Forum Discussion
LTM logs(All events) to splunk using HSL
Hi guys, I need help in setting up HSL for BIG-IP logs. As F5 recommends, I have followed the procedure: create pool (log servers) -> log destination -> publisher -> filter.
Now the challenge we face is that we are seeing only the logs below in Splunk, but not the rest of the logs, such as mcpd, tmm, etc.
2014-11-14T03:12:46.247064-05:00 default send string
2014-11-14T03:12:46.805381-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:48.145854-05:00 10.X.X.2 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:48.805812-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:49.904306-05:00 default send string
Is there anything I'm missing?
8 Replies
- What_Lies_Bene1
Cirrostratus
Can you post more detail on your publisher and filter configurations please?
- Shiva14
Nimbostratus
HSL configuration:
Publisher:
name: Splunk-hsl
partition: Common
Destination: Splunk-formatted
Filters:
Name: Filter-splunk
partition: Commom
severity: informational
source: all
Message Id:
Log publisher: Splunk-hsl
- Hem_66900
Cirrus
Do you guys have any update on this one? Any insight on this one is greatly appreciated.
- Hem_66900
Cirrus
Any update on this one? I'm facing a similar issue as well.
- SDnath_82757
Nimbostratus
I have configured HSL and am forwarding logs to McAfee SIEM. I am also receiving similar errdefs_msgno="01260018:5: logs.
Any idea as to why only those logs?
- Hem_66900
Cirrus
It is a format issue and the SIEM is not interpreting it properly.
Assume the SIEM IP and port is x.x.x.x:514. Run the following tmsh commands:
1. Create pool
2. HSL log config
3. Syslog log config
4. Publisher
create ltm pool pool.HSLogging.SIEM members add { x.x.x.x:514 }
create sys log-config destination remote-high-speed-log SIEM_Server description SIEM_Server pool-name /Common/pool.HSLogging.SIEM protocol udp
create sys log-config destination remote-syslog SIEM_Filter description SIEM_Filter format rfc5424 remote-high-speed-log SIEM_Server
create sys log-config publisher Syslog_Publisher description Splunk_Publisher destinations add { SIEM_Filter }
Good luck !!!!
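The format mismatch described in this reply can be checked on the receiving side before touching the SIEM parser: capture a few lines from the publisher's UDP stream and classify them as RFC 5424 or as the bare key="value" output the original post shows. The following is an added example and not part of the thread or of any F5 tooling; the RFC 5424 sample lines are constructed (hostname, PROCID and the example@32473 structured-data ID are placeholders), the key="value" lines are taken from the original post.

```python
import re
from dataclasses import dataclass

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# What the original poster saw in Splunk: timestamp, BIG-IP source address and a
# comma-separated key="value" block, with no syslog PRI/VERSION header at all.
SPLUNK_KV_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<source>\S+) (?P<kv>\w+=\"[^\"]*\"(?:,\w+=\"[^\"]*\")*)$"
)

@dataclass
class LogLine:
    fmt: str      # "rfc5424", "splunk-kv" or "unknown"
    fields: dict

def parse_line(line: str) -> LogLine:
    """Classify one received line and pull out the fields a SIEM parser would key on."""
    line = line.rstrip("\r\n")
    m = RFC5424_RE.match(line)
    if m:
        f = m.groupdict()
        f["facility"], f["severity"] = divmod(int(f.pop("pri")), 8)  # PRI = facility*8 + severity
        return LogLine("rfc5424", f)
    m = SPLUNK_KV_RE.match(line)
    if m:
        f = {"timestamp": m["timestamp"], "source": m["source"]}
        f.update(re.findall(r'(\w+)="([^"]*)"', m["kv"]))
        return LogLine("splunk-kv", f)
    return LogLine("unknown", {"raw": line})

def classify_stream(lines) -> dict:
    """Count formats seen in a capture; a non-zero splunk-kv count explains SIEM drops."""
    counts: dict = {}
    for line in lines:
        fmt = parse_line(line).fmt
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts

# Constructed capture: lines 1 and 4 are from the thread, lines 2 and 3 are made-up RFC 5424 output.
SAMPLE_LINES = [
    '2014-11-14T03:12:46.805381-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"',
    "<134>1 2014-11-14T03:12:46.805381-05:00 bigip1.example.com tmm 12345 01260018 - TCP connection closed",
    '<134>1 2014-11-14T03:12:48.145854-05:00 bigip1.example.com mcpd - 01070417 '
    '[example@32473 errdefs_msgno="01070417:3:"] AUDIT - config change',
    "2014-11-14T03:12:46.247064-05:00 default send string",
]
```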
- SDnath_82757
Nimbostratus
The HSL configuration that I did is partially working. I have created a request logging profile and have modified the template in the HTTP request to fit the SIEM parser format and sequence, and that works like sweet candy using the TMM interface I configured and mapped to the new VLAN.
Now the problem is that I am not getting the system logs via HSL. I cannot see any audit log. In case I add the SIEM server as a remote syslog server, then I start receiving them, but I lose control as I cannot use my log filter because it is not using the HSL.
I had raised an F5 case. There is something which is still not triggering the system logs through the HSL TMM interface.