Forum Discussion

Roman_80473's avatar
Roman_80473
Icon for Nimbostratus rankNimbostratus
Jun 09, 2011

where does my iRule log to?

Hi folks,

 

 

I'm trying to figure out where does my iRile log to. I have a simple iRule attached to vserver on LTM 9.4.8:

 

 

when CLIENT_ACCEPTED {

 

Log messages to /var/log/ltm? (0=no, 1=yes)

 

log local0. "In client accepted ..."

 

}

 

 

When I run the traffic thru, I don't see any of the log files updated in /var/log/. If, I however, put smth stupid in the file, like log banana, /var/log/ltm gets updated with an error message:

 

[Invalid syslog level - bad facility: banana] [log banana. "In client accepted ..."]

 

 

The syslog-ng.conf has entry local0. which actually points to /var/log/ltm commented out. Might that be a reason?

 

 

Any help is appreciated.

 

Roman
dev
devops
iControl

7 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2011
    Hi Roman,

     

     

    The log command expects either just one parameter (the log message) or a valid syslog facility (local0 - local7). Can you post the syslog-ng.conf file in [ code ] [/ code ] blocks (without the spaces)?

     

     

    Aaron
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2011
    That's not actually commented out. It's just a comment on what the statement is being used to do. Your ltm logs should be logged locally and to the two remote syslog servers.

     

     

    Can you add a RULE_INIT event with the following code to test and check /var/log/ltm for the output:

     

     

    
when RULE_INIT {
   log local0. "Here"
}

     

     

    Aaron
  • Roman_80473's avatar
    Roman_80473
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2011
    Hi Aaron,

     

    Yep, I get "Here" in the ltm log as soon as I save the rule in the editor. However, if I go to the website which uses vserver, nothing is printed in that log. Am I doing smth wrong?

     

     

    Thanks Roman

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2011
    Is the virtual server under heavy load or are you just testing with single requests?

     

     

    The message from CLIENT_ACCEPTED might be getting throttled if there are a lot of repeated logs with the same message ID. Do you see messages like this in /var/log/ltm?

     

     

    mcpd[2239]: 01070727:6: Per-invocation log rate exceeded; throttling.

     

    mcpd[2239]: 01070638:6: Resuming log processing at this invocation; held 22 messages.

     

     

    sol10524: Error Message: Per-invocation log rate exceeded

     

    http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10524.html

     

     

    Aaron
  • Roman_80473's avatar
    Roman_80473
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2011
    It's dev server, so I doubt there's much traffic there. When I initially saved the rule, this is what I saw in ltm:

     

    Jun 10 14:59:05 tmm tmm[1850]: Rule : Here

     

    And that's it!

     

     

    I have a pool w few members on vserver, and iRule (with RULE_INIT and CLIENT_ACCEPTED events) shows as enabled. When I access website using vserver ip, I see the apps running, but I don't get my "Here" in /var/log/ltm. Does it print elsewhere, i.e. remote server like you've suggested?

     

     

    Thanks Roman
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2011
    I'm not sure what would cause this if the RULE_INIT log statement works with local0. and you see a runtime TCL error in /var/log/ltm when you change the syslog facility to something invalid. You might try opening a case with Support on this and ask them for help troubleshooting this.

     

     

    Aaron
  • Roman_80473's avatar
    Roman_80473
    Icon for Nimbostratus rankNimbostratus
    Jun 13, 2011
    I'll resort to support if I'm abs stuck. I wanted to debug the rule to see if it's actually being executed. I'll dig some more.

     

    Thanks for all your help.

     

    Roman