Forum Discussion
Extended logging to Splunk servers beyond Syslog & Analytic Profiles & iRules.
Splunk destination hosts are defined as Log publishers based on F5 configuration documentation. Splunk destination hosts are in a pool.
Splunk destination hosts are defined as log destinations. As this is APM there are actually 2 destinations defined. One is HSL, which is defined for the Splunk pool.
Another element is syslog instance that forwards to the HSL element.
Access policyies logging created. Access profiles created for each policy created.
Client SSL profiles also created for each instance.
So all syslog traffic is being sent to the Splunk destinations. In fact everything that is defined is sending logs to the Splunk destinations. However, since the beginning of this project the Splunk folks continue to maintain that they "are not seeing all the traffic we would expect to see."
The customer is asking that the F5's perform the heavy lifting in an attempt to avoid spending money on taps, port aggregators and a local flow collecter / netflow host / local Splunk logging host.
> The customer is asking that the F5's perform the heavy lifting in an attempt to avoid spending money on taps, port aggregators and a local flow collecter / netflow host / local Splunk logging host.
And you appear to be avoiding the fact that because of the privileged position of the BigIP in the packet flow, it is actually uniquely positioned to provide the requested per-connection data that is required, and looking for validation of that position. You are not going to get it here. People who use F5 devices are expecting to use them as a multipurpose tool to patch functionality holes in their network, and discovering that they can do so both capably and elegantly.
If you are dealing with HTTP virtuals or HTTPS virtuals with a client-side SSL profile, the BigIP (via iRules) has complete visibility into the layer-4 connection and layer-7 request/response, and can log all (or part) that information directly to a remote splunk server via High Speed Logging. For virtuals that work at layer-4 (ip-forwarding, performance layer-4, including passthrough TLS/SSL) you still have access to the layer-4 information in the same way.
If you are being asked to provide that sort of visibility from the F5 (without spend large amounts of additional money), you can. Of course, there is a performance cost when using irules, and you will need to monitor the application of logging irules to ensure that the device is not being pushed beyond it's capability.
If you want both visibility and service chaining, talk to F5 about SSL-Orchestrator.
Talk to your F5 Account team/F5 Sales. They can put you in touch with F5 Professional Services who are really good at that sort of thing.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com