I ran across an F5 cluster that had issues with sending syslogs to our internal mail relay in order to get these logs via email. There were several issues I found.
First, test your SMTP and SNMP Traps config:
SMTP:
echo "SMTP Test Email" | mail -vs "Test email for KC" firstname.lastname@example.org
SNMP Traps:
logger -p local0.notice "01070638:5: Pool /Common/pool_one member /Common/192.168.10.1:80 monitor status down."
logger -p local0.notice "01070727:5: Pool /Common/me member /Common/192.168.10.1:80 monitor status up."
logger -p local0.notice "01070640:5: Node 18.104.22.168 monitor status down."
logger -p local0.notice "01070728:5: Node 22.214.171.124 monitor status up."
For me both were not working so I had to get the SMTP working first because I was getting an error. Below is the error I was getting:
[admin@F5-bigip1:Active:In Sync] ~ # echo "SMTP Test Email" | mail -vs "Test email for KC" email@example.com
send-mail: Cannot open localhost:25
Here’s the error in the log:
[admin@F5-bigip1:Active:In Sync] ~ # cat /var/log/maillog
Jan 4 09:52:45 F5-bigip1 err sSMTP: Unable to connect to "localhost" port 25.
Jan 4 09:52:45 F5-bigip1 err sSMTP: Cannot open localhost:25
Jan 4 12:24:01 F5-bigip1 err sSMTP: Unable to connect to "localhost" port 25.
Jan 4 12:24:01 F5-bigip1 err sSMTP: Cannot open localhost:25
Jan 4 12:33:40 F5-bigip1 err sSMTP: Unable to connect to "localhost" port 25.
Jan 4 12:33:40 F5-bigip1 err sSMTP: Cannot open localhost:25
Jan 4 12:33:50 F5-bigip1 err sSMTP: Unable to connect to "localhost" port 25.
Jan 4 12:33:50 F5-bigip1 err sSMTP: Cannot open localhost:25
So then I looked at the ssmtp.conf file:
[root@F5-bigip1:Active:In Sync] config # cat /etc/ssmtp/ssmtp.conf
# THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
# See the ssmtp.conf(5) man page for a more verbose explanation of the
# available options.
# The person who gets all mail for userids < 500
# Make this empty to disable rewriting.
# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and your mailhub is so named.
# Example for SMTP port number 2525
# Example for SMTP port number 25 (Standard/RFC)
# Example for SSL encrypted connection
# Where will the mail seem to come from?
# The full hostname
# Set this to never rewrite the "From:" line (unless not given) and to
# use that address in the "from line" of the envelope.
# Use SSL/TLS to send secure messages to server.
# Use SSL/TLS certificate to authenticate against smtp host.
# Use this RSA certificate.
# Get enhanced (*really* enhanced) debugging information in the logs
# If you want to have debugging of the config file parsing, move this option
# to the top of the config file and uncomment
I noticed the "mailhub=" was commented out. At the same time, I removed the comment for "FromLineOverride=" because I want to override this.
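A check for the condition described above, as an added example that is not from the original post or from F5: it reads an ssmtp.conf-style file and reports whether "mailhub=" and "FromLineOverride=" are active or commented out. The function names and the sample values are made up for illustration.

```shell
#!/bin/bash
# Added example (not F5 or sSMTP code): audit an ssmtp.conf-style file.

# Print the effective value of KEY in FILE: commented lines are ignored, the
# last active assignment wins, keys match case-insensitively (assumption).
# Returns non-zero when KEY has no active line.
ssmtp_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (tolower(k) == tolower(key)) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# Print findings for FILE; return status = number of problems found.
check_ssmtp() {
    file=$1; findings=0
    if ! hub=$(ssmtp_value "$file" mailhub) || [ -z "$hub" ]; then
        echo "FAIL: no active mailhub= line (commented out or missing)"
        findings=$((findings + 1))
    else
        case "${hub%%:*}" in
            localhost|127.*)
                echo "WARN: mailhub=$hub points back at this host"
                findings=$((findings + 1)) ;;
            *)  echo "OK: mailhub=$hub" ;;
        esac
    fi
    if flo=$(ssmtp_value "$file" FromLineOverride); then
        echo "OK: FromLineOverride=$flo"
    else
        echo "INFO: FromLineOverride= is commented out or missing"
    fi
    return "$findings"
}

# Constructed sample of the broken state (values are made up).
demo_conf=$(mktemp)
printf '%s\n' '# mailhub=mail.example.com:25' '#FromLineOverride=YES' > "$demo_conf"
check_ssmtp "$demo_conf" || true
rm -f "$demo_conf"
```

The file's header marks it as auto-generated, so re-run the check (for example `check_ssmtp /etc/ssmtp/ssmtp.conf`) after configuration changes to confirm a hand edit is still in place.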
After this, I was getting my test email alerts. So now onto the SNMP Traps. An important one for this is to make sure your OID & alert name match the OID & name that's in "cat /etc/alertd/alert.conf" or else it won't work. Below are my "alert.conf" settings and a PIC of the "alert.conf" you need to match. Notice the OID & name in there. They need to match. The consultant who set this before me created them with different names. You can do that if they're custom and you're not using the default values.
Below I just checked to see if the "MAILTO=" didn't have anything after the =.
grep -i mailto /etc/cron*
[admin@F5-bigip1:Active:In Sync] ~ # grep -i mailto /etc/cron*
grep: /etc/cron.d: Is a directory
grep: /etc/cron.daily: Is a directory
grep: /etc/cron.hourly: Is a directory
grep: /etc/cron.monthly: Is a directory
grep: /etc/cron.weekly: Is a directory