alert
14 Topics

F5 custom user_alert.conf same trap with alert.conf
Hi,

Refer to https://support.f5.com/csp/article/K3727. We should use a different name and a different match message from the one in alert.conf.

If I want to set an email alert on CPU temp high (this stanza is in alert.conf):

    alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4";
        lcdwarn description="CPU Temp too high." priority="3"
    }

How can I do it in user_alert.conf? Should I just copy the above stanza into user_alert.conf? E.g.:

    alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH {   >>>> same name
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4";   >>> same oid
        lcdwarn description="CPU Temp too high." priority="3";
        email toaddress="test@test.com" fromaddress="f5@test.com"
    }

Solved, 1.1K views, 0 likes, 1 comment

Forwarding ASM Event Logs to AWS Cloudwatch v15.1.2.1
Hi,

Running in an AWS setup, our requirement is to receive HTTP request logs from WAF onto Cloudwatch. We have followed the following:

1.5.2. WAF HTTP Request and Security Logging to CloudWatch (f5.com)

Using this template: f5-cloud-iapps/f5.cloud_logger.v1.0.0.tmpl at master · F5Networks/f5-cloud-iapps · GitHub

We aren't receiving any traffic logs on Cloudwatch. The cloudwatch logging profile has been added to every virtual server under VS>Security>Policies. LTM logging is not what we want, and we had disabled it while configuring the iApp, hence there is no remote logging profile for LTM. There is no outbound traffic from the management in a TCP Dump.

Now the questions:

1.) In the support matrix of the iApp template in Cloud Logger iApp template (f5.com), it states that the supported BIG-IP versions are 12.1.x-14.x and unsupported are 12.0.0 and earlier. What about v15.x and above? Could that be the reason for it not working? If yes, then is it even possible in this case at all?

2.) In the lab tutorial, it states that it is an AWS auto-scale environment. Whereas, we're running just a standard Active-Active HA pair. Will configuration differ?

3.) Our main goal is to generate email alerts for every blocked request that we are receiving on our WAF. We don't have a syslog server in the environment presently. Since ASM doesn't store logs locally and hence SNMP can't work, we are looking at possible options. It's a fairly small setup with not much traffic.

666 views, 0 likes, 0 comments

email alert notification not working when member came up again
Hello guys,

I've configured this:

https://support.f5.com/csp/article/K3667
https://support.f5.com/csp/article/K59616664

I receive alerts when a node goes down, but not when it comes up again. What could be the problem?

    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:5sec ]
    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:6sec ]
    Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01071682:5: SNMP_TRAP: Virtual /Common/dev-myweb has become unavailable
    Oct 3 23:02:59 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:2sec ]
    Oct 3 23:03:02 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:5sec ]

611 views, 0 likes, 9 comments

Send email on reaching bandwidth threshold
Hello Devcentral!

I've been looking for a way to send out an email from an F5 BIG-IP (12.1.2) but I cannot find anything that tells me if a) this can be done and b) how to do that. I do have ASMs running around that I send emails from using the alert.conf on the CLI, but that /var/log/ltm message of "Bandwidth exceeded by 75% ... " etc. etc., I want that to be sent out as well.

Any tips are greatly appreciated.

With kind regards,
DLP

P.S.: We do not log from these specific F5s to a SIEM of any kind, otherwise I could have gotten my information that way :)

500 views, 0 likes, 3 comments

iControl or script to get dynamic route from F5
Hi,

I currently use F5 with dynamic routing (Learn BGP dynamic route from neighbor router). Problem is sometimes router can't send me route and all dynamic route is gone. (we got downtimes and there is no alert to us)

Do we have iControl script or any script command to get route list from F5? I only know tmsh command to get dynamic route. So there will be alert to us when routing have a problem.

Thank you

421 views, 0 likes, 1 comment

Expiring SSL certificate alerts
I want to send out a mail from F5 when a certificate is about to expire. So far I have done this.

Configured mail. Did a test mail with the below code.

    echo "ssmtp test mail" | mail -vs "Test email for SOL15288" user@mydomain.com

Below code in "/config/user_alert.conf":

    alert CERTIFICATE_EXPIRED "Certificate (.*) expired" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
        email toaddress="user@mydomain.com"
        body="Certificate Expired on "
    }
    alert CERTIFICATE_WILL_EXPIRE "Certificate (.*) will expire" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
        email toaddress="user@mydomain.com"
        body="Certificate will Expire on "
    }

And then I run "run sys crypto check-cert" from tmsh. Still I don't get any alert mails.

399 views, 0 likes, 1 comment

Wrong SNMP Trap email alert being triggered in user_alert.conf
I currently have two webpages being hosted on the same server. I am using F5 to monitor those pages with the HTTPS health monitor. I have two separate monitors for the two pages. My goal was to be able to receive email alerts when one of the monitors would fail, but I wanted the email to state which monitor exactly was the one generating the alert so that I can know immediately which page is no longer up.

I did the following in the user_alert.conf:

    alert WEBPAGE1 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage1_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.200";
        email toaddress="anton639@email.com"
        fromaddress="F5_BIGIP "
        body="Webpage1 Monitor Fail"
    }
    alert WEBPAGE2 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage2_Monitor from 10.10.X.X : connect: timeout search result false)" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.201";
        email toaddress="anton639@email.com"
        fromaddress="F5_BIGIP "
        body="Webpage2 Monitor Fail"
    }

My issue is that when I am testing and I intentionally stop webpage 2 from running, I am receiving the email alert for webpage one. I am assuming the SNMP trap text used to identify the event is not differentiating between the two monitors and is sending the first SNMP trap in the list.

Is it possible to send an email alert for the specific health monitor that is failing even though the monitors are of the same type? What can be changed in my configuration to achieve this? Your assistance will be appreciated.

322 views, 0 likes, 2 comments

Email Alert when DDoS Starts / Ends
Hi,

I have a DDoS profile setup which I have confirmed is working and logging in the DoS Event Logs. How can I setup an email notification for events such as 'Attack Started' and 'Attack Ended'? I am using BIP Ver 12.1.1. I have looked at SNMP traps however it seems that since 11.6 that is no longer an option.

Thank you

318 views, 0 likes, 2 comments

alert email customization options
Working from sol3667 (send email from alertd) and sol13180 (configuring email) I got this working. Only it remains rather basic: the title of the email is the log line and the body is a fixed text. Is this just what it is, or is there more to configure? To start with I would like to control the subject and put the details in the body.

316 views, 0 likes, 4 comments