Forum Discussion
Joe_Chapman_416
Nimbostratus
NimbostratusSplunk for F5 Networks LTM v11 iRule
Hello, I've been struggling to get Splunk for F5 networks working properly.Any help would be appreciated, I'm stuck!
http://splunk-base.splunk.com/apps/50944/splunk-for-f5-networks
There is an install guide that I've followed very closely. I think that the problem is with the iRule that they suggest:
when CLIENT_ACCEPTED {
set client [IP::client_addr]
}
when HTTP_REQUEST {
set vhost [HTTP::host]:[TCP::local_port]
set url [HTTP::uri]
set method [HTTP::method]
set http_version [HTTP::version]
set user_agent [HTTP::header "User-Agent"]
set tcp_start_time [clock clicks -milliseconds]
set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set req_elapsed_time 0
set virtual_server [LB::server]
if { [HTTP::header Content-Length] > 0 } then {
set req_length [HTTP::header "Content-Length"]
HTTP::collect $req_length
} else {
set req_length 0
}
if { [HTTP::header "Referer"] ne "" } then {
set referer [HTTP::header "Referer"]
} else {
set referer -
}
}
when HTTP_REQUEST_DATA {
set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
HTTP::release
}
when HTTP_RESPONSE {
set hsl [HSL::open -proto UDP -pool pool_syslog]
set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set node [IP::server_addr]:[TCP::server_port]
set status [HTTP::status]
if { [HTTP::header Content-Length] > 0 } then {
set response_length [HTTP::header "Content-Length"]
} else {
set response_length 0
}
HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
}
I cannot get this to work as designed and I think it's because we're on v11
BIG-IP 11.1.0 Build 1943.0 Final
Has anyone figured out how to send this information to a logging server via an iRule (as suggested)?
Thanks
-Joe
Joe_Chapman_416actually it seems to be working except for the HSL::open and HSL::send...
hooleylistCirrostratus
Hi Joe,
HSL must use a TMM switch port to send the messages. Do you have a route for the syslog server via a switch port (not the management port)?
Aaron- Joe_Chapman_416I have tried setting it up on the external address but the only data that's coming over appears to be from the health check
Jun 29 09:39:55 default send string
Jun 29 09:40:00 default send string
Jun 29 09:40:05 default send string
Am I missing something else here?
Thanks
-Joe 
nitassEmployee
i do not have splunk but i did capture packet and it seems hsl is working correctly. have you tried to capture packet to verify?
e.g.
tcpdump -i 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and port yyy
x.x.x.x is pool_syslog's pool member ip
yyy is pool_syslog's pool member port- Joe_Chapman_416I must have something setup incorrectly still...
I don't think this matters, but I should mention that I'm using the VMWare virtual appliance
Here's what my interfaces look like on the LB
LB-HOSTxxx (this is where my web servers talk to the F5)
eth0
eth0:mgmtxxx
external xxx (where my SNAT and VIP addresses are)
internalxxx(HA network for redundant F5 pair)
lo127.0.0.1
lo:1127.2.0.2
tmm0127.1.1.1
my pool_syslog server sits at 10.245.50.52 with a port of 514 then a UDP check is enabled on it
Then on my log host I just setup a new interface with an ip address of 10.245.50.52 on eth2
Performing a tcpdump of all traffic on eth2 on the log host just shows me the message that's coming through on the health check...
[root@LOG01 10.245.50.11] tcpdump -ieth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:00:31.318348 IP xxx.50236 > 10.245.50.52.syslog: [|syslog]
10:00:36.281836 IP xxx.50236 > 10.245.50.52.syslog: [|syslog]
so the two can definitely talk, but i think my HSL traffic must still be going somewhere else..
Thanks
-Joe 
boneyardMVP
as hoolio suggests, the members in the pool pool_syslog, do you reach them via a TMM switch port?- nitasswould you mind temporarily removing udp monitor from pool_syslog pool and generating some traffic to virtual (to trigger hsl) while running tcpdump again?
- Joe_Chapman_416Not at all.
If I turn off the UDP monitor I don't get any traffic flowing between the two and the tcpdump is empty... ping and telnet to port 514 are still successful though.
Isn't the external network outlined above part of a TMM switch port? or am I looking at that wrong? - nitasscan you run tcpdump on bigip instead?
e.g.
tcpdump -nni 0.0 udp port 514 - Joe_Chapman_416to be honest, I've changed so many items now that I don't 100% know what fixed it in the end, but it's all working now.
Thanks for your help, you definitely put me in the right direction to get this going!
Cheers!
-Joe