dlg_23340
Feb 28, 2013

user_alert.conf, <matched message> and negation

I'm using user_alert.conf to send emails about VIPs exceeding their connection limit, so we have a section in /config/user_alert.conf that looks like this:

alert BIGIP_IP_REJECT_CONN_LIMIT {
    email toaddress="dlg@example.com";
}

But now we have a customer that is using the LTM's connection limits to throttle the connection rate into an app so it's not overwhelmed. This results in thousands of emails, and of course it doesn't make the Exchange admins very happy.

Pretty much the only doc I'm able to find on user_alert.conf is sol3727, which just says that the alert line can look like this:

alert <alert_name> "<matched message>" {

but doesn't go on to explain what matched message can look like. I'd like to use a negation, so, any message that matches BIGIP_IP_REJECT_CONN_LIMIT that doesn't contain a particular port would generate an email, but log messages for that port would not.

Help?

4 Replies

  • I'd like to use a negation, so, any message that matches BIGIP_IP_REJECT_CONN_LIMIT that doesn't contain a particular port would generate an email, but log messages for that port would not.

    Do you have a sample log message which you want to send and not send email?

    I think we can create multiple alert definitions, so it could be possible to specify which one we want to send out an email.

  • Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 4848 proto UDP: Connection limit exceeded.

    The remote IP changes, obviously, and we have several local IPs that are affected by this. So ideally I'd like to email on all messages except those that contain "port 4848 proto UDP".
  • Can you try something like this?

    [root@ve10:Active] config  cat /config/user_alert.conf
    alert TEST_1 "Packet rejected remote IP (.*) port (.*) local IP (.*) port 4848 proto UDP: Connection limit exceeded." {
    }
    alert BIGIP_IP_REJECT_CONN_LIMIT {
            email toaddress="someone@somedomain.com"
            fromaddress="root"
            body="this is message body."
    }
    
     contain "port 4848 proto UDP"
    
    [root@ve10:Active] config  logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 4848 proto UDP: Connection limit exceeded."
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    
     not contain "port 4848 proto UDP"
    
    [root@ve10:Active] config  logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 1234 proto UDP: Connection limit exceeded."
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    17:44:21.039226 IP 172.28.19.253.49068 > 192.168.10.13.25: S 2008166789:2008166789(0) win 5840 
    17:44:21.204574 IP 192.168.10.13.25 > 172.28.19.253.49068: S 440775781:440775781(0) ack 2008166790 win 4380 
    17:44:21.205208 IP 172.28.19.253.49068 > 192.168.10.13.25: . ack 1 win 46
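
To check a suppression pattern against sample log lines before it goes into /config/user_alert.conf, the following added example (not part of the thread and not F5 code) models what the reply's test shows: an empty alert definition listed first absorbs the messages it matches, so only the rest reach the emailing alert. The first-match model, the stand-in pattern for the stock alert and the use of Python's regex engine in place of the device's matcher are assumptions.

```python
import re

# Constructed copy of the configuration posted in the reply above.
USER_ALERT_CONF = r'''
alert TEST_1 "Packet rejected remote IP (.*) port (.*) local IP (.*) port 4848 proto UDP: Connection limit exceeded." {
}
alert BIGIP_IP_REJECT_CONN_LIMIT {
        email toaddress="someone@somedomain.com"
        fromaddress="root"
        body="this is message body."
}
'''

# Assumption: stand-in pattern for the stock alert, which the file names without a pattern.
BUILTIN = {"BIGIP_IP_REJECT_CONN_LIMIT": r"Packet rejected remote IP .* Connection limit exceeded\."}

ALERT_RE = re.compile(r'^alert[ \t]+(\w+)(?:[ \t]+"([^\n]*)")?[ \t]*\{(.*?)^\}', re.M | re.S)

def parse_alerts(conf):
    """Return (name, compiled pattern, sends_email) tuples in file order."""
    return [(name, re.compile(pattern or BUILTIN[name]), "email" in body)
            for name, pattern, body in ALERT_RE.findall(conf)]

def first_match(alerts, line):
    """Assumed model: the first definition whose pattern matches handles the line."""
    for name, rx, sends_email in alerts:
        if rx.search(line):
            return name, sends_email
    return None, False

PREFIX = "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 "
SAMPLES = [  # first two are the reply's logger test messages; the third is constructed
    PREFIX + "port 4848 proto UDP: Connection limit exceeded.",
    PREFIX + "port 1234 proto UDP: Connection limit exceeded.",
    PREFIX + "port 4848 proto TCP: Connection limit exceeded.",
]

if __name__ == "__main__":
    alerts = parse_alerts(USER_ALERT_CONF)
    for line in SAMPLES:
        name, sends_email = first_match(alerts, line)
        print(f"{'EMAIL  ' if sends_email else 'no mail'} {name}: {line}")
```

The third sample shows that the suppression is scoped to UDP on local port 4848 only; on the device itself, the reply's logger and tcpdump test remains the authoritative check.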