- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk for F5 (Access, Network, Security)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk for F5 (Access, Network, Security)
Since F5 has decided to divide up their app to 3 different ones (Access, Network, Security) it's getting hard to set it up. On the F5 side, I'm only seeing the option to forward all logs to a specific port on Splunk. In my case it is on port 10035.
On the Splunk side, here is what I have setup:
1) /opt/splunk/etc/apps/SplunkforF5Access/local/inputs.conf
- [udp://10035]
- connection_host = none
- sourcetype = apm_log
2) /opt/splunk/etc/apps/SplunkforF5Networks/local/inputs.conf
- [udp://10035]
- connection_host = none
- sourcetype = F5:AFM:Syslog
3) /opt/splunk/etc/apps/SplunkforF5Security/local/inputs.conf
- [udp://10035]
- connection_host = none
- sourcetype = asm_log
But now, I'm only getting logs under apm_log of access (doesn't really matter) and nothing else.
So I have a couple of questions:
- What are the correct sourcetypes that I need to use? since none of the preloaded dashboard work.
- How can I split these apps since I'm only allowed to send traffic through 1 port but need to distinguish between the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can leave your source type as syslog and it will get transformed in the props.conf
[syslog]
TRANSFORMS-sourcetype=f5-dcfw,f5-syslog,f5-access
My input is like this;
[tcp://9515]
disabled = false
connection_host=ip
index = F5
sourcetype = syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not here yet with the F5 app, but hopefully soon we will be deploying it/them. Based on my experience on other work, consider this for your issues:
- Look in the dashboard code, specifically at the searches, to see what you need to set as your sourcetypes.
- One way to do that is through transforms. And this may be what the app normally does. So look also in the props.conf and trasnforms.conf file(s) for code that takes in a "global" sourcetype and then uses something unique in each source's log data to identify it as data specific for that part of the app.
Is there a reason you cannot install the app(s) in their "normal mode"? Seems you are setting this up to customize it. True? Is there really value to that for you? Consider the long-term effect, particularly if it is someone else coming in behind you and you're long gone. How are they going to maintain this?
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
