Severals views in f5 accessdashboard for splunk a...

yossim · ‎10-29-2012

Hello forum,

I have a fresh install of splunk 4.3.4 with f5 access application version 1.1 which collect events ( focus on apm_log) from f5 version 11.2.

The challange is that some of the viewes q report are empty for example Auth Success vs. Failed is empty.

From more query it seems that the apm_log send minimal info and the otion to configure log level to info or debug is too much in term of vast amount of dta and performence.

Do you know what tweaks are required so the apm_log file in order to get user id , success/failed logins etcw ?

Regards,

Yossi Mor

davecroto · ‎10-29-2012

Create the IRule.

https://devcentral.f5.com/tutorials/tech-tips/big-ip-logging-and-reporting-toolkit-part-three

and

splunk/etc/apps/SplunkforF5Networks/Installing Splunk for F5 Big.pdf

splunk/etc/apps/SplunkforF5Networks/irule.txt

yossim · ‎10-29-2012

Hi davecroto,

Thanks for your quick answer.

I am not familier with irule ( not yet).

Also from inspectiong the apm log on the Big IP hardware it seems that nly minimal informaion is gathered so i have to confiigure the apm log file to provide more info.

regards,

Yossi Mor

Severals views in f5 accessdashboard for splunk are not are empty

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!