user alert on apm logs

I try to trigger a command when a specific log is written on /var/log/apm. It works on 2 different non-prod BIG-IPs, but on a third one in production it only works with /var/log/ltm logs.

user_alert.conf: "failed" is common in my ltm logs. "New session" is common in apm logs.

So this works (triggered from ltm logs):

alert test "failed" {
    exec command="logger -p local0.notice 'test'"
}

This doesn't (not triggered from apm logs):

alert test "New session" {
    exec command="logger -p local0.notice 'test'"
}

Do you have any idea why?

user_alert.conf limited regex

Hello, it seems regexes in user_alert.conf are limited, but I didn't find any good documentation. I would like a script to be executed with this log line:

Aug 27 09:03:42 xxxxxxxx.mgt.xxxxxxxx.corp notice tmm2[26043]: 01490549:5: /Common/xxxxxxxx_policy:Common:eb1a58a1: Assigned PPP Dynamic IPv4: 100.100.100.100 ID: d60f8480 Tunnel Type: VPN_TUNNELTYPE_DTLS NA Resource: /Common/Network_xxxxxx Client IP: 100.100.100.200

But not with:

Aug 27 09:03:42 xxxxxxxx.mgt.xxxxxxxx.corp notice tmm2[26043]: 01490549:5: /Common/xxxxxxxx_policy:Common:eb1a58a1: Assigned PPP Dynamic IPv4: 100.100.100.100 ID: d60f8480 Tunnel Type: VPN_TUNNELTYPE_DTLS NA Resource: /Common/Network_xxxxxx Client IP: 100.100.100.200 - Reconnect

This line takes both but works:

alert log_username_vpn_ip "Assigned PPP Dynamic IPv4" {
    exec command="/shared/scripts/xxxxxxxxxxx.sh"
}

These two should work but make alertd restart over and over:

alert log_username_vpn_ip "Assigned PPP Dynamic IPv4.*\d$" {
    exec command="/shared/scripts/xxxxxxxxxxx.sh"
}

alert log_username_vpn_ip "Assigned PPP Dynamic IPv4.*\d(?!.*Reconnect)" {
    exec command="/shared/scripts/log_username_vpn_ip_logon.sh"
}

Any idea?

Regular expression format in user_alert.conf

I'm trying to use iCall and an event from user_alert.conf to fail over a BIG-IP VE cluster if an arbitrary BGP neighbor goes down. I have the handler and script working just fine if the event only looks in my logs for a static phrase, but when I have it look for a regex instead, it no longer works. However, if I test in a tool like regex101 with my expression and a log entry, it matches just fine.

Here's my user_alert.conf (sanitized of course):

alert bgp_neighbor_down "neighbor 100.200.[0-9]{1,3}.[0-9]{1,3} Down" {
    exec command="tmsh generate sys icall event neighbordown context { { name protocol value bgp } }"
}

And one of the logs I'm trying to match on:

2024/06/20 15:04:32 informational: BGP : %BGP-5-ADJCHANGE: neighbor 100.200.30.4 Down BGP Notification CEASE

If I then run imish and shut down a neighbor that should match that regex, the device I'm on stays active. Any thoughts on what else I can try?

email alert notification not working when member came up again

Hello guys, I've configured this:

https://support.f5.com/csp/article/K3667
https://support.f5.com/csp/article/K59616664

I receive alerts when a node goes down, but not when it comes up again. What could be the problem?

Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:5sec ]
Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01070640:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status down. [ /Common/icmp: down ] [ was up for 24hrs:2mins:6sec ]
Oct 3 23:02:57 my.website.com notice mcpd[8459]: 01071682:5: SNMP_TRAP: Virtual /Common/dev-myweb has become unavailable
Oct 3 23:02:59 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.18 address 172.17.70.18 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:2sec ]
Oct 3 23:03:02 my.website.com notice mcpd[8459]: 01070728:5: Node /Common/172.17.70.19 address 172.17.70.19 monitor status up. [ /Common/icmp: up ] [ was down for 0hr:0min:5sec ]

Wrong SNMP Trap email alert being triggered in user_alert.conf

I currently have two webpages being hosted on the same server. I am using F5 to monitor those pages with the HTTPS health monitor. I have two separate monitors for the two pages. My goal was to be able to receive email alerts when one of the monitors would fail, but I wanted the email to state which monitor exactly was the one generating the alert so that I can know immediately which page is no longer up. I did the following in the user_alert.conf:

alert WEBPAGE1 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage1_Monitor from 10.10.X.X : connect: timeout search result false)" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.200";
    email toaddress="anton639@email.com" fromaddress="F5_BIGIP " body="Webpage1 Monitor Fail"
}

alert WEBPAGE2 Monitor Fail " SNMP_TRAP: Pool /Common/Test_Pool member Server_Test (ip:port=10.100.X.X:0) state change green --> red ( Monitor /Common/WebPage2_Monitor from 10.10.X.X : connect: timeout search result false)" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.201";
    email toaddress="anton639@email.com" fromaddress="F5_BIGIP " body="Webpage2 Monitor Fail"
}

My issue is that when I am testing and I intentionally stop webpage 2 from running, I am receiving the email alert for webpage one. I am assuming the SNMP trap text used to identify the event is not differentiating between the two monitors and is sending the first SNMP trap in the list. Is it possible to send an email alert for the specific health monitor that is failing even though the monitors are of the same type? What can be changed in my configuration to achieve this? Your assistance will be appreciated.

F5 custom user_alert.conf same trap with alert.conf

Hi, refer to https://support.f5.com/csp/article/K3727. We should use a different name and a different match message from the one in alert.conf.

If I want to set an email alert on CPU temp high (this stanza is in alert.conf):

alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4";
    lcdwarn description="CPU Temp too high." priority="3"
}

How can I do it in user_alert.conf? Should I just copy the above stanza into user_alert.conf? E.g.:

alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH {                >>>> same name
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4";             >>>> same OID
    lcdwarn description="CPU Temp too high." priority="3";
    email toaddress="test@test.com" fromaddress="f5@test.com"
}

iControl or script to get dynamic route from F5

Hi, I currently use F5 with dynamic routing (learning BGP dynamic routes from a neighbor router). The problem is that sometimes the router can't send me routes and all dynamic routes are gone. (We get downtime and there is no alert to us.) Do we have an iControl script or any script command to get the route list from F5? I only know the tmsh command to get dynamic routes. So there will be an alert to us when routing has a problem. Thank you.

Forwarding ASM Event Logs to AWS Cloudwatch v15.1.2.1

Hi, running in an AWS setup, our requirement is to receive HTTP request logs from WAF onto CloudWatch. We have followed the following: 1.5.2. WAF HTTP Request and Security Logging to CloudWatch (f5.com), using this template: f5-cloud-iapps/f5.cloud_logger.v1.0.0.tmpl at master · F5Networks/f5-cloud-iapps · GitHub.

We aren't receiving any traffic logs on CloudWatch. The CloudWatch logging profile has been added to every virtual server under VS > Security > Policies. LTM logging is not what we want, and we had disabled it while configuring the iApp, hence there is no remote logging profile for LTM. There is no outbound traffic from the management interface in a TCP dump.

Now the questions:

1.) In the support matrix of the iApp template in Cloud Logger iApp template (f5.com), it states that the supported BIG-IP versions are 12.1.x-14.x and unsupported are 12.0.0 and earlier. What about v15.x and above? Could that be the reason for it not working? If yes, then is it even possible in this case at all?

2.) In the lab tutorial, it states that it is an AWS auto-scale environment, whereas we're running just a standard Active-Active HA pair. Will the configuration differ?

3.) Our main goal is to generate email alerts for every blocked request that we are receiving on our WAF. We don't have a syslog server in the environment presently. Since ASM doesn't store logs locally and hence SNMP can't work, we are looking at possible options. It's a fairly small setup with not much traffic.

Send email on reaching bandwidth threshold

Hello DevCentral! I've been looking for a way to send out an email from an F5 BIG-IP (12.1.2), but I cannot find anything that tells me if a) this can be done and b) how to do that. I do have ASMs running around that I send emails from using the alert.conf on the CLI, but that /var/log/ltm message of "Bandwidth exceeded by 75% ... " etc. etc., I want that to be sent out as well. Any tips are greatly appreciated.

With kind regards,
DLP

P.S.: We do not log from these specific F5s to a SIEM of any kind, otherwise I could have gotten my information that way :)

Expiring SSL certificate alerts

I want to send out a mail from F5 when a certificate is about to expire. So far I have done this: configured mail, and did a test mail with the below code:

echo "ssmtp test mail" | mail -vs "Test email for SOL15288" user@mydomain.com

Below is the code in "/config/user_alert.conf":

alert CERTIFICATE_EXPIRED "Certificate (.*) expired" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
    email toaddress="user@mydomain.com" body="Certificate Expired on "
}

alert CERTIFICATE_WILL_EXPIRE "Certificate (.*) will expire" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
    email toaddress="user@mydomain.com" body="Certificate will Expire on "
}

And then I run "run sys crypto check-cert" from tmsh. Still I don't get any alert mails.