Useful F5 Log Queries

If you work with F5 BIG-IP you maybe need to know for example when a cluster failover has happened or a user has done some changes.

The following will describe some useful F5 log queries which you can use on the F5 logs or any central syslog server you're sending the F5 logs to.

Check in the Admin UI at System - Logs: Local Traffic

Research	Log Query
Show cluster switchover of a F5 BIG-IP	HA unit 1 state change Example output: Jul 22 21:19:04 bigip1 notice tmm1[11529]: 01340011:5: HA unit 1 state change: from 1 to 0.
TMM is very busy or is stalled. Also see here: K10095: Error Message: Clock advanced by <number> ticks Any value higher than 1000 does show a problem with too high load.	Clock advanced by Example output: Apr 8 16:12:59 bigip1 notice slot1 tmm[18639]: 01010029:5: Clock advanced by 103 ticks

Check in the Admin UI at System - Logs: Audit: List

Research	Log Query
Show which user has done changes	transaction Example output: client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool_member { pool_member_pool_name "/Common/pool_name" pool_member_node_name "/Common/node1" pool_member_port 9020 pool_member_inherit_profile 1 pool_member_update_status 1 pool_member_priority 0 pool_member_ratio 1 pool_member_conn_limit 0 pool_member_addr 1.2.3.4 } } [Status=Command OK]: