All Apps and Add-ons

Splunk Add-on for F5 BIG-IP: Can this add-on be used with a syslog server?

R_B
Path Finder

Hello. I'm fairly new to Splunk; I have been working on setting up a distributed environment at my office for the past 5 months or so, and I have taken the power user and admin classes. But, I'm still learning. Currently in our environment, we have a syslog server that receives syslogs from all of our network devices. On our syslog server, there is a folder for each network device with the folder name being the device's hostname. Inside each folder are .log files for each day, and the data for that device gets written to the .log file for that day.

I edited the inputs.conf file on the syslog server to monitor each folder and assign it a sourcetype equal to the device type. For example, all of our f5 devices are getting assigned sourcetype=f5. So basically, the network devices are forwarding their data to the syslog server, Splunk tags the data with the sourcetype I defined, and then does nothing else but forward it to the indexers.

This is good, but we want to use the Splunk Add-on for F5 BIG-IP with our data, especially since we will eventually set up Splunk Enterprise Security. So, my question is: can this add-on be used with F5 data that is being forwarded to a syslog server, or does the F5 devices have to forward their data directly to the indexers?

Thank you in advanced for any help!

0 Karma
1 Solution

gduggan1
Path Finder

You do not have to send the data from the f5 direct to your indexers. Keep sending data from the F5's to your syslog server. When defining your inputs.conf for the syslog data you set it to what you would like. See the link for predefined sourcetypes. Any system logs like ltm can be set to sourcetype f5:bigip:syslog. I would then deploy the F5 TA to the search heads or wherever else you need based on the following.

http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Install
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes

Tip. If you are sending HSL to the syslog server you should seperate this out using a filter on your syslog so that you can set that sourcetype seperately.

View solution in original post

jasoncal108
New Member

I am building a similar setup where our F5 sends logs to a syslog server catching the System logs, APM logs, and LTM logs and then having a UF.

For ingesting, you mentioned putting the source type as f5:bigip:syslog it sounds like for all the modules. Won't be difficult to distinguish between the logs having it organized like this?

0 Karma

gduggan1
Path Finder

You do not have to send the data from the f5 direct to your indexers. Keep sending data from the F5's to your syslog server. When defining your inputs.conf for the syslog data you set it to what you would like. See the link for predefined sourcetypes. Any system logs like ltm can be set to sourcetype f5:bigip:syslog. I would then deploy the F5 TA to the search heads or wherever else you need based on the following.

http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Install
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes

Tip. If you are sending HSL to the syslog server you should seperate this out using a filter on your syslog so that you can set that sourcetype seperately.

R_B
Path Finder

Thank you for the help! So another question with this too... if you don't use a heavy forwarder, you can use a universal forwarder instead, and the documentation says to install the app on the universal forwarder. The universal forwarder is on the syslog server, so does that mean the app needs to be installed on the syslog server?

0 Karma

gduggan1
Path Finder

You can but I don't think it is necessary to install it on the UF. If your UF is sending its output directly to indexers I would install it on them however.

Remember If you do install it on the UF you wont be able to use the iControl input function of the app.

R_B
Path Finder

oh I see... so ideally, in order to get the full use of the app, I would want to forward the data on the syslog server to the heavy forwarder with the F5 app, and then from the heavy forwarder forward the data to the indexers. Is that correct?

0 Karma

gduggan1
Path Finder

If it was me I would forward the data as follows:

UF (syslog data, no F5 TA installed) -> direct to indexers (install F5 TA on indexers)

HFA (install F5 TA and poll iControl) -> direct to indexers

R_B
Path Finder

Ok I see, that makes sense. Thank you for your help!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...