Today someone in the group asked about the following situation: a user's concurrent business connections suddenly soared, and the F5 device, which is deployed in a sensitive location, has no off-the-shelf feature for automatically logging connection requests. When this happens, the user needs to know what the connection table looked like at the time, or at least which IP addresses issued a large number of requests.
For this situation, F5 offers 2 basic options:
1. In the VS iRule, log every TCP request, including the original (source) address, the source port, the NAT-translated internal address and port, and which server the request was distributed to. But writing these logs consumes a great deal of device performance. I remember one user who insisted on doing this and would not listen no matter how he was advised. His device's concurrency peak was 12 million/s, which means it could be writing millions of log entries in an instant. I would not do it for him; I e-mailed him the situation and the consequences it would lead to, gave him the iRule, and told him to do it himself if he had to. Sure enough, the effect was immediate: as soon as he clicked "update", the device went down.
2. Check the number of connection table entries at regular intervals; if it exceeds a threshold, record the current connection table and filter and sort it by source address. I think this way is better: even with 12 million concurrent connections, showing the connection table and filtering its contents is only relatively slow and does not have much impact on the device.
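```bash
#!/bin/bash

# Settings: connection-count threshold and where snapshots are written
function define () {
    threshold=20000
    log_path=/tmp/f5_conn_log/
    user=$(whoami)
}

# Require root and make sure the log directory exists
function check () {
    if [ "$user" != root ]; then
        echo "please use root user."
        exit 1
    fi
    if [ ! -d "$log_path" ]; then
        mkdir -p "$log_path"
    fi
}

# Every 300 seconds, count connection table lines; above the threshold,
# save the full table plus the top 20 source addresses
function gather () {
    while true
    do
        timestamp=$(date +%Y%m%d_%H%M%S)
        num_conn=$(tmsh show sys connection | wc -l)
        if [ "$num_conn" -gt "$threshold" ]; then
            tmsh show sys connection > "${log_path}${timestamp}.log"
            # First ':'-separated field of each line is the source address
            awk -F ':' '{print $1}' "${log_path}${timestamp}.log" | sort -nr | uniq -c | sort -nr | head -20 >> "${log_path}${timestamp}_top.log"
        fi
        sleep 300
    done
}

function main () {
    define
    check
    gather
}

main
```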
The script is an infinite while loop. Run it in the background with &; it can also be set to start at boot.
Each capture produces 2 text files: one is the complete connection table, and the other is the top 20 source addresses filtered from it.
```
[[email protected]:active] f5_conn_log # cat 20160114_164101_top.log
5841 192.168.1.7
1674 192.168.1.104
1462 164.115.20.151
317 192.168.4.110
274 192.168.4.84
258 192.168.1.248
257 192.168.4.13
246 192.168.1.76
214 192.168.1.85
199 192.168.1.146
183 192.168.1.120
169 192.168.1.166
165 192.168.1.134
163 172.18.0.131
161 192.168.1.115
155 100.90.90.150
153 192.168.1.6
148 192.168.100.76
142 172.18.0.107
137 192.168.1.150
```
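As an added example (not part of the original post), the saved full-table file can be summarized offline, away from the device: each top source's share of all connections, and which virtual server and pool member a given source was sent to, without any per-request iRule logging. It assumes each connection row starts with client ip:port, virtual server ip:port, server-side source ip:port and pool member ip:port; the function names are hypothetical and the sample rows are constructed.

```shell
#!/bin/bash
# Added example: analyze a saved connection-table snapshot offline.

# Constructed sample in the ASSUMED row layout:
# client ip:port, virtual ip:port, server-side source ip:port, pool member ip:port, ...
sample_dump() {
cat <<'EOF'
Sys::Connections
192.168.1.7:50112  10.0.0.10:443  10.1.1.5:50112  10.1.1.21:8443  tcp  2  (tmm: 0)  none
192.168.1.7:50113  10.0.0.10:443  10.1.1.5:50113  10.1.1.22:8443  tcp  1  (tmm: 1)  none
192.168.1.7:50114  10.0.0.10:443  10.1.1.5:50114  10.1.1.21:8443  tcp  0  (tmm: 0)  none
192.168.1.70:41000  10.0.0.10:443  10.1.1.5:41000  10.1.1.21:8443  tcp  5  (tmm: 1)  none
192.168.1.104:33010  10.0.0.11:80  10.1.1.5:33010  10.1.1.31:80  tcp  9  (tmm: 0)  none
192.168.1.104:33011  10.0.0.11:80  10.1.1.5:33011  10.1.1.31:80  tcp  4  (tmm: 1)  none
Total records returned: 6
EOF
}

# top_sources FILE [N]: print "count share% source_ip" for the N busiest sources.
# Only rows whose first field is IPv4:port are counted, so the header and the
# "Total records" footer do not show up as fake sources.
top_sources() {
    LC_ALL=C awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
            split($1, a, ":"); count[a[1]]++; total++
        }
        END {
            for (ip in count)
                printf "%d %.1f%% %s\n", count[ip], 100 * count[ip] / total, ip
        }' "$1" | LC_ALL=C sort -k1,1nr -k3,3 | head -n "${2:-20}"
}

# targets_for FILE IP: print "count virtual -> pool_member" for one source.
# Matching on "IP:" keeps 192.168.1.7 from also matching 192.168.1.70.
targets_for() {
    LC_ALL=C awk -v ip="$2" '
        index($1, ip ":") == 1 { pair[$2 " -> " $4]++ }
        END { for (p in pair) printf "%d %s\n", pair[p], p }' "$1" |
        LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample
dump=$(mktemp)
sample_dump > "$dump"
top_sources "$dump" 3
targets_for "$dump" 192.168.1.7
rm -f "$dump"
```

On a real snapshot, pass the path of one of the timestamped .log files instead of the sample.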
This article is from the "rookie East" blog; please be sure to keep this source: http://radish.blog.51cto.com/5944322/1735052
F5 Record Connection Table script