Security

Splunk for F5 Networks - Anyone got it working?

fatmcgav
New Member

Hi there,

I'm trying to set up the above app as part of our F5 deployment...

I've installed the App, created the iRule - tweaking the pool name to be appropriate - and associated the iRule to the relevant VIPs...

I can see the log entries hitting the messages file on the splunk server, and can see the results in the search screen... However none of the F5 charts are populating...

All coming back with 'No results found'...

Any ideas?

Cheers
Gavin

0 Karma

cmeo
Contributor

This advice conflicts with the documentation I've seen, which specifies the following sourcetypes:

LTM product - ltm_log
Firepass - firepass_log
GTM product - gtm_log
APM product - apm_log
Packetfilter - packet_log

I tried using sourcetype F5_SPLUNK_iRULE and no events appeared in the apps. Furthermore, after looking at the saved searches in the apps, the above would seem to be what they use. So where does this other sourcetype come into the picture?

Which is correct for the current version of the apps? And if you have multiple products, do you have to set up each module to log to a different port? Otherwise, how do you get multiple sourcetypes from one data input?

There is a fair bit about setting this thing up that I don't get.

0 Karma

charlestips
Explorer

How do you have it associate that source type on the iRule?

0 Karma

fatmcgav
New Member

Not sure tbh... I split it out because it's then easier to separate the valid traffic data from the general syslog events...

Guess the other option is you could split the messages on priority using syslog-ng... And then set the iRule file up with a specific traffic type.

0 Karma

charlestips
Explorer

We currently have all of our network equipment syslogs sending to Splunk on UDP 514, and also our syslog function for our F5s sending via UDP 514. Can we not just tag the traffic coming in from our F5s as F5_SPLUNK_iRULE so that we don't have to send on a different port and open up that different port on all our firewalls? 514 is already open because it is our standard syslog port.

0 Karma

fatmcgav
New Member

Got it set up using syslog-ng...

Initially, set the F5 HSL logging pool to port 515, so it's separate from the standard syslog traffic. Then set up syslog-ng to listen on 515, and write out to a file. Had some fun and games getting the right msg template, but once that was sorted I could see the log entries being written.

I then set up the input in Splunk with a defined source type of F5_SPLUNK_iRULE... And hey presto, it's all working 🙂

Gav

0 Karma

fatmcgav
New Member

Ok, as a further update, I found that the issue was being caused by the syslog-ng config...

I'm now getting one entry per line, which is parsing nicely in the F5 Networks app...

Cheers for the pointers.

Regards
Gavin

0 Karma

fatmcgav
New Member

Ah, cheers for that hint... Didn't see it specified in the documentation anywhere...

Have made that change, and can see the contents being populated now... However I think I've found another issue...

I seem to be getting multiple log entries on one line... This is resulting in the F5 dashboard giving duff data back...

Not sure if this is a F5 issue or syslog-ng though :s

Gav

0 Karma
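The syslog-ng side of the set-up described in the posts above (F5 HSL logging pool pointed at UDP 515, syslog-ng writing the stream to a file, one event per line), as an added example that is not from this thread or from the Splunk app. The file path, the object names and the use of `flags(no-parse)` are assumptions; port 515 and the sourcetype F5_SPLUNK_iRULE come from the thread.

```conf
# Added example, not from the thread. Assumed: /var/log/f5/hsl.log, the
# s_/t_/d_ names, and flags(no-parse). Port 515 is the value used in the thread.

# Listen for the F5 HSL stream on its own port, kept apart from standard syslog on 514.
# no-parse writes whatever the iRule sends verbatim; drop it if your iRule already
# emits a full syslog header and you want syslog-ng to parse PRI/timestamp/host.
source s_f5_hsl {
    udp(ip(0.0.0.0) port(515) flags(no-parse));
};

# One record per line: the trailing "\n" in the template is the event separator.
# A custom template that omits it writes consecutive datagrams onto the same line,
# which the F5 app then sees as one malformed event (the "multiple entries on one
# line" symptom discussed above is one possible result of such a template).
template t_f5_line {
    template("${ISODATE} ${HOST} ${MSG}\n");
    template_escape(no);
};

destination d_f5_file {
    file("/var/log/f5/hsl.log" template(t_f5_line) create_dirs(yes));
};

log { source(s_f5_hsl); destination(d_f5_file); };
```

On the Splunk side the file is picked up with a `[monitor:///var/log/f5/hsl.log]` stanza in inputs.conf carrying `sourcetype = F5_SPLUNK_iRULE`, which is the sourcetype the app's searches are reported to expect in this thread. After a restart, `wc -l` on the file versus the event count in Splunk for the same window is a quick check that each line is landing as exactly one event.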

mbassettjr
Explorer

Do you have the events getting assigned the proper sourcetype?

sourcetype="F5_SPLUNK_iRULE"
