Useful F5 Log Queries
Introduction
If you work with F5 BIG-IP you maybe need to know for example when a cluster failover has happened or a user has done some changes.
The following will describe some useful F5 log queries which you can use on the F5 logs or any central syslog server you're sending the F5 logs to.
All possible F5 Log Messages can be found here:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html
F5 LTM Log Queries
Check in the Admin UI at System - Logs: Local Traffic
Research | Log Query |
---|---|
Show cluster switchover of a F5 BIG-IP
See here: 01340001 : HA Connection with peer %la:%d for traffic-group %s established 01340002 : HA Connection with peer %la:%d for traffic-group %s lost
|
HA Connection with peer
Example output:
|
TMM is very busy or is stalled.
See here: K10095: Error Message: Clock advanced by <number> ticks
Any value higher than 1000 does show a problem with too high load. |
Clock advanced by
Example output:
|
A Virtual Server is under high load
See here: 01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d
If the message shows multiple times there's maybe an attack going on or a high load on the Virtual Server. |
Syncookie counter
Example output:
|
Pool Member change
See here: 01010221 : Pool %s now has available members
The pool may have had no available members due to administrative action, monitors, connection limits, or other constraints on pool member selection. |
now has available members
Example output:
|
Status change detected on Pool
See here: 01070727 : "Pool %s member %s:%u monitor status up."
This message is logged when a status change is detected for the pool member. |
monitor status up
Example output:
|
Machine Boot or mcpd restart
See here: 01070427 : Initialization complete. The MCP is up and running
the mcpd process generates this message during the normal boot process after the configuration loads and mcpd reaches a running phase. Services are down when mcpd is restarted. |
The MCP is up and running
Example output:
|
F5 Audit Log Queries
Check in the Admin UI at System - Logs: Audit: List
Research | Log Query |
---|---|
Show which user has done changes |
transaction
Example output:
|
No Comments