Unable to get anything other than SYSLOG events to...

evolutionxtinct · ‎01-04-2019

Hello,

Currently running F5 13.1.0, and Splunk Enterprise 7.1.2, i'm utilizing F5 Network s- Analytics (New) v1.0 App, and F5's Analytics Template v3.7.1.

When I enable Local System Logging (syslog) I get a slew of Syslog events from F5, all other events are not showing up. The only error I receive in /var/log/ltm is the following:

Jan  4 04:00:30 f5-n1 notice mcpd[5856]: 0107167d:5: Data publisher not found or not implemented when processing request (unknown request), tag (2901).
Jan  4 04:00:35 f5-n1 err scriptd[13853]: 014f0013:3: Script (/Common/Splunk-send_stats) generated this Tcl error: (script did not successfully complete: (01020036:3: The requested RADIUS Server (/Common/Splunk.app) was not found.     while executing "tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth"     invoked from within "lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0"     invoked from within "set obj [lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0]" line:41))

I know this might be a F5 issue but after going over the Deployment Guide, its pretty self explanatory.... I do have syslog events going into my F5 Index (f5-bigip) but the dashboard never shows any results, and my only events are syslog. I would like to be able to get Member Pools, ASM, GTM and LTM information into this tool if its feasible.

Any help would be much appreciated, thanks!

millinkan · ‎04-05-2020

@pzharyuk : Hey man , did u get this to work ..?? How was it resolved ..?? Kindly share ..!!

evolutionxtinct · ‎01-06-2019

@Nadhiyaa

If you run a TCPDUMP from the interface and you disable hat syslog do you also see no traffic generated?

pzharyuk · ‎01-18-2019

Thanks for posting this, I'm struggling with this as well. I initially set it up in our DEV splunk and even though the dashboards were not populating I was still getting useful logs like bigip.logs which includes application info, vips, etc... A week ago or so, I deployed the F5 app on our PRD HF and SH and now I only get syslog/snmp data. I tried moving it back to DEV splunk but it looks like the iApp just stopped parsing and forwarding the data properly. I will try the RC5 like you mentioned and see if it helps. If you have any additional info/updates, please share.

Nadhiyaa · ‎01-06-2019

I am facing the same issue . We have create a rule using F5 iapp .But only the syslog events are ingested .

evolutionxtinct · ‎01-15-2019

One thing F5 also suggested, is having the F5 Analytics profile applied to your Virtual Servers, that may also be another reason why its now working - the iApp RC5 is still the fix, just this is an additional thing to do.

evolutionxtinct · ‎01-15-2019

@Nadhiyaa

Wanted to give you an update, after working w/ ANM they had a engineer that worked w/ F5 development, the issue is with the F5 Analytics iApp v3.7.1, you will need to use v3.7.2RC5 when you download the bundle from F5, under analytics folder should be a Release Canidate folder, and it has this .tmpl file in there.

When I put this in place, I got a SLEW of data, but i'm finding that the Splunk F5 app dashboard panel, are using a search query of "UNDEFINED" so now i'm facing data not collecting in panels due to this.

Hope this helps you, good luck!

Unable to get anything other than SYSLOG events to come into Splunk from F5

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life