Forum Discussion

Gary_T_31565
Aug 09, 2007

Irule to external reporting tool

 

Hi,

New to F5 and an Ops guy (little ASP/SOAP experience). I have two new 3400s in production.

I would like to monitor HTTP failures using, let's say, MRTG (with threshold monitoring add-on). We use .NET/SOAP web services. HTTP 500 errors can mean one of our external business partners is trying to send a bad SOAP message, i.e. data is wrong. They are meant to deal with the 500s their end but are not. We have to tell them or they just loop. Each SOAP message is potentially worth £300 ($600) and needs to be acted on same day.

An F5 engineer during install suggested I could create a custom OID. I tried creating as a custom trap but failed to make config work. We do not use traps anyway so looking for something else. I do not understand or use iControl at the moment. We use syslog but not yet for BIG-IP. I need to take into account we use the HackerSafe service, so every 24 hours our web sites get attacked for an hour so could get hundreds of HTTP errors.

We are considering MOM anyway; not sure that can help here though. I believe I could use WMI to collect from each web server as there are objects such as TotalNotFoundErrors but not sure if there is a counter for 500s. Already use MRTG/WMI/IIS. I could also use MS logparser and look at the last 5 minutes of each server's log; I know this works with MRTG. Both these mean I have to connect to each server. As the BIG-IP (my iRule) already handles the error centrally, why take these approaches?

Any thoughts?

Example iRule

    when HTTP_RESPONSE {
        # $request, $retries and $client_ip are not set in this event;
        # they must be set in an earlier event (not shown).
        if {[HTTP::status] starts_with "4"} {
            set errorno [HTTP::status]
            if {$retries < [active_members WS_SSL_POOL]-1} {
                incr retries
                log "http error $errorno, retrying $retries"
                HTTP::retry $request
            } else {
                log "Max retries exceeded for http error $errorno -- $request"
            }
        }
        if {[HTTP::status] starts_with "5"} {
            set errorno [HTTP::status]
            set server_ip [IP::server_addr]
            log "client=$client_ip, server=$server_ip, $errorno -- $request"
        }
    }

3 Replies

  • Hello,

    You could make the log text a little more specific like this (assuming you're saving [HTTP::uri] to the $request variable in the HTTP_REQUEST event):

    log local0. "5xx response from [IP::client_addr] to [IP::server_addr] for request: $request"

    You could then add an entry to the user_alert.conf that looks for the string "5xx response" and generates a trap. The action for the trap could be an email alert. There are some solutions on AskF5 which detail this:

    Configuring custom SNMP traps

    Configuring SNMP trap alerts to send email notifications

    The solutions don't mention it, but I think you need to restart alertd to initialize the change:

    bigstart restart alertd

    I can try posting a more complete example in a bit.

    Aaron
  • Thanks. I considered this but it needs more thought to stop email floods. We use an external company, Scan Alert, to scan for weaknesses, which creates lots of errors. I could change my iRule to ignore "scanalert" in requests if error found.

    Still, we have no trap collector at the moment.
  • Deb_Allen_18
    Historic F5 Account
    You could consider using the stats profile to store an error counter as detailed in Joe's recent article on the topic:

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=66

    HTH

    /deb
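
Added example (not from any poster in this thread, and not F5 code): a Python script of the kind MRTG can call as an external target, counting the "5xx response" lines written by the log statement suggested in the first reply over the last five minutes and keeping scanner traffic in a separate series so scheduled scans do not trip the threshold. The syslog prefix, the sample lines, the scanner address, the rule name and the function names are assumptions; "scanalert" as a request marker follows the second reply.

```python
import re
from datetime import datetime, timedelta

# Message text is the log statement suggested in the thread; the syslog prefix
# before it (timestamp, host, rule name) is an assumed layout.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"5xx response from (?P<client>\S+) to (?P<server>\S+) "
    r"for request: (?P<request>.*)$"
)

def count_5xx(lines, now, window_minutes=5, scanner_ips=(), marker="scanalert"):
    """Return (business, scanner) 5xx counts for the window ending at `now`."""
    cutoff = now - timedelta(minutes=window_minutes)
    business = scanner = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other message, e.g. the 4xx retry lines
        try:
            ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if ts > now:  # syslog stamps carry no year: treat as last year
                ts = ts.replace(year=now.year - 1)
        except ValueError:
            continue  # date that does not exist in the assumed year
        if ts <= cutoff:
            continue
        # Scan traffic is counted separately rather than dropped, so it stays visible.
        if m["client"] in scanner_ips or marker in m["request"].lower():
            scanner += 1
        else:
            business += 1
    return business, scanner

def mrtg_lines(business, scanner, target="bigip-5xx"):
    """Format the four lines MRTG reads from an external script."""
    return f"{business}\n{scanner}\nunknown\n{target}\n"

# Constructed sample input: documentation addresses, hypothetical rule name.
PREFIX = "bigip1 tmm[1234]: Rule ws_rule <HTTP_RESPONSE>: "
SAMPLE = [
    f"Aug  9 14:01:30 {PREFIX}5xx response from 203.0.113.7 to 10.0.0.11 for request: /ws/Orders.asmx",
    f"Aug  9 14:03:05 {PREFIX}5xx response from 198.51.100.20 to 10.0.0.12 for request: /ws/Orders.asmx?scanalert=1",
    f"Aug  9 13:50:00 {PREFIX}5xx response from 203.0.113.7 to 10.0.0.11 for request: /ws/Orders.asmx",
    f"Aug  9 14:04:10 {PREFIX}5xx response from 198.51.100.21 to 10.0.0.11 for request: /default.aspx",
    f"Aug  9 14:04:30 {PREFIX}http error 404, retrying 1",
]
if __name__ == "__main__":
    print(mrtg_lines(*count_5xx(SAMPLE, datetime(2007, 8, 9, 14, 5), scanner_ips={"198.51.100.21"})), end="")
```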