Forum Discussion

Dayal_141213
Jan 14, 2015

Is it possible to send out email alerts for all VS changes being made?

Hi All, I have a requirement where I need to get email alerts for changes being made on LTM vservers (create, modify and delete). I am trying to achieve this through the user_alert.conf. I have done the configuration for SMTP alerts and do have quite a few email alerts that are working fine. I have gone through the following threads as well.

https://support.f5.com/kb/en-us/solutions/public/3000/600/sol3667.html
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13180.html
https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html

What I am really worried about is whether the custom alert can be taken from the audit logs? I tried something like this, but it didn't work.

alert ltm_modified "modify { virtual_server" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.330";
   email toaddress=""
   fromaddress=""
   body="Virtual server modified."
}

Thanks for your help.

Cheers, D

2 Replies

  • Well, seems like I have reached a conclusion that the audit logs are not part of Syslog. The audit log format in the F5 shows the following fields:

    Timestamp : UserName : Transaction : Event

    contrary to the normal syslog fields:

    Timestamp : LogLevel : Host : Service : Status Code : Event

    I tried to log a message using the logger with priority:

    local0 and it went to ltm logs
    local1 and it went to em logs
    local2 and it went to gtm logs
    local3 and it went to asm logs
    local4 -- it should be going to apm (mine was not licensed)
    local5 and it went to pktfilter logs

    But I could not find anything logging under audit logs (local6 or local7).

    What is left is to try and trigger the same custom alert on ltm and see if it works.

  • You are correct, SELinux doesn't use syslog.

    You can tell it to but I can't find any information on it using a specific facility.

    Edit this file:

    /etc/audisp/plugins.d/syslog.conf

    and change

    active = no

    to

    active = yes

    I've no idea if a service restart is required.

    Assume this won't survive an upgrade or hotfix.
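
A sketch of the detection the question is after, added here as an example and not code from the thread or from F5: it parses lines in the four-field audit layout quoted in the first reply, flags create, modify and delete events on virtual servers, and builds the alert email. The sample lines, event text, status strings and addresses are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Constructed sample lines in the "Timestamp : UserName : Transaction : Event"
# layout described in the thread; real BIG-IP audit lines may differ.
SAMPLE = [
    'Jan 14 10:02:11 : admin : transaction #1001-2 : create { virtual_server { virtual_server_name "/Common/vs_web" } } [Status=Command OK]',
    'Jan 14 10:05:40 : operator1 : transaction #1002-1 : modify { virtual_server { virtual_server_name "/Common/vs_web" virtual_server_enabled 0 } } [Status=Command OK]',
    'Jan 14 10:06:02 : admin : transaction #1003-1 : modify { pool { pool_name "/Common/p_web" } } [Status=Command OK]',
    'Jan 14 10:09:15 : admin : transaction #1004-3 : delete { virtual_server { virtual_server_name "/Common/vs_old" } } [Status=Command OK]',
    'Jan 14 10:10:00 : guest : transaction #1005-1 : modify { virtual_server { virtual_server_name "/Common/vs_web" } } [Status=Access denied]',
    'Jan 14 10:11:00 bigip1 notice unrelated syslog-style line',
]

# Braces are escaped so they match literally instead of as regex quantifiers.
VS_CHANGE = re.compile(r'\b(create|modify|delete) \{ virtual_server \{.*?virtual_server_name "([^"]+)"')

def find_vs_changes(lines):
    """Return one record per audit line that creates, modifies or deletes a virtual server."""
    changes = []
    for line in lines:
        # Timestamps contain ':' themselves, so split on ' : ' and cap at four fields.
        parts = line.rstrip("\n").split(" : ", 3)
        if len(parts) != 4:
            continue  # not in the expected four-field layout
        timestamp, user, transaction, event = parts
        m = VS_CHANGE.search(event)
        if not m:
            continue  # some other object type, e.g. a pool
        status = re.search(r'\[Status=([^\]]+)\]', event)
        changes.append({
            "timestamp": timestamp, "user": user, "transaction": transaction,
            "action": m.group(1), "virtual_server": m.group(2),
            "status": status.group(1) if status else "unknown",
        })
    return changes

def build_alert(change, to_addr="netops@example.com", from_addr="bigip@example.com"):
    """Build (but do not send) an email for one change; addresses are placeholders."""
    msg = EmailMessage()
    msg["To"], msg["From"] = to_addr, from_addr
    msg["Subject"] = "Virtual server {action}: {virtual_server}".format(**change)
    msg.set_content("{timestamp} user={user} {transaction} status={status}\n".format(**change))
    return msg

if __name__ == "__main__":
    for c in find_vs_changes(SAMPLE):
        print(build_alert(c)["Subject"], "|", c["user"], "|", c["status"])
```

The status field is carried into the alert so that rejected attempts, such as the constructed "Access denied" line, are reported alongside successful changes.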