

user_alert.conf, <matched message> and negation

I'm using user_alert.conf to send emails about VIPs exceeding their connection limit, so we have a section in /config/user_alert.conf that looks like this: alert BIGIP_IP_RE...

management

monitoring

nitass

Employee

Mar 01, 2013

can you try something like this?

[root@ve10:Active] config  cat /config/user_alert.conf
alert TEST_1 "Packet rejected remote IP (.*) port (.*) local IP (.*) port 4848 proto UDP: Connection limit exceeded." {
}
alert BIGIP_IP_REJECT_CONN_LIMIT {
        email toaddress="someone@somedomain.com"
        fromaddress="root"
        body="this is message body."
}

 contain "port 4848 proto UDP"

[root@ve10:Active] config  logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 4848 proto UDP: Connection limit exceeded."

[root@ve10:Active] config  tcpdump -nni 0.0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

 not contain "port 4848 proto UDP"

[root@ve10:Active] config  logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 1234 proto UDP: Connection limit exceeded."

[root@ve10:Active] config  tcpdump -nni 0.0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
17:44:21.039226 IP 172.28.19.253.49068 > 192.168.10.13.25: S 2008166789:2008166789(0) win 5840 
17:44:21.204574 IP 192.168.10.13.25 > 172.28.19.253.49068: S 440775781:440775781(0) ack 2008166790 win 4380 
17:44:21.205208 IP 172.28.19.253.49068 > 192.168.10.13.25: . ack 1 win 46

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)