Forum Discussion
3 Replies
- Mohamed_LrhaziAltocumulus
If audit logging is enabled, in version 11.4.0, I get this logged when I change an iRule:
Wed Mar 19 16:40:39 EDT 2014 ml623 45840903-2 RULE modified: name="/A/test-rule" definition="when HTTP_REQUEST { set test_file "test_file" set uri [HTTP::uri] if { $uri equals "/test" } { if { ! [ catch {set content [ifile get $test_file] } fid] } { HTTP::respond 200 content $content "Content-Type" "text/html" } else { HTTP::respond 200 content "$test_file Not Found" "Content-Type" "text/html" } } event disable }" ignore_verification=0
- John_Alam_45640Historic F5 Account
This solution article shows you how to send email triggered by a log message.
http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3667.html?sr=35995690
To customize the examples in the link above to alert on iRule changes you can use this alert config in /config/user_alert.conf
alert IRULE_CHANGE_NOTIFICATION "*//*" { email toaddress="demo@askf5.com" fromaddress="root" body="The iRule // was modified !" }
Replace and with real values.
The system sends this message to /var/log/ltm when an iRule is saved which will cause alertd to send you the email:
err mcpd[6534]: 01020066:3: The requested iRule (/Common/test) already exists in partition Common.
The log messages that Mohammed shows above are actually more reliable than this but, they would require changing more system files in order to force alertd to look into the /var/log/audit instead of /var/log/ltm.
HTH.
- John_Alam_45640Historic F5 Account
Sorry the system is not saving the changes.
Here are the customizations again:
alert IRULE_CHANGE_NOTIFICATION "*/Partition_name/irule_name*" { email toaddress="demo@askf5.com" fromaddress="root" body="The iRule /Partition_name/irule_name was modified !" }