# Useful F5 Log Queries

### Introduction

If you work with F5 BIG-IP you maybe need to know for example when a cluster failover has happened or a user has done some changes.

The following will describe some useful F5 log queries which you can use on the F5 logs or any central syslog server you're sending the F5 logs to.

### F5 LTM Log Queries

Check in the Admin UI at System - Logs: Local Traffic

<table class="table-striped" id="bkmrk-research-smartlog-qu"><tbody><tr><th scope="col">Research</th><th scope="col">Log Query</th></tr><tr><td>Show cluster switchover of a F5 BIG-IP</td><td>***<span class="t">HA</span> <span class="t">unit</span> <span class="t">1</span> <span class="t a"><span class="t">state</span></span> <span class="t"><span class="t a h">change</span></span>***

> <span class="t"><span class="t a h">Example output:</span></span>
> 
> <span class="t"><span class="t a h">Jul 22 21:19:04 bigip1 notice tmm1\[11529\]: 01340011:5: HA unit 1 <span class="t a">state</span> <span class="t a">change</span>: from 1 to 0.</span></span>

</td></tr></tbody></table>

### F5 Audit Log Queries

Check in the Admin UI at System - Logs: Audit: List

<table class="table-striped" id="bkmrk-research-smartlog-qu-1"><tbody><tr><th scope="col">Research</th><th scope="col">Log Query</th></tr><tr><td>Show which user has done changes</td><td>***<span class="t">transaction</span>***

> <span class="t">Example output:</span>
> 
> <span class="t">client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool\_member { pool\_member\_pool\_name "/Common/pool\_name" pool\_member\_node\_name "/Common/node1" pool\_member\_port 9020 pool\_member\_inherit\_profile 1 pool\_member\_update\_status 1 pool\_member\_priority 0 pool\_member\_ratio 1 pool\_member\_conn\_limit 0 pool\_member\_addr 1.2.3.4 } } \[Status=Command OK\]:</span>

</td></tr></tbody></table>