Useful F5 Log Queries

If you work with F5 BIG-IP you maybe need to know for example when a cluster failover has happened or a user has done some changes.

The following will describe some useful F5 log queries which you can use on the F5 logs or any central syslog server you're sending the F5 logs to.

Check in the Admin UI at System - Logs: Local Traffic

Research	Log Query
Show cluster switchover of a F5 BIG-IP	HA unit 1 state change Example output: Jul 22 21:19:04 bigip1 notice tmm1[11529]: 01340011:5: HA unit 1 state change: from 1 to 0.
TMM is very busy or is stalled. Also see here: K10095: Error Message: Clock advanced by <number> ticks Any value higher than 1000 does show a problem with too high load.	Clock advanced by Example output: Apr 8 16:12:59 bigip1 notice slot1 tmm[18639]: 01010029:5: Clock advanced by 103 ticks
A Virtual Server is under high load Also see here: 01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d If the message shows multiple times there's maybe an attack going on or a high load on the Virtual Server.	Syncookie counter Example output: Mar 21 09:24:33 bigip1 warning slot1 tmm1[20805]: 01010038:4: Syncookie counter 1500 exceeded vip threshold 1499 for virtual = 1.2.3.4:443

Check in the Admin UI at System - Logs: Audit: List

Research	Log Query
Show which user has done changes	transaction Example output: client tmui, user username@bigip1 - transaction #1067178-8 - object 0 - create { pool_member { pool_member_pool_name "/Common/pool_name" pool_member_node_name "/Common/node1" pool_member_port 9020 pool_member_inherit_profile 1 pool_member_update_status 1 pool_member_priority 0 pool_member_ratio 1 pool_member_conn_limit 0 pool_member_addr 1.2.3.4 } } [Status=Command OK]: