F5 Firepass not showing events from built-in searc...

remy06 · ‎08-02-2010

Hi,

I've Firepass sending logs to splunk server via udp 514. I've also installed F5 app but none of the built-in searches seems to display any events captured. (eg. F5 FirePass Connections by User)

Is there any thing wrong with the built-in searches?

How can I get it to show up under F5 app?

I also have linux servers sending via 514 and sourcetype as syslog. Thus when Firepass logs came in it is under syslog as well. How do I set its own "sourcetype = firepass" for example?

Thanks in advance.

jtf5splunk · ‎01-27-2011

If FirePass is the only source for udp:514 then you can specify the following in props.conf and restart the splunk server.

[source::udp:514]
sourcetype=firepass_log

If more sources are sending syslog to udp:514 then you can use regular expression to transform the sourcetype using FirePass's ip address (e.g., 192.168.1.253).

in transforms.conf add the following:

[firepass_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:192\.168\.1\.253)
FORMAT = sourcetype::firepass_log

in props.conf add the following:

[source::udp:514]
TRANSFORMS-firepasssoucetype = firepass_sourcetyper

Restart the splunk server. Hope this helps.

dooshiant · ‎03-12-2012

Hello,

I have edited transforms.conf and props.conf, but most of my data is not showing up in the F5 Access Dashboard.
For example I can only see 4 or 5 users in the Connections by User in the last 24 hours chart, but on the firepass, it shows that there was over a 100 connected in the same timeframe..

Thanks in advance

F5 Firepass not showing events from built-in searches

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio