Splunk for F5 Networks LTM v11 iRule
http://splunk-base.splunk.com/apps/50944/splunk-for-f5-networks
There is an install guide that I've followed very closely. I think that the problem is with the iRule that they suggest:
when CLIENT_ACCEPTED {
    # Client IP is captured once per TCP connection and reused for every request on it
    set client [IP::client_addr]
}
when HTTP_REQUEST {
    # Request-side fields; these variables are read again in HTTP_RESPONSE
    set vhost [HTTP::host]:[TCP::local_port]
    set url [HTTP::uri]
    set method [HTTP::method]
    set http_version [HTTP::version]
    set user_agent [HTTP::header "User-Agent"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set req_elapsed_time 0
    set virtual_server [LB::server]
    # Only collect a body when Content-Length is present and numeric; a missing header
    # returns "" and a non-numeric value would make the comparison throw a Tcl error.
    if { [string is integer -strict [HTTP::header "Content-Length"]] && [HTTP::header "Content-Length"] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
        # HTTP::collect buffers the whole request body in TMM so that HTTP_REQUEST_DATA
        # can time its arrival; large uploads consume memory in proportion to their size.
        HTTP::collect $req_length
    } else {
        set req_length 0
    }
    if { [HTTP::header "Referer"] ne "" } then {
        set referer [HTTP::header "Referer"]
    } else {
        set referer -
    }
}
when HTTP_REQUEST_DATA {
    # Fires once the collected body has arrived: elapsed time from first request byte to last
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    HTTP::release
}
when HTTP_RESPONSE {
    # High-Speed Logging handle to the syslog pool (UDP); pool_syslog must exist on the BIG-IP
    set hsl [HSL::open -proto UDP -pool pool_syslog]
    set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]:[TCP::server_port]
    set status [HTTP::status]
    if { [string is integer -strict [HTTP::header "Content-Length"]] && [HTTP::header "Content-Length"] > 0 } then {
        set response_length [HTTP::header "Content-Length"]
    } else {
        set response_length 0
    }
    # <190> is syslog PRI local7.info. Fields are pipe-delimited; note that URI, User-Agent and
    # Referer are client-supplied and are not escaped here, so a literal "|" in any of them
    # shifts every later field when the line is parsed on the Splunk side.
    HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
}
I cannot get this to work as designed, and I think it's because we're on v11:
BIG-IP 11.1.0 Build 1943.0 Final
Has anyone figured out how to send this information to a logging server via an iRule (as suggested)?
Thanks
-Joe
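Added example, not part of the original post or the Splunk app: a receiver-side parser for the pipe-delimited line the iRule's HSL::send emits, which also separates the pool monitor's "default send string" probe (discussed further down the thread) from real access records and flags lines whose field count is off because a client-supplied value contained a "|". The sample lines are constructed.

```python
import re

# Field order exactly as in the iRule's HSL::send string (after the "<PRI>|" prefix).
FIELDS = ["vhost", "client", "method", "url", "http_version", "user_agent",
          "referer", "req_start_time", "req_length", "req_elapsed_time",
          "node", "status", "resp_start_time", "response_length", "virtual_server"]
NUMERIC = ("req_length", "req_elapsed_time", "status", "response_length")
PRI_RE = re.compile(r"^<(\d{1,3})>\|(.*)$")

def parse_hsl_line(line):
    """Parse one iRule log line into a dict; None if it lacks the <PRI>| prefix."""
    m = PRI_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    rec = {"facility": pri // 8, "severity": pri % 8}   # <190> = local7.info
    parts = m.group(2).split("|")
    if len(parts) != len(FIELDS):
        # URI, User-Agent and Referer are not escaped by the iRule, so a stray "|"
        # shifts every later field. Keep the raw text instead of mis-assigning fields.
        rec["parse_error"] = f"expected {len(FIELDS)} fields, got {len(parts)}"
        rec["raw"] = m.group(2)
        return rec
    rec.update(zip(FIELDS, parts))
    for k in ("url", "referer"):            # iRule wraps these two in literal quotes
        v = rec[k]
        if len(v) >= 2 and v[0] == v[-1] == '"':
            rec[k] = v[1:-1]
    try:
        for k in NUMERIC:
            rec[k] = int(rec[k])
    except ValueError as e:
        rec["parse_error"] = f"non-numeric field: {e}"
    return rec

def classify(line):
    """Return (kind, record): monitor_probe, access, malformed or other."""
    if "default send string" in line:       # UDP health monitor payload hitting port 514
        return ("monitor_probe", None)
    rec = parse_hsl_line(line)
    if rec is None:
        return ("other", None)
    return ("malformed" if "parse_error" in rec else "access", rec)

# Constructed sample input: a clean record, one with a "|" inside the User-Agent,
# and the monitor probe line quoted in the thread.
SAMPLE = [
    '<190>|www.example.com:443|203.0.113.7|GET|"/login?u=1"|HTTP/1.1|Mozilla/5.0|"-"|'
    '2014/02/06 16:39:55|0|0|10.0.0.5:8080|200|2014/02/06 16:39:55|512|/Common/vs_web',
    '<190>|www.example.com:443|203.0.113.9|GET|"/"|HTTP/1.1|evil|agent|"-"|'
    '2014/02/06 16:40:01|0|0|10.0.0.5:8080|200|2014/02/06 16:40:01|12|/Common/vs_web',
    'Feb 06 16:39:55 default send string',
]
```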
- Hem_66900 (Cirrus)
Guys, I was able to send syslogs to Splunk via the following:
1. iRule via HSL statements.
2. "tmsh create sys syslog" -> plain syslog server.
However, when I try to set up HSL logging through log publishers, it is giving the below logs in Splunk. Basically we want to send /var/log/ltm logs to Splunk using the below solution article. https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/dns-dos-firewall-implementations-11-6-0/13.html?sr=43696953
Error message:
Feb 06 16:39:55 default send string
- Christopher_Ach (Nimbostratus)
From memory, the "default send string" message is from the monitor set up on the pool.
What monitor are you using? Check that. Are you sending to syslog UDP 514? Use either an ICMP or UDP mon for this.
Chris
- Hem_66900 (Cirrus)
Using UDP monitor.
- Christopher_Ach (Nimbostratus)
Can you please re-explain your issue?
Are you saying you are not getting the syslog stream into the Splunk forwarder, and the only message you're getting to Splunk is the "default send string"?
Chris
- Hem_66900 (Cirrus)
That is correct.