Forum Discussion
Roman_80473
Nimbostratus
Nimbostratuswhere does my iRule log to?
Hi folks,
I'm trying to figure out where does my iRile log to. I have a simple iRule attached to vserver on LTM 9.4.8:
when CLIENT_ACCEPTED {
Log messages to /var/log/ltm? (0=no, 1=yes)
log local0. "In client accepted ..."
}
When I run the traffic thru, I don't see any of the log files updated in /var/log/. If, I however, put smth stupid in the file, like log banana, /var/log/ltm gets updated with an error message:
[Invalid syslog level - bad facility: banana] [log banana. "In client accepted ..."]
The syslog-ng.conf has entry local0. which actually points to /var/log/ltm commented out. Might that be a reason?
Any help is appreciated.
Roman
hooleylistCirrostratus
Hi Roman,
The log command expects either just one parameter (the log message) or a valid syslog facility (local0 - local7). Can you post the syslog-ng.conf file in [ code ] [/ code ] blocks (without the spaces)?
Aaron- hooleylistThat's not actually commented out. It's just a comment on what the statement is being used to do. Your ltm logs should be logged locally and to the two remote syslog servers.
Can you add a RULE_INIT event with the following code to test and check /var/log/ltm for the output:when RULE_INIT { log local0. "Here" }
Aaron 
Roman_80473Hi Aaron,
Yep, I get "Here" in the ltm log as soon as I save the rule in the editor. However, if I go to the website which uses vserver, nothing is printed in that log. Am I doing smth wrong?
Thanks Roman- hooleylistIs the virtual server under heavy load or are you just testing with single requests?
The message from CLIENT_ACCEPTED might be getting throttled if there are a lot of repeated logs with the same message ID. Do you see messages like this in /var/log/ltm?
mcpd[2239]: 01070727:6: Per-invocation log rate exceeded; throttling.
mcpd[2239]: 01070638:6: Resuming log processing at this invocation; held 22 messages.
sol10524: Error Message: Per-invocation log rate exceeded
http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10524.html
Aaron - Roman_80473It's dev server, so I doubt there's much traffic there. When I initially saved the rule, this is what I saw in ltm:
Jun 10 14:59:05 tmm tmm[1850]: Rule : Here
And that's it!
I have a pool w few members on vserver, and iRule (with RULE_INIT and CLIENT_ACCEPTED events) shows as enabled. When I access website using vserver ip, I see the apps running, but I don't get my "Here" in /var/log/ltm. Does it print elsewhere, i.e. remote server like you've suggested?
Thanks Roman - hooleylistI'm not sure what would cause this if the RULE_INIT log statement works with local0. and you see a runtime TCL error in /var/log/ltm when you change the syslog facility to something invalid. You might try opening a case with Support on this and ask them for help troubleshooting this.
Aaron - Roman_80473I'll resort to support if I'm abs stuck. I wanted to debug the rule to see if it's actually being executed. I'll dig some more.
Thanks for all your help.
Roman