
F5 script for recording the connection table

2025-01-17 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Today someone in the group asked about a situation where a user's concurrent business connections suddenly soared. F5 devices are deployed at sensitive points in the network, yet they have no ready-made function for automatically logging connection requests. When this happens, the user needs to see the connection table as it was at that moment, or at least know which IP addresses sent the large number of requests.

In the face of this situation, F5 basically has two options:

1. Attach an iRule to the VS (virtual server) that logs every TCP request, including the source address, source port, NAT address, NAT port, and the server it was distributed to. But recording these logs consumes a great deal of the device's performance. I remember one user who insisted on doing this and would not listen to any advice. The peak concurrency of his device was 12 million / s, which meant millions of log entries could be written in an instant. If you have to do it, write the situation down in an email so that the consequences are clear. I gave him the iRule and let him do it himself. Sure enough, the effect was immediate: one click on "Update" and the device went down.

2. Check the number of entries in the connection table at regular intervals; if it exceeds a threshold, record the current connection table, then filter and sort it by source address. I think this way is better: even with 12 million concurrent connections, displaying the connection table and filtering its contents is only somewhat slower and will not have much impact on the device.

```bash
#!/bin/bash

# Settings: connection-count threshold and where snapshots are written.
function define () {
    threshold=20000
    log_path=/tmp/f5_conn_log/
    user=`whoami`
}

# Require root and make sure the log directory exists.
function check () {
    if [ "$user" != root ]; then
        echo "Please use root user."
        exit 1
    fi
    if [ ! -d "$log_path" ]; then
        mkdir "$log_path"
    fi
}

# Every 300 seconds, count the lines of the connection table; above the
# threshold, save the full table plus the top 20 source addresses.
function gather () {
    while true
    do
        timestamp=`date +%Y%m%d_%H%M%S`
        num_conn=`tmsh show sys connection | wc -l`
        if [ "$num_conn" -gt "$threshold" ]; then
            tmsh show sys connection > "${log_path}${timestamp}.log"
            awk -F':' '{print $1}' "${log_path}${timestamp}.log" | sort -nr | uniq -c | sort -nr | head -20 >> "${log_path}${timestamp}_top.log"
        fi
        sleep 300
    done
}

function main () {
    define
    check
    gather
}

main
```

The script is an infinite while loop. When you use it, append & to run it in the background; it can also be set to start at boot.

Each capture produces two text files: one is the complete connection table, and the other is the top 20 obtained by filtering and sorting the connection table.

```
[root@F5:Active] f5_conn_log # cat 20160114_164101_top.log
   5841 192.168.1.7
   1674 192.168.1.104
   1462 164.115.20.151
    317 192.168.4.110
    274 192.168.4.84
    258 192.168.1.248
    257 192.168.4.13
    246 192.168.1.76
    214 192.168.1.85
    199 192.168.1.146
    183 192.168.1.120
    169 192.168.1.166
    165 192.168.1.134
    163 172.18.0.131
    161 192.168.1.115
    155 100.90.90.150
    153 192.168.1.6
    148 192.168.100.76
    142 172.18.0.107
    137 192.168.1.150
```
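As an added example (not part of the original article's script), these bash functions summarise a saved snapshot while counting only real connection rows, so header and footer lines do not skew the threshold or the top list, and they also show which pool member each source is being sent to. The row layout, the header/footer lines and all sample addresses are assumptions constructed for illustration; compare them with the `tmsh show sys connection` output on your own version.

```shell
#!/bin/bash
# Added example (not from the original post): summarise a saved snapshot.
# Assumed row layout of `tmsh show sys connection` (verify on your version):
#   client:port  virtual:port  snat:port  server:port  proto  idle  (tmm: N) ...

# Constructed sample snapshot (documentation addresses, not real traffic).
sample_snapshot() {
cat <<'EOF'
Sys::Connections
192.0.2.10:40001  203.0.113.5:443  10.1.1.1:40001  10.1.2.11:8443  tcp  2  (tmm: 0)  none
192.0.2.10:40002  203.0.113.5:443  10.1.1.1:40002  10.1.2.12:8443  tcp  1  (tmm: 1)  none
192.0.2.10:40003  203.0.113.5:443  10.1.1.1:40003  10.1.2.11:8443  tcp  0  (tmm: 0)  none
198.51.100.7:51000  203.0.113.5:443  10.1.1.1:51000  10.1.2.11:8443  tcp  9  (tmm: 1)  none
198.51.100.7:51001  203.0.113.5:80  10.1.1.1:51001  10.1.2.12:8080  tcp  4  (tmm: 0)  none
192.0.2.99:33333  203.0.113.5:80  10.1.1.1:33333  10.1.2.12:8080  tcp  7  (tmm: 1)  none
Total records returned: 6
EOF
}

# Keep only real connection rows: field 1 must be an IPv4 address (optionally
# with a %route-domain suffix) followed by :port. Header/footer lines drop out.
conn_rows() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(%[0-9]+)?:[0-9]+$/' "$1"
}

# Number of connections in the snapshot (the value a threshold should compare).
conn_count() { conn_rows "$1" | wc -l | tr -d ' '; }

# Top N client addresses, printed as "count address" (default N = 20).
top_sources() {
    conn_rows "$1" | awk '{ sub(/:[0-9]+$/, "", $1); n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2 | head -n "${2:-20}"
}

# Top N "client -> pool member" pairs, to see where one source is being sent.
top_pairs() {
    conn_rows "$1" | awk '{ sub(/:[0-9]+$/, "", $1); n[$1 " -> " $4]++ }
        END { for (p in n) print n[p], p }' | sort -k1,1nr -k2 | head -n "${2:-20}"
}

# Demo on the constructed snapshot.
demo() {
    local snap; snap=$(mktemp); sample_snapshot > "$snap"
    echo "connections: $(conn_count "$snap")"
    top_sources "$snap" 3
    top_pairs "$snap" 3
    rm -f "$snap"
}
demo
```

On a real device, pass one of the saved `${timestamp}.log` files as the first argument instead of the constructed sample.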
