Forum Discussion
Joe_Chapman_416
Nimbostratus
NimbostratusSplunk for F5 Networks LTM v11 iRule
Hello, I've been struggling to get Splunk for F5 networks working properly.Any help would be appreciated, I'm stuck!
http://splunk-base.splunk.com/apps/50944/splunk-for-f5-networks
There is an install guide that I've followed very closely. I think that the problem is with the iRule that they suggest:
when CLIENT_ACCEPTED {
set client [IP::client_addr]
}
when HTTP_REQUEST {
set vhost [HTTP::host]:[TCP::local_port]
set url [HTTP::uri]
set method [HTTP::method]
set http_version [HTTP::version]
set user_agent [HTTP::header "User-Agent"]
set tcp_start_time [clock clicks -milliseconds]
set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set req_elapsed_time 0
set virtual_server [LB::server]
if { [HTTP::header Content-Length] > 0 } then {
set req_length [HTTP::header "Content-Length"]
HTTP::collect $req_length
} else {
set req_length 0
}
if { [HTTP::header "Referer"] ne "" } then {
set referer [HTTP::header "Referer"]
} else {
set referer -
}
}
when HTTP_REQUEST_DATA {
set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
HTTP::release
}
when HTTP_RESPONSE {
set hsl [HSL::open -proto UDP -pool pool_syslog]
set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set node [IP::server_addr]:[TCP::server_port]
set status [HTTP::status]
if { [HTTP::header Content-Length] > 0 } then {
set response_length [HTTP::header "Content-Length"]
} else {
set response_length 0
}
HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
}
I cannot get this to work as designed and I think it's because we're on v11
BIG-IP 11.1.0 Build 1943.0 Final
Has anyone figured out how to send this information to a logging server via an iRule (as suggested)?
Thanks
-Joe
GavinW_29074Joe
One quick thing to add from me.
We're using Splunk in our installation, with 2 pairs of F5 3900's in separate DC's.
Rather than relying on the Splunk built in syslog listener, we've installed syslog-ng, which allows you finer control over how to record logs, separate hosts, etc. We've then got Splunk configured to monitor those files on the local file-sys. There were some other benefits as well, but cant remember off the top of my head :)
This also means that we can restart Splunk without loosing any traffic data.
Oh, and one other thing...
I've created a second Splunk iRule for use with HTTPS VIPs, which adds the relevant SSL details to the Splunk log entries.
Can provide a copy if useful for you...
Cheers
Gavin
jbilbro_41390I'm having the exact same issue as nitass trying to get this setup on LTM v11 via the Splunk for F5 Networks included iRule. I see the health checks hitting Splunk (default send string) but nothing else, meaning it's not firewall related. I see usage on the iRule, but no usage on the syslog_pool. Anyone got any suggestions on troubleshooting this?
Thanks in advance,
-Jeff
hooleylistCirrostratus
Hi Jeff,
HSL must use a TMM switch port to send the messages. Do you have a route for the syslog server via a switch port (not the management port)?
Aaron- jbilbro_41390Thanks, you're right, that did the trick. Made a static route on a TMM switch port and all is well.
opers13_3280I'm running version 9.4.8 and also trying to get f5 & Splunk to work. I tried creating the same iRule and I get the following error.
If I remove the HSL lines from the irule I can save the irule but when I apply it to a VIP I'm not seeing any traffic on Splunk at all.
01070151:3: Rule [Splunk] error:
line 36: [undefined procedure: HSL::open] [HSL::open -proto UDP -pool pool_syslog]
line 47: [undefined procedure: HSL::send] [HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"]
If I remove the two lines that are causing the error I can save the iRule.
set hsl [HSL::open -proto UDP -pool pool_syslog]
HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
What_Lies_Bene1I think the HSL::open command needs to be present in the CLIENT_ACCEPTED event rather than where it is in the rule posted.- hooleylistHSL was added in 10.1:
https://devcentral.f5.com/wiki/iRules.hsl.ashx
You could log remotely in 9.4.x:
https://devcentral.f5.com/wiki/iRules.log.ashx
log -noname 1.1.1.1:514 local7.info "|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
Aaron - opers13_3280Aaron Thank You! it's working fine..so since the syslog IP is on the irule now do I still need my syslog-ng config?
- opers13_3280Posted By hoolio on 11/09/2012 09:06 AM
HSL was added in 10.1:
https://devcentral.f5.com/wiki/iRules.hsl.ashx
You could log remotely in 9.4.x:
https://devcentral.f5.com/wiki/iRules.log.ashx
log -noname 1.1.1.1:514 local7.info "|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
Aaron
Aaron,what you I have to do to change the logging server from UDP to TCP?
Thanks Alex
Mohamed_LrhaziAltocumulus
Maybe here: https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8259.html?sr=25334729