Hello forum,
I have a fresh install of Splunk 4.3.4 with the F5 access application version 1.1, which collects events (focus on apm_log) from F5 version 11.2.
The challenge is that some of the views/reports are empty; for example, Auth Success vs. Failed is empty.
From more queries it seems that the apm_log sends minimal info, and the option to configure the log level to info or debug is too much in terms of the vast amount of data and performance.
Do you know what tweaks are required to the apm_log file in order to get user ID, success/failed logins, etc.?
Regards,
Yossi Mor
Create the iRule.
https://devcentral.f5.com/tutorials/tech-tips/big-ip-logging-and-reporting-toolkit-part-three
and
splunk/etc/apps/SplunkforF5Networks/Installing Splunk for F5 Big.pdf
splunk/etc/apps/SplunkforF5Networks/irule.txt
Hi davecroto,
Thanks for your quick answer.
I am not familiar with iRule (not yet).
Also, from inspecting the apm log on the BIG-IP hardware it seems that only minimal information is gathered, so I have to configure the apm log file to provide more info.
Regards,
Yossi Mor