Spike_Li
F5 Employee

Recently I had some requests from customer security teams asking for an email to be sent from the F5 BIG-IP when certain events are triggered, such as a live update or a system failure.

The idea is to trace the system logs for the desired events and generate custom SNMP trap messages that in turn trigger email notifications. Most syslog entries and update messages can be found under the /var/log/ directory; the event triggers need to be identified as keywords in the log files when creating the custom SNMP OID.

So the objective is to identify which keywords in the log files are associated with ASM signature updates. Let's run a system signature live update from System ›› Software Management : Live Update:

[Screenshot: Live Update page]

And trace the ASM syslog:

[admin@ip-10-1-1-5:Active:Standalone] ~ # tail -f /var/log/asm
Jul  5 04:22:19 info perl[12566]: 01310053:6: ASMConfig change:  Sigfile Update Result [update]: Signatures updated successfully - 7663 signatures loaded (167 updated). Server Technologies updated successfully - 0 server technologies updated, 0 server technologies added, 0  server technologies deleted. { audit: component = Live Update }

As the phrase "Signatures updated successfully" will only appear upon completion of a signature update, we can use it as the log keyword that triggers a custom system OID associated with email alerts: https://support.f5.com/csp/article/K3727

For instance, you could add something like the following to /config/user_alert.conf:

alert ASM_UPDATE_STATUS "Signatures updated successfully (.*)" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.789"
}

and run a quick test by writing a log message into /var/log/ltm:

logger -p local0.notice "Signatures updated successfully"

From tcpdump we can see that the SNMP trap has been sent to the predefined SNMP server 10.1.1.16:

[admin@ip-10-1-1-5:Active:Standalone] ~ # tcpdump -nni eth0 host 10.1.1.16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:05:24.157832 IP 10.1.1.5.58211 > 10.1.1.16.162:  V2Trap(132)  .1.3.6.1.2.1.1.3.0=37745 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.789 .1.3.6.1.4.1.3375.2.4.1.1="Signatures updated successfully" .1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4

We can now run an actual live update to verify that the SNMP trap is triggered from /var/log/asm:

[Screenshot: Live Update page after the update completed]

It works the same way as the previous test with the LTM log: the SNMP trap is sent to the SNMP host.

[admin@ip-10-1-1-5:Active:Standalone] ~ # tcpdump -nni eth0 host 10.1.1.16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:20:42.785280 IP 10.1.1.5.58211 > 10.1.1.16.162:  V2Trap(399)  .1.3.6.1.2.1.1.3.0=129608 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.789 .1.3.6.1.4.1.3375.2.4.1.1="ASMConfig change:  Sigfile Update Result [update]: Signatures updated successfully - 7663 signatures loaded (167 updated). Server Technologies updated successfully - 0 server technologies updated, 0 server technologies added, 0  server technologies deleted. { audit: component = Live Update }" .1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4
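To check the two steps above offline, here is an added example (my own code, not part of the original article and not F5's alertd or tcpdump). It does two things: it applies the alert pattern from the user_alert.conf stanza to a few constructed log lines to show which ones would fire the alert, and it parses the tcpdump V2Trap summary line from the first test to confirm that the trap carries the expected OID and message. Assumptions: Python's re.search stands in for alertd's pattern matching; the pattern used is the later, space-free form "Signatures updated successfully(.*)" so that it also matches the bare logger test message; the failed-update log line is made up for illustration; the varbind names are labelled from their standard SNMPv2 meaning and from what the page's capture shows.

```python
import re

# Pattern copied from the page's final user_alert.conf stanza and the trap OID it
# raises. Python's re.search stands in for alertd's matcher (assumption).
ALERT_PATTERN = re.compile(r"Signatures updated successfully(.*)")
ALERT_TRAP_OID = ".1.3.6.1.4.1.3375.2.4.0.789"

# Varbinds seen in the page's tcpdump output: sysUpTime.0 and snmpTrapOID.0 are
# standard SNMPv2; the third carries the matched log text in F5's trap.
SYS_UPTIME = ".1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"
F5_TRAP_MESSAGE = ".1.3.6.1.4.1.3375.2.4.1.1"

# Constructed sample log lines: the first is modelled on the /var/log/asm entry
# shown on the page, the second is a made-up failure line (not real F5 output),
# the third is what the page's `logger` test produces in /var/log/ltm.
SAMPLE_LOG_LINES = [
    "Jul  5 04:22:19 info perl[12566]: 01310053:6: ASMConfig change:  Sigfile Update "
    "Result [update]: Signatures updated successfully - 7663 signatures loaded "
    "(167 updated). { audit: component = Live Update }",
    "Jul  5 04:10:02 info perl[12566]: 01310053:6: ASMConfig change:  Sigfile Update "
    "Result [update]: Signature update failed (constructed example line) "
    "{ audit: component = Live Update }",
    "Jul  5 05:05:24 notice admin: Signatures updated successfully",
]

# The tcpdump summary line from the page's first test, used as parser input.
SAMPLE_TRAP_LINE = (
    "05:05:24.157832 IP 10.1.1.5.58211 > 10.1.1.16.162:  V2Trap(132)  "
    ".1.3.6.1.2.1.1.3.0=37745 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.789 "
    '.1.3.6.1.4.1.3375.2.4.1.1="Signatures updated successfully" '
    ".1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4"
)

_TRAP_HEADER = re.compile(r"IP (\S+) > (\S+):\s+V2Trap\((\d+)\)\s+(.*)$")
# One varbind: an OID key, '=', then either a double-quoted string or a bare token.
_VARBIND = re.compile(r'(\.[\d.]+)=("(?:[^"\\]|\\.)*"|\S+)')


def matching_lines(lines, pattern=ALERT_PATTERN):
    """Return the log lines the alert pattern would fire on."""
    return [line for line in lines if pattern.search(line)]


def parse_trap(line):
    """Parse a tcpdump 'V2Trap(...)' summary line into source, destination,
    payload length and a dict of OID -> value (quotes stripped from strings)."""
    header = _TRAP_HEADER.search(line)
    if header is None:
        raise ValueError("not a tcpdump V2Trap summary line")
    src, dst, length, rest = header.groups()
    varbinds = {}
    for oid, value in _VARBIND.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        varbinds[oid] = value
    return {"src": src, "dst": dst, "length": int(length), "varbinds": varbinds}


def trap_matches_alert(line, expected_oid=ALERT_TRAP_OID,
                       keyword="Signatures updated successfully"):
    """True if the captured trap carries the alert's OID and the keyword in
    its message varbind, i.e. the alert stanza fired as intended."""
    varbinds = parse_trap(line)["varbinds"]
    return bool(varbinds.get(SNMP_TRAP_OID) == expected_oid
                and keyword in varbinds.get(F5_TRAP_MESSAGE, ""))


if __name__ == "__main__":
    for line in matching_lines(SAMPLE_LOG_LINES):
        print("would fire alert:", line)
    trap = parse_trap(SAMPLE_TRAP_LINE)
    print("trap to", trap["dst"], "uptime", trap["varbinds"][SYS_UPTIME])
    print("alert fired correctly:", trap_matches_alert(SAMPLE_TRAP_LINE))
```

Running the script lists the two lines that fire the alert (the successful update and the logger test message, but not the failure line) and reports that the captured trap carries OID .1.3.6.1.4.1.3375.2.4.0.789 with the keyword in its message varbind. Pointing parse_trap at your own tcpdump output is a quick way to confirm a stanza fires before wiring the email action to it.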

Finally, we can create an email alert together with the SNMP trap, like the following, in /config/user_alert.conf:

alert BIGIP_SIG_UPDATE_COMPLETE "Signatures updated successfully(.*)" {
  snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.789";
  email toaddress="demo@askf5.com"
  fromaddress="root"
  body="The Signature has been updated!"
}

How to create email notification:  https://support.f5.com/csp/article/K3667

This trick can also be applied to any event-based notification you'd like to have, using your preferred combination of keywords from the log files. If you prefer an easy setup that receives notifications directly from the BIG-IP instead of using your log server with filtering for tailored events, I hope you find this helpful.

Last update: 11-Jul-2022 15:11