SSL Certificate Alerts via Email
Hello, This is my first post here and I am relatively new to this and have been lightly working with the f5 for a few years but nothing to this extent. I am trying to setup receiving emails for when my certificates are about to expire. I am trying to run this on a weekly basis using cron. I have followed: https://community.f5.com/t5/crowdsrc/ssl-certicate-report/ta-p/278398 I am able to receive emails when doing the following command: echo "Automated SSL Certificate Report" | mail -vs "Test Email for Automated SSL Certificate Report"my@email.com When I try to run my script I am not able to recieve and email and not getting anything back. Here is what I have so far: Command: tmsh edit cli script certificatereport.tcl Output: modify script certificatereport.tcl { proc script::run {} { # Iterate through certs in files set hostname [exec {/bin/hostname}] set reportdate [exec {/bin/date}] puts "---------------------------------------------------------------------" puts "Certificate report for BIG-IP $hostname " puts "Report Date: $reportdate" puts "---------------------------------------------------------------------" puts "\n\n" set certcount 0 set certproblems 0 set certwarnings 0 foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ * ] { incr certcount # Get Certificate Subject set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end] set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1] set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1] # Clean up bad X509 date fields removing multiple spaces before tokenizing them regsub -all -- {[[:space:]]+} $start " " start regsub -all -- {[[:space:]]+} $stop " " stop set startparts [split $start] set stopparts [split $stop] set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}] set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}] # Date Math if { $activatedseconds > 0 } { puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: certificate is not valid yet. It will be valid on $start." puts "\tActivates in: [expr {$activatedseconds / 86400}] days." puts "---------------------------------------------------------------------" incr certproblems #} elseif { $expiredseconds > 0 } { # puts "File: $file" # puts "\tCN: $cn certificate" # puts "\tError: is not valid because it HAS EXPIRED on $stop." #puts "\tEXPIRED: [expr {$expiredseconds / 86400}] days ago." #puts "---------------------------------------------------------------------" #incr certproblems } elseif { [expr {$expiredseconds * -1}] < 2629743 } { # All certs that will expire within this month puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: WILL EXPIRE ON $stop." puts "\tWILL EXPIRE IN: [expr {$expiredseconds / -86400}] days." puts "---------------------------------------------------------------------" incr certwarnings } } puts "\n" puts "$certcount Certificates Found" puts "$certproblems Certificate Errors Found" puts "$certwarnings Certificate Warnings Found" } } *Note: I am able to run this using Commandrun cli script certificatereport.tcl and recieve the correct output Command: cat automated_certificate_email.sh Output: tmsh run cli script certificatereport.tcl > /var/tmp/certificate-out.txt from="myf5@domain.com" to="my@email.com" subject="Automated SSL Certificate Report" mail -s "$subject" -r "$from" -a "/var/tmp/certificate-out.txt" "$to" I have not bothered with setup of the crontab configuration yet until I can run the script using the following command and actually receive the email: Command: ./automated_certificate_email.sh *Right now when I run this command it will create a file and put the output in the correct certificate-out.txt and I can view it using cat certificate-out.txtbut it never finishes running and never send the email.Solved2.1KViews0likes5CommentsF5 ltm email alert customizing.
Hello, I have a questions some F5 ltm email alert. Using the /config/user_alert.conf, and F5 sent email alert to customizing. So I received the email, but email subject was so long long... Examples, "01070638:5: Pool xxxxxx member xxxx:80 monitor status down. [ /Common/xxxxx: down; last error: /Common/xxxxxx: Response Code: 200 (OK); Downed instance came up.; Unable to connec..." I want to email subject customizing that "01070638:5: Pool xxxxxx member xxxx:80 monitor status down." and email body fill the detail syslog include. I read other question that add the text. It's not working that user_alert.conf. alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS "Pool xxx member xxxxx:80 monitor status down." { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10"; email toaddress="gds@wemakeprice.com" body="Subject: Pool xxx member xxxxx:80 monitor status down." } Would please ASAP please give me the solution. waiting for your reply...512Views1like2CommentsFalse alerts being generated
Once or twice a day My F5 Big IP device would generate email alerts saying that either a that either a monitor was triggered or some network device (server/ firewall) state has been changed from green to red when we know for a fact that the devices are fine and functional. Within less than a minute we would be notified that the issue has been resolved. The system we are monitoring is critical and it would cause a lot of problems if we continue getting these false alerts. I understand that the cause would be that the F5 in not receiving some response within a timeout period and that generates the alerts. Is there a way to fix this? Can I eliminate or at least try to minimize as much these false alerts being generated by F5?215Views0likes1CommentDisable alerts on pool / pool member
Hi, Without disabling the health monitor, is there a way to stop alerts for a particular pool or pool member being sent to my alerting server? I believe the alerting on F5 is a global thing.. And I also assume the health monitor is required for load balancing to take effect... Cheers....306Views0likes1CommentSimplifying the editing of alert.conf on multiple devices
I'm in the process of doing email alert notifications following Sol3667: Configuring alerts to send email notifications. Instead of editing all alert.conf in several BIG-IP's one by one, is it safe to edit one alert.conf, copy the file to a remote computer and paste the file to the other BIG-IP devices? The BIG-IP hardware are 3600's and 1600's. Some are running on software 11.3.0 and some are running on 11.5.1. I saw some alerts intended for blades (e.g. BIGIP_SYSTEM_CHECK_E_BLADE_TEMP_HIGH_1) in the 1600 alert.conf so I was thinking that this file can be applied to any model since this alert is only applicable to the Viprion model. Suggestions for simplifying the process of applying SOL3667 to multiple devices will be highly appreciated.399Views0likes5Comments