Forum Discussion
Virtual Server Log Forward to Splunk
You can do that with HSL, all the pieces you need are in this article. Post back with some code fragments if you have any questions and we'll help you out!
Thanks, Jason :)
I just prepared the configuration as below. Please revert with your kind suggestion on this.
1) Adding Splunk server as pool member.
Navigate to Local Traffic > Pools
Click Create.
Name:-Splunk_HSL_Pool
IP address :-10.10.10.10
Port :-514
Click Finished.
2) Log Destination
Navigate to System > Logs > Configuration > Log Destinations .
Click Create.
Name field :- Splunk_HSL_logging
Type:- Remote High-Speed Log
Pool Name :- Splunk_HSL_Pool
Protocol :- HSL
Click Finished.
3) Log Format
Navigate to System > Logs > Configuration > Log Destinations .
Click Create.
Name:- Splunk_Logs
Type:- Splunk.
Forward To :- Splunk_HSL_logging
Click Finished.
4) Publisher
Navigate to System > Logs > Configuration > Log Publishers .
Click Create.
Name :- Splunk_Publisher
Destinations :-Splunk_HSL_logging.
Click Finished.
iRule for virtual server.
******************************
Go to -> Local Traffic -> iRule
Name:- Splunk_logging
Copy and paste the code below.
when CLIENT_ACCEPTED {
    # Connection-level values, captured once per client connection
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
    set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]
}
when HTTP_REQUEST {
    # Request-side values, saved for the log line built in HTTP_RESPONSE
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set virtual_server [LB::server]
    set http_user_agent [HTTP::header "User-Agent"]
    # http_referrer is used in the log line below, so it has to be set here
    set http_referrer [HTTP::header "Referer"]
    set http_content_type [HTTP::header "Content-Type"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    # set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    # This handle replaces the TCP one opened in CLIENT_ACCEPTED, so the line is sent over UDP
    set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]
    # HTTP_URL carries $http_uri, the variable set in HTTP_REQUEST
    HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_uri, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"
}
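A receiving-side check for the log line this iRule emits, as an added example that is not part of the original post: it parses one line in the `HSL::send` format above and rejects lines whose field sequence differs from the format string. The sample line, its addresses and the name `parse_hsl_line` are constructed for illustration.

```python
import re

# Field names, in order, from the HSL::send format string in the iRule above.
FIELDS = ("CLIENT_IP", "VIP", "VIP_NAME", "SERVER_NODE", "SERVER_NODE_PORT",
          "HTTP_URL", "HTTP_VERSION", "HTTP_STATUS", "HTTP_METHOD",
          "HTTP_CONTENT_TYPE", "HTTP_USER_AGENT", "HTTP_REFERRER",
          "REQUEST_START_TIME", "REQUEST_ELAPSED_TIME", "BYTES_IN", "BYTES_OUT")
INT_FIELDS = ("SERVER_NODE_PORT", "HTTP_STATUS", "REQUEST_ELAPSED_TIME",
              "BYTES_IN", "BYTES_OUT")
_HEADER = re.compile(r"^<(\d+)>\s*HSL")
# Split only where a comma is followed by a known key, so commas inside a
# URI or User-Agent value do not break the record apart.
_KEY = re.compile(r",\s*(" + "|".join(FIELDS) + r")=")

def parse_hsl_line(line):
    """Return the fields of one log line as a dict; raise ValueError if malformed."""
    line = line.rstrip("\r\n")
    header = _HEADER.match(line)
    if not header:
        raise ValueError("missing '<pri> HSL' prefix")
    parts = _KEY.split(line[header.end():])   # ['', key, value, key, value, ...]
    keys, values = tuple(parts[1::2]), parts[2::2]
    if parts[0].strip() or keys != FIELDS:
        # Missing, reordered or repeated keys: a truncated line, or a
        # client-supplied header value that itself contains ", KEY=".
        raise ValueError("unexpected field sequence: %r" % (keys,))
    record = {}
    for key, value in zip(keys, values):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]               # drop the quotes the iRule adds
        record[key] = int(value) if key in INT_FIELDS else value
    pri = int(header.group(1))
    record["PRI"] = pri
    record["PRI_IN_SYSLOG_RANGE"] = 0 <= pri <= 191   # facility*8 + severity
    return record

# Constructed sample line (not captured from a real BIG-IP).
SAMPLE = (
    '<514> HSL, CLIENT_IP=192.0.2.10, VIP=10.10.10.20, VIP_NAME="/Common/app_pool", '
    'SERVER_NODE=10.10.10.30, SERVER_NODE_PORT=80, HTTP_URL=/search?q=a,b, '
    'HTTP_VERSION=1.1, HTTP_STATUS=200, HTTP_METHOD=GET, HTTP_CONTENT_TYPE=, '
    'HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64) (KHTML, like Gecko)", '
    'HTTP_REFERRER="",REQUEST_START_TIME=2022/09/22 10:15:30,'
    'REQUEST_ELAPSED_TIME=12, BYTES_IN=0, BYTES_OUT=5120\r\n')

if __name__ == "__main__":
    for name, value in parse_hsl_line(SAMPLE).items():
        print(f"{name:22} {value}")
```

`PRI_IN_SYSLOG_RANGE` comes back false for the `<514>` prefix because a syslog priority is facility*8 + severity and cannot exceed 191.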
- Sep 22, 2022
Hi Jaspreet,
Amazing instructions above. I followed them step by step, thank you for the easy guide.
Can I ask, did the above work for you? Were you able to get logs regarding your virtual server?
I.e. connectivity etc.? I am looking on Splunk and I can find any good data?