Forum Discussion

roachet's avatar
roachet
Icon for Nimbostratus rankNimbostratus
Apr 26, 2020

Extended logging to Splunk servers beyond Syslog & Analytic Profiles & iRules.

What has been configured to date.   All syslog traffic is being sent to Splunk destination hosts. The Splunk hosts are external and have to transverse the WAN to eventual destination.  AVR has be...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Apr 28, 2020

You might start with a Request Logging Profile:

 

AskF5 | Manual Chapter: Configuring Request Logging

 

Also look at

 

Adding the body of requests/responses to the data being logged to Splunk via iRule.

 

which has a pretty comprehensive irule for sending detailed information formatted for Splunk (ignoring the attempt to send the payload).

 

> I personally do not believe that the F5’s should be part of Cyberfusions security suite relative to the detailed information that is being requested to be sent externally.

 

In many cases, the BigIP is supplying required information (such as client IP) via headers and other insertions, and so the logging on webservers should be configured to use things like X-Forwarded-For as the client IP address.