
user_alert.conf, <matched message> and negation

dlg_23340
Cirrus

 

 

I'm using user_alert.conf to send emails about VIPs exceeding their connection limit, so we have a section in /config/user_alert.conf that looks like this:

 

 

alert BIGIP_IP_REJECT_CONN_LIMIT {
   email toaddress="dlg@example.com";
}

 

 

 

 

But now we have a customer that is using the LTM's connection limits to throttle the connection rate into an app so it's not overwhelmed. This results in thousands of emails, and of course it doesn't make the Exchange admins very happy.

 

 

Pretty much the only doc I'm able to find on user_alert.conf is sol3727, which just says that the alert line can look like this:

 

alert <alert_name> "<matched message>" {

 

 

but doesn't go on to explain what matched message can look like. I'd like to use a negation, so, any message that matches BIGIP_IP_REJECT_CONN_LIMIT that doesn't contain a particular port would generate an email, but log messages for that port would not.

 

 

Help?

 

 

4 REPLIES 4

nitass
F5 Employee
I'd like to use a negation, so, any message that matches BIGIP_IP_REJECT_CONN_LIMIT that doesn't contain a particular port would generate an email, but log messages for that port would not.

Do you have sample log messages for which you want to send, and not send, an email?

I think we can create multiple alert definitions, so it could be possible to specify which one we want to send out an email.

 

dlg_23340
Cirrus
Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 4848 proto UDP: Connection limit exceeded.

 

 

The remote IP changes, obviously, and we have several local IPs that are affected by this. So ideally I'd like to email on all messages except those that contain "port 4848 proto UDP".

nitass
F5 Employee
Can you try something like this?

 

 

[root@ve10:Active] config cat /config/user_alert.conf
alert TEST_1 "Packet rejected remote IP (.*) port (.*) local IP (.*) port 4848 proto UDP: Connection limit exceeded." {
}
alert BIGIP_IP_REJECT_CONN_LIMIT {
   email toaddress="someone@somedomain.com"
   fromaddress="root"
   body="this is message body."
}

contain "port 4848 proto UDP"

[root@ve10:Active] config logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 4848 proto UDP: Connection limit exceeded."
[root@ve10:Active] config tcpdump -nni 0.0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

not contain "port 4848 proto UDP"

[root@ve10:Active] config logger -p local0.notice "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 local IP 172.25.25.23 port 1234 proto UDP: Connection limit exceeded."
[root@ve10:Active] config tcpdump -nni 0.0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
17:44:21.039226 IP 172.28.19.253.49068 > 192.168.10.13.25: S 2008166789:2008166789(0) win 5840
17:44:21.204574 IP 192.168.10.13.25 > 172.28.19.253.49068: S 440775781:440775781(0) ack 2008166790 win 4380
17:44:21.205208 IP 172.28.19.253.49068 > 192.168.10.13.25: . ack 1 win 46

dlg_23340
Cirrus
That was not what I expected, but it works great. Thanks, nitass.
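
The suppression approach from nitass's reply, modelled offline so a candidate pattern can be checked against sample messages before it goes into /config/user_alert.conf. This is an added example, not part of the original thread and not F5's code. It assumes alert definitions are tried in file order and the first match decides the action (inferred from the behaviour shown in the thread), and the BIGIP_IP_REJECT_CONN_LIMIT pattern is a constructed stand-in for the built-in definition.

```python
import re

# Assumption: definitions are evaluated in order and the first match wins.
# This models the behaviour observed in the thread, not alertd's internals.
ALERTS = [
    # (name, pattern, sends_email). TEST_1 has an empty body, so no email.
    ("TEST_1",
     r"Packet rejected remote IP (.*) port (.*) local IP (.*) "
     r"port 4848 proto UDP: Connection limit exceeded.",
     False),
    # Constructed stand-in for the built-in definition's pattern.
    ("BIGIP_IP_REJECT_CONN_LIMIT",
     r"Packet rejected remote IP .* Connection limit exceeded",
     True),
]


def decide(message):
    """Return (alert_name, sends_email) for the first alert that matches."""
    for name, pattern, sends_email in ALERTS:
        if re.search(pattern, message):
            return name, sends_email
    return None, False


# Constructed sample log lines, modelled on the message posted in the thread.
PREFIX = "01200001:5: Packet rejected remote IP 10.10.10.10 port 4848 "
SUFFIX = ": Connection limit exceeded."
SAMPLES = {
    "local 4848/UDP": PREFIX + "local IP 172.25.25.23 port 4848 proto UDP" + SUFFIX,
    # Remote port is 4848 but local port is not: the pattern keys on the
    # local port only, so this one still generates an email.
    "local 1234/UDP": PREFIX + "local IP 172.25.25.23 port 1234 proto UDP" + SUFFIX,
    # Same port over TCP is not covered by the suppression pattern.
    "local 4848/TCP": PREFIX + "local IP 172.25.25.23 port 4848 proto TCP" + SUFFIX,
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        name, sends_email = decide(line)
        print(f"{label:15} -> {name}: {'email' if sends_email else 'suppressed'}")
```
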