Forum Discussion
Virtual Server Log Forward to Splunk
Thanks, Jason :)
I just prepared the configuration as below. Please revert with your kind suggestion on this.
1) Adding Splunk server as pool member.
Navigate to Local Traffic > Pools.
Click Create.
Name :- Splunk_HSL_Pool
IP address :- 10.10.10.10
Port :- 514
Click Finished.

2) Log Destination
Navigate to System > Logs > Configuration > Log Destinations.
Click Create.
Name field :- Splunk_HSL_logging
Type :- Remote High-Speed Log
Pool Name :- Splunk_HSL_Pool
Protocol :- HSL
Click Finished.

3) Log Format
Navigate to System > Logs > Configuration > Log Destinations.
Click Create.
Name :- Splunk_Logs
Type :- Splunk
Forward To :- Splunk_HSL_logging
Click Finished.

4) Publisher
Navigate to System > Logs > Configuration > Log Publishers.
Click Create.
Name :- Splunk_Publisher
Destinations :- Splunk_HSL_logging
Click Finished.

iRule for virtual server.
******************************
Go to -> Local Traffic - iRule
Name :- Splunk_logging
Copy and paste the code below.

    when CLIENT_ACCEPTED {
        # Capture connection details once per client connection
        set client_address [IP::client_addr]
        set vip [IP::local_addr]
        set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]
    }
    when HTTP_REQUEST {
        set http_host [HTTP::host]:[TCP::local_port]
        set http_uri [HTTP::uri]
        # The log line references $http_url and $http_referrer, so both are set here
        set http_url $http_host$http_uri
        set http_referrer [HTTP::header "Referer"]
        set http_method [HTTP::method]
        set http_version [HTTP::version]
        set virtual_server [LB::server]
        set http_user_agent [HTTP::header "User-Agent"]
        set http_content_type [HTTP::header "Content-Type"]
        set tcp_start_time [clock clicks -milliseconds]
        set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
        if { [HTTP::header Content-Length] > 0 } then {
            set req_length [HTTP::header "Content-Length"]
        } else {
            set req_length 0
        }
    }
    when HTTP_RESPONSE {
        # set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
        set node [IP::server_addr]
        set node_port [TCP::server_port]
        set http_status [HTTP::status]
        set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
        if { [HTTP::header Content-Length] > 0 } then {
            set res_length [HTTP::header "Content-Length"]
        } else {
            set res_length 0
        }
        # This replaces the TCP handle opened in CLIENT_ACCEPTED with a UDP one
        set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]
        HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"
    }

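To check what the iRule above actually delivers before searching in Splunk, this added example (not part of the original post, and not F5 or Splunk code) parses one line in the KEY=value layout of the `HSL::send` statement and reports missing, empty, repeated or badly quoted fields. The sample lines, addresses and the function name `parse_hsl_line` are constructed for illustration.

```python
import re

# Field names in the order the iRule's HSL::send line emits them (from the post).
FIELDS = ["CLIENT_IP", "VIP", "VIP_NAME", "SERVER_NODE", "SERVER_NODE_PORT",
          "HTTP_URL", "HTTP_VERSION", "HTTP_STATUS", "HTTP_METHOD",
          "HTTP_CONTENT_TYPE", "HTTP_USER_AGENT", "HTTP_REFERRER",
          "REQUEST_START_TIME", "REQUEST_ELAPSED_TIME", "BYTES_IN", "BYTES_OUT"]
KEY_RE = re.compile(r"(?:^|,)\s*(" + "|".join(FIELDS) + r")=")
# Constructed sample line (documentation addresses), shaped like the HSL::send string.
GOOD = ('<514> HSL, CLIENT_IP=192.0.2.10, VIP=198.51.100.5, VIP_NAME="/Common/app_pool", '
        'SERVER_NODE=10.0.0.21, SERVER_NODE_PORT=80, HTTP_URL=www.example.com:443/login, '
        'HTTP_VERSION=1.1, HTTP_STATUS=200, HTTP_METHOD=POST, '
        'HTTP_CONTENT_TYPE=application/json, '
        'HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)", '
        'HTTP_REFERRER="https://www.example.com/",REQUEST_START_TIME=2024/01/01 10:00:00,'
        'REQUEST_ELAPSED_TIME=12, BYTES_IN=42, BYTES_OUT=512\r\n')
TRUNCATED = GOOD[:GOOD.index(" AppleWebKit")]  # constructed: a record cut off in transit

def parse_hsl_line(line):
    """Return (fields, problems) for one line in the iRule's KEY=value format."""
    fields, problems = {}, []
    body = line.rstrip("\r\n")
    if "\r" in body or "\n" in body:
        problems.append("embedded line break")
    # Values such as User-Agent contain commas, so split on known keys, not on commas.
    hits = list(KEY_RE.finditer(body))
    for i, m in enumerate(hits):
        stop = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        key, value = m.group(1), body[m.end():stop].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in fields:
            problems.append(f"{key} appears more than once")  # keep the first value
            continue
        if '"' in value:
            problems.append(f"{key} contains a stray quote")
        fields[key] = value
    for key in FIELDS:
        if key not in fields:
            problems.append(f"{key} missing")
        elif not fields[key]:
            problems.append(f"{key} empty")
    return fields, problems

if __name__ == "__main__":
    for name, line in (("good", GOOD), ("truncated", TRUNCATED)):
        print(name, parse_hsl_line(line)[1])
```
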
Hi Jaspreet,
Amazing instructions above. I followed them step by step; thank you for the easy guide.
Can I ask, did the above work for you? Were you able to get logs regarding your virtual server?
I.e. connectivity etc.?
I am looking on Splunk and I can find any good data?