Forum Discussion
Extended logging to Splunk servers beyond Syslog & Analytic Profiles & iRules.
Splunk destination hosts are defined as Log publishers based on F5 configuration documentation. Splunk destination hosts are in a pool.
Splunk destination hosts are defined as log destinations. As this is APM there are actually 2 destinations defined. One is HSL, which is defined for the Splunk pool.
Another element is syslog instance that forwards to the HSL element.
Access policies logging created. Access profiles created for each policy created.
Client SSL profiles also created for each instance.
So all syslog traffic is being sent to the Splunk destinations. In fact everything that is defined is sending logs to the Splunk destinations. However, since the beginning of this project the Splunk folks continue to maintain that they "are not seeing all the traffic we would expect to see."
The customer is asking that the F5's perform the heavy lifting in an attempt to avoid spending money on taps, port aggregators and a local flow collector / netflow host / local Splunk logging host.
- Simon_Blakely, Apr 29, 2020, Employee
> The customer is asking that the F5's perform the heavy lifting in an attempt to avoid spending money on taps, port aggregators and a local flow collector / netflow host / local Splunk logging host.
And you appear to be avoiding the fact that because of the privileged position of the BigIP in the packet flow, it is actually uniquely positioned to provide the requested per-connection data that is required, and looking for validation of that position. You are not going to get it here. People who use F5 devices are expecting to use them as a multipurpose tool to patch functionality holes in their network, and discovering that they can do so both capably and elegantly.
If you are dealing with HTTP virtuals or HTTPS virtuals with a client-side SSL profile, the BigIP (via iRules) has complete visibility into the layer-4 connection and layer-7 request/response, and can log all (or part of) that information directly to a remote splunk server via High Speed Logging. For virtuals that work at layer-4 (ip-forwarding, performance layer-4, including passthrough TLS/SSL) you still have access to the layer-4 information in the same way.
If you are being asked to provide that sort of visibility from the F5 (without spending large amounts of additional money), you can. Of course, there is a performance cost when using irules, and you will need to monitor the application of logging irules to ensure that the device is not being pushed beyond its capability.
If you want both visibility and service chaining, talk to F5 about SSL-Orchestrator.
Talk to your F5 Account team/F5 Sales. They can put you in touch with F5 Professional Services who are really good at that sort of thing.
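As an added example of the approach the reply describes (not code from the thread or from F5), here is an iRule that sends per-connection layer-4 data and per-request layer-7 data to the Splunk pool over High Speed Logging. The pool name splunk_hsl_pool and the key=value field names are assumptions; the HTTP_REQUEST/HTTP_RESPONSE events only validate on a virtual with an HTTP profile, so for a pure layer-4 virtual keep only the CLIENT_ACCEPTED and CLIENT_CLOSED events.

```tcl
# Added example, not the forum poster's or F5's own code.
# Assumes a pool "splunk_hsl_pool" containing the Splunk collectors and a
# Splunk sourcetype that extracts key=value pairs.
when CLIENT_ACCEPTED {
    # One HSL handle per connection; UDP is cheapest, -proto TCP also works.
    set hsl [HSL::open -proto UDP -pool splunk_hsl_pool]
    # Connection id ties the open, http and close events together in Splunk.
    set conn_id "[IP::client_addr]:[TCP::client_port]-[clock clicks]"
    set t_start [clock clicks -milliseconds]
    HSL::send $hsl "event=conn_open vs=[virtual name] conn=$conn_id src=[IP::client_addr] sport=[TCP::client_port] dst=[IP::local_addr] dport=[TCP::local_port] proto=[IP::protocol]\n"
}

when HTTP_REQUEST {
    # Layer-7 fields captured here, logged once the response status is known.
    set t_req [clock clicks -milliseconds]
    set method [HTTP::method]
    set uri [HTTP::uri]
    set host [HTTP::host]
}

when HTTP_RESPONSE {
    set resp_ms [expr {[clock clicks -milliseconds] - $t_req}]
    # URI, Host and User-Agent are attacker-controlled; quote them so they
    # stay a single field value in Splunk instead of spilling into new keys.
    HSL::send $hsl "event=http conn=$conn_id src=[IP::client_addr] host=\"$host\" method=$method uri=\"$uri\" status=[HTTP::status] ua=\"[HTTP::header "User-Agent"]\" resp_ms=$resp_ms\n"
}

when CLIENT_CLOSED {
    # Per-connection byte counts and duration: the data a flow collector
    # or netflow host would otherwise have to supply.
    set dur_ms [expr {[clock clicks -milliseconds] - $t_start}]
    HSL::send $hsl "event=conn_close conn=$conn_id bytes_in=[IP::stats bytes in] bytes_out=[IP::stats bytes out] dur_ms=$dur_ms\n"
}
```

Every HSL::send adds CPU and egress load per connection, so watch the virtual's CPU and the pool's UDP drop counters after deploying it, as the reply above advises.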