# Useful F5 Log Queries ### Introduction If you work with F5 BIG-IP you maybe need to know for example when a cluster failover has happened or a user has done some changes. The following will describe some useful F5 log queries which you can use on the F5 logs or any central syslog server you're sending the F5 logs to. All possible F5 Log Messages can be found here: [https://techdocs.f5.com/kb/en-us/products/big-ip\_ltm/releasenotes/related/log-messages.html](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html) ### F5 LTM Log Queries Check in the Admin UI at System - Logs: Local Traffic

Research	Log Query
*Show cluster switchover of a F5 BIG-IP* See here: [01340001 : HA Connection with peer %la:%d for traffic-group %s established](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01340001) [01340002 : HA Connection with peer %la:%d for traffic-group %s lost](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01340002)	*HA Connection with peer* Example output: > Apr 8 07:56:42 bigip1 err slot1 tmm3\[20728\]: 01340001:3: HA Connection with peer 1.2.3.4:32770 for traffic-group /Common/traffic-group-1 established.
*TMM is very busy or is stalled.* See here: [K10095: Error Message: Clock advanced by <number> ticks](https://my.f5.com/manage/s/article/K10095) Any value higher than 1000 does show a problem with too high load.	*Clock advanced by* Example output: > Apr 8 16:12:59 bigip1 notice slot1 tmm\[18639\]: 01010029:5: Clock advanced by 103 ticks
*A Virtual Server is under high load* See here: [01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01010038) If the message shows multiple times there's maybe an attack going on or a high load on the Virtual Server.	*Syncookie counter* Example output: > Mar 21 09:24:33 bigip1 warning slot1 tmm1\[20805\]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.4:443
*Pool Member change* See here: [01010221 : Pool %s now has available members](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01010221) The pool may have had no available members due to administrative action, monitors, connection limits, or other constraints on pool member selection.	*now has available members* Example output: > Apr 8 16:33:53 bigip1 notice slot1 tmm1\[18800\]: 01010221:5: Pool /Common/pool\_MyPool now has available members
*Status change detected on Pool* See here: [01070727 : "Pool %s member %s:%u monitor status up."](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01070727) This message is logged when a status change is detected for the pool member.	*monitor status up* Example output: > Apr 8 16:17:42 bigip1 notice slot1 mcpd\[5587\]: 01070727:5: Pool /Common/pool\_MyPool member /Common/\_auto\_1.2.3.4:443 monitor status up. \[ /Common/https\_Monitor: up \] \[ was down for 0hr:1min:59sec \]
*Machine Boot or mcpd restart* *See here:* [01070427 : Initialization complete. The MCP is up and running](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01070427) the mcpd process generates this message during the normal boot process after the configuration loads and mcpd reaches a running phase. *Services are down when mcpd is restarted.*	*The MCP is up and running* Example output: > notice mcpd\[<PID>\]: 01070427:5: Initialization complete. The MCP is up and running

### F5 Audit Log Queries Check in the Admin UI at System - Logs: Audit: List

Research	Log Query
*Show which user has done changes*	*transaction* Example output: > client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool\_member { pool\_member\_pool\_name "/Common/pool\_name" pool\_member\_node\_name "/Common/node1" pool\_member\_port 9020 pool\_member\_inherit\_profile 1 pool\_member\_update\_status 1 pool\_member\_priority 0 pool\_member\_ratio 1 pool\_member\_conn\_limit 0 pool\_member\_addr 1.2.3.4 } } \[Status=Command OK\]:

Research	Log Query
*Show cluster switchover of a F5 BIG-IP* See here: [01340001 : HA Connection with peer %la:%d for traffic-group %s established](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01340001) [01340002 : HA Connection with peer %la:%d for traffic-group %s lost](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01340002)	*HA Connection with peer* Example output: > Apr 8 07:56:42 bigip1 err slot1 tmm3\[20728\]: 01340001:3: HA Connection with peer 1.2.3.4:32770 for traffic-group /Common/traffic-group-1 established.
*TMM is very busy or is stalled.* See here: [K10095: Error Message: Clock advanced by <number> ticks](https://my.f5.com/manage/s/article/K10095) Any value higher than 1000 does show a problem with too high load.	*Clock advanced by* Example output: > Apr 8 16:12:59 bigip1 notice slot1 tmm\[18639\]: 01010029:5: Clock advanced by 103 ticks
*A Virtual Server is under high load* See here: [01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01010038) If the message shows multiple times there's maybe an attack going on or a high load on the Virtual Server.	*Syncookie counter* Example output: > Mar 21 09:24:33 bigip1 warning slot1 tmm1\[20805\]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.4:443
*Pool Member change* See here: [01010221 : Pool %s now has available members](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01010221) The pool may have had no available members due to administrative action, monitors, connection limits, or other constraints on pool member selection.	*now has available members* Example output: > Apr 8 16:33:53 bigip1 notice slot1 tmm1\[18800\]: 01010221:5: Pool /Common/pool\_MyPool now has available members
*Status change detected on Pool* See here: [01070727 : "Pool %s member %s:%u monitor status up."](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01070727) This message is logged when a status change is detected for the pool member.	*monitor status up* Example output: > Apr 8 16:17:42 bigip1 notice slot1 mcpd\[5587\]: 01070727:5: Pool /Common/pool\_MyPool member /Common/\_auto\_1.2.3.4:443 monitor status up. \[ /Common/https\_Monitor: up \] \[ was down for 0hr:1min:59sec \]
*Machine Boot or mcpd restart* *See here:* [01070427 : Initialization complete. The MCP is up and running](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01070427) the mcpd process generates this message during the normal boot process after the configuration loads and mcpd reaches a running phase. *Services are down when mcpd is restarted.*	*The MCP is up and running* Example output: > notice mcpd\[<PID>\]: 01070427:5: Initialization complete. The MCP is up and running