For a long time we had our F5 setup to email failed AD logins and email to myself and my manager. That seems to have stopeed about 2-3 weeks ago and we just realized this. I'm not exactly sure where this was setup and if any could assist I'd appreciate it. I am hoping that i wouldn't have to write a whole new Irule or anything since it was on previously.
Are You talking about AD authentication to a virtual server via APM policy or to the Bigip itself?
Actually, that sounds right. Policy, not to the bigIP itself i mean.
Then you are probably using email agent in an access-policy associated with this virtual server. And this agent is using a smtp configuration defined under system->configuration->device->smtp.
You should first look at the access policy under Access Policy > Access Profiles.
Open the visual policy editor and look for the email agent.
You could also check /var/log/apm or access policy reports and look for any errors there.
I checked the smtp and that tested ok so that's good. I checked the policies and don't see anything that references smtp in the access profiles. :-(
I think you're on the right track here though...i'll keep checking to see what else i can find.
thank you for the help thus far.
This is an example of what the emails looked like.
Oct 17 10:26:21 chf5a err apd: 01490107:3: 71b76aa1: AD module: authentication with 'USER' failed: Client 'USER@.COMPANY.COM' not found in Kerberos database, principal name: USER@.COMPANY.COM. Please verify Active Directory and DNS configuration. (-1765328378)
Does that example help in tracking down the policy?
Looking closer now i think we used to just have the syslog of the APM emailed to us. Not sure why all of a sudden that would stop.
I think You are on the right track with syslog ;)
Haven't done this myself but this should help: https://support.f5.com/csp/article/K13180
I did that KB and it seems like it accepted it but its still not sending emails out. There has to be some connection that needs to be established that is not in that article. That seems to just setup the SMTP portion, not actually start the sending of syslog