Using an external monitor is a good idea, as this will be part of the configuration and thus survive any upgrades.
b conn | grep | awk '{print $1 }'| cut -d: -f1 | uniq -c | sort
"b conn" is a good starting point, however I do see two problems:
1.) If the connection table is very large, it can take several seconds to get the whole table. And it might put some load on the system. I also had situations where "b conn" just hung and never returned anything.
2.) With "b conn" you will only see those connections that are active while the monitor script is running. If a connection was closed just a few seconds before your monitor script was started, you won't see that connection.
I suggest using a session table to add an entry for each syslog source IP. Create an iRule similar to this.
WARNING: Totally UNTESTED code. Not even checked for syntax. Just the basic idea!!!
    when RULE_INIT {
        # seconds a table entry lives without being refreshed
        set ::syslog_table_timeout 60
        set ::syslog_sources { "10.1.1.1" "10.1.1.2" "10.1.1.3" }
    }
    when CLIENT_ACCEPTED {
        set table_entries [table keys -count -subtable syslog_sources]
        if {$table_entries < [llength $::syslog_sources]} {
            # if we have less than the number of syslog sources in the table, one must have stopped sending
            # let's find those servers. We have to loop over the list of syslog sources
            foreach source_ip $::syslog_sources {
                # table lookup returns an empty string when the key is missing or expired
                if { [table lookup -notouch -subtable syslog_sources $source_ip] eq "" } {
                    log local0. "SYSLOG::WARNING: no message from $source_ip for $::syslog_table_timeout seconds"
                    # update the table entry, otherwise we will loop forever here
                    table set -subtable syslog_sources $source_ip "inactive" $::syslog_table_timeout
                }
            }
        } else {
            # update the table entry and its timeout value
            table set -subtable syslog_sources [IP::client_addr] "active" $::syslog_table_timeout
        }
    }
This iRule will be triggered if any of the syslog sources sends some data. However, there is still one problem. If ALL syslog sources stop sending messages, the iRule will no longer be triggered and thus it will not detect anything. SOLUTION: Add a monitor that monitors the virtual server IP (the LB monitors itself!) with a simple TCP/UDP monitor. The monitor will just help to trigger the iRule every few seconds.
🙂
Now you have the WARNING messages in the log (/var/log/ltm). If you want to receive an email or an smtp trap, please configure alertd to react to messages that start with "SYSLOG::WARNING".
Here is some information about "table" and alertd.
http://devcentral.f5.com/wiki/iRules.table.ashx
http://devcentral.f5.com/Default.as...cleId=2375
http://devcentral.f5.com/wiki/AdvDe...eamon.ashx
Hope that helps.
Regards
Kurt Knochner
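The post's point that the check only runs when a connection arrives, so a total outage goes unnoticed until something else triggers the rule, can be tried out with a small model. This is an added Python example, not code from the original post: it imitates the per-source table with expiring entries instead of running on the load balancer, and the timeline, the probe address 10.1.1.254 and the seeded startup grace period are assumptions.

```python
# Added illustration: models a per-source table whose entries expire after a timeout.
# IPs, timeout and the event timelines are constructed sample values.
SOURCES = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]
TIMEOUT = 60  # seconds, same role as the table entry timeout


class HeartbeatTable:
    """Tracks when each source's entry expires; checks run only on a connection."""

    def __init__(self, sources, timeout, start=0):
        self.sources = sources
        self.timeout = timeout
        # Assumption: seed every source at start-up so there is one grace period.
        self.expires = {ip: start + timeout for ip in sources}

    def on_connection(self, client_ip, now):
        """Runs once per accepted connection; returns the sources seen as silent."""
        if client_ip in self.sources:
            # Refresh the sender first so it is never reported as silent itself.
            self.expires[client_ip] = now + self.timeout
        silent = [ip for ip in self.sources if self.expires[ip] <= now]
        for ip in silent:
            # Re-arm the entry so an outage is reported once per timeout period.
            self.expires[ip] = now + self.timeout
        return silent


def replay(events):
    """events: (time, client_ip) tuples in time order -> list of (time, silent_ip)."""
    table = HeartbeatTable(SOURCES, TIMEOUT)
    warnings = []
    for now, client_ip in events:
        warnings += [(now, ip) for ip in table.on_connection(client_ip, now)]
    return warnings


# Constructed timeline: all three sources report once, then every one goes quiet.
TRAFFIC = [(0, "10.1.1.1"), (1, "10.1.1.2"), (2, "10.1.1.3")]
# Probes every 30 s from a hypothetical self IP that is not a syslog source.
PROBES = [(t, "10.1.1.254") for t in range(30, 151, 30)]

if __name__ == "__main__":
    print("without probes:", replay(TRAFFIC))
    print("with probes:   ", replay(sorted(TRAFFIC + PROBES)))
```

Without the probe events the replay returns no warnings at all, although every source has been silent for far longer than the timeout; with them, each source is reported at the first probe after its entry expires.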