Since F5 has decided to divide up their app into 3 different ones (Access, Network, Security), it's getting hard to set up. On the F5 side, I'm only seeing the option to forward all logs to a specific port on Splunk. In my case it is port 10035.
On the Splunk side, here is what I have setup:
1) /opt/splunk/etc/apps/SplunkforF5Access/local/inputs.conf
2) /opt/splunk/etc/apps/SplunkforF5Networks/local/inputs.conf
3) /opt/splunk/etc/apps/SplunkforF5Security/local/inputs.conf
But now, I'm only getting logs under apm_log of access (doesn't really matter) and nothing else.
So I have a couple of questions:
You can leave your sourcetype as syslog and it will get transformed in props.conf:
[syslog]
TRANSFORMS-sourcetype=f5-dcfw,f5-syslog,f5-access
My input is like this:
[tcp://9515]
disabled = false
connection_host=ip
index = F5
sourcetype = syslog
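The answer above only shows the props.conf half of the sourcetype rewrite; the other half is a transforms.conf stanza per name in the TRANSFORMS-sourcetype list, each with a REGEX, a FORMAT of sourcetype::<name> and DEST_KEY = MetaData:Sourcetype. As an added example (not the poster's configuration and not the F5 app's), here is a small Python model of how Splunk walks that list for each incoming syslog event. The transforms.conf text, its REGEX values and the four sample log lines are constructed for this illustration and are not F5's real log formats; the model also assumes that transforms are applied in the listed order and that, when several match, the last one to write MetaData:Sourcetype wins, while an event that matches none keeps the sourcetype the input assigned.

```python
"""Added example: a model of Splunk's TRANSFORMS-sourcetype rewriting.

Not the F5 app's configuration and not the poster's. The transforms.conf
text and the log lines below are constructed for illustration only.
"""
import configparser
import re
from collections import Counter

# props.conf setting from the answer above: the transforms.conf stanzas that
# Splunk applies, in this order, to every event with sourcetype "syslog".
TRANSFORMS_SOURCETYPE = ["f5-dcfw", "f5-syslog", "f5-access"]

# Hypothetical transforms.conf. Stanza names match the props.conf list; the
# REGEX values are placeholders chosen for this example, not F5's real formats.
TRANSFORMS_CONF = r"""
[f5-dcfw]
REGEX = \bAFM\b
FORMAT = sourcetype::f5-dcfw
DEST_KEY = MetaData:Sourcetype

[f5-syslog]
REGEX = \btmm\d*\[\d+\]:
FORMAT = sourcetype::f5-syslog
DEST_KEY = MetaData:Sourcetype

[f5-access]
REGEX = \bapmd\[\d+\]:
FORMAT = sourcetype::f5-access
DEST_KEY = MetaData:Sourcetype
"""


def load_transforms(conf_text):
    """Parse transforms.conf text into {stanza: (compiled REGEX, new sourcetype)}.

    Only stanzas that rewrite MetaData:Sourcetype are kept; a FORMAT that is
    not of the form sourcetype::<name> is a configuration error."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX/FORMAT/DEST_KEY case as written
    cp.read_string(conf_text)
    rules = {}
    for name in cp.sections():
        stanza = cp[name]
        if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        fmt = stanza["FORMAT"]
        if not fmt.startswith("sourcetype::"):
            raise ValueError(f"{name}: FORMAT must be sourcetype::<name>, got {fmt!r}")
        rules[name] = (re.compile(stanza["REGEX"]), fmt.split("::", 1)[1])
    return rules


def rewrite_sourcetype(line, order, rules, initial="syslog"):
    """Apply the listed transforms, in order, to one raw line.

    Model assumption: every matching transform writes the new sourcetype, so
    when several match the last one listed wins; when none matches the event
    keeps the sourcetype the input assigned (here "syslog")."""
    sourcetype = initial
    for name in order:
        if name not in rules:
            raise KeyError(f"props.conf names transform {name!r} but transforms.conf lacks it")
        regex, new_sourcetype = rules[name]
        if regex.search(line):
            sourcetype = new_sourcetype
    return sourcetype


def route_lines(lines, order=TRANSFORMS_SOURCETYPE, conf_text=TRANSFORMS_CONF):
    """Return the final sourcetype for each line, in input order."""
    rules = load_transforms(conf_text)
    return [rewrite_sourcetype(line, order, rules) for line in lines]


def sourcetype_counts(lines, **kw):
    """Histogram of where the lines would land: a quick way to see whether a
    module's traffic is being matched by some transform or is staying syslog."""
    return dict(Counter(route_lines(lines, **kw)))


# Constructed sample lines; the format is illustrative, not captured from a BIG-IP.
SAMPLE_LINES = [
    "Jan  1 10:00:01 bigip1 notice apmd[1234]: constructed APM session event",
    "Jan  1 10:00:02 bigip1 info tmm1[5678]: constructed LTM traffic event",
    "Jan  1 10:00:03 bigip1 notice AFM: constructed firewall rule hit",
    "Jan  1 10:00:04 bigip1 info sshd[42]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for line, sourcetype in zip(SAMPLE_LINES, route_lines(SAMPLE_LINES)):
        print(f"{sourcetype:<10} {line}")
```

Running the block prints one sourcetype per sample line: the apmd, tmm and AFM lines land in f5-access, f5-syslog and f5-dcfw, and the sshd line, which matches nothing, stays syslog. The same walk with your own transforms.conf regexes and a handful of real lines from each F5 module is a cheap way to see which of the three apps' transforms are matching before looking at the indexer.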
I am not here yet with the F5 app, but hopefully soon we will be deploying it/them. Based on my experience with other work, consider this for your issues:
Is there a reason you cannot install the app(s) in their "normal mode"? It seems you are setting this up to customize it. True? Is there really value in that for you? Consider the long-term effect, particularly if someone else comes in behind you after you're long gone. How are they going to maintain this?