Setting up F5 Telemetry Streaming with Splunk Cloud

As we automate more and more, having visibility into how your F5 infrastructure is running is even more important. F5 BIG-IP Telemetry Streaming can help gather and send all the telemetry data one could want to know, including syslog, device stats, and application stats, which is better than the typical syslog/SNMP configuration.

Setting up Telemetry Streaming can be really simple and rather complicated at the same time.  Over the years I've had a need to test and tweak telemetry for different scenarios. 

This article aims to provide a quick and simple walkthrough of how to set up F5 Telemetry Streaming with one of the more popular logging and analytics systems available, Splunk. Splunk Cloud Trials are great for quick and simple solution development in this manner.

https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/

This process should easily convert to most other logging and analytic platforms.

Let's get started!

1. Create a Splunk account

https://www.splunk.com/en_us/download/splunk-cloud.html

2. Deploy a Splunk Cloud instance

Once the cloud instance is deployed (takes about 120 seconds), you will get an email with the login details. Take note of these details, as they will be needed later in the setup.

 
 
3. Create an HTTP Event Collector to receive BIG-IP Telemetry Streaming data
 
An HTTP Event Collector is needed to allow the F5 Telemetry Streaming service to PUSH data into our Splunk Cloud instance.
 
 
a. Under Settings >> Data Inputs

 

b. Add a new HTTP Event Collector

 

c. Give it a name, click Next

 

 
 
d. No changes needed for input settings, click Review to continue, then Submit to finish
 
 
e. Click and copy this token for later use 
 

4. Test data input!

Using a bash prompt, let's test what we have so far.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/UsetheHTTPEventCollector#JSON_request_and_response

Update the FQDN using the 'Splunk Cloud Platform URL' from our email, and the Splunk Authorization token from setting up the HTTP Event Collector. Port 8088 is the default for the event collector, which runs next to the main management site on 443.

curl https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'

If successful, you should see this as a response

{"text": "Success", "code": 0}

 

5. Confirm data input test

Under Search & Reporting, update the search for our index and the most recent time range

index=*

last 15 minutes

Here we see the four test posts I made

 

 

 

F5 TMOS/TS configuration

1. Make sure TS is installed on the BIG-IP

    - https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/installation.html

    - https://f5devcentral.github.io/vscode-f5/#/

2. Post the following declaration

https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/declarations.html#specifying-proxy-settings-for-splunk-consumers

    - be sure to update the host (Splunk Cloud Platform URL) and passphrase.cipherText (HTTP Event Collector API key) to match the details we collected earlier (see our test curl)

{
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-telemetry-streaming/master/src/schema/latest/base_schema.json",
    "class": "Telemetry",
    "schemaVersion": "1.33.0",
    "My_System": {
        "class": "Telemetry_System",
        "systemPoller": {
            "interval": 60,
            "enable": true
        },
        "enable": true,
        "host": "localhost",
        "port": 8100,
        "protocol": "http",
        "allowSelfSignedCert": false
    },
    "My_Listener": {
        "class": "Telemetry_Listener",
        "port": 6514,
        "enable": true
    },
    "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Splunk",
        "host": "prd-p-xxxx.splunkcloud.com",
        "protocol": "https",
        "port": 8088,
        "allowSelfSignedCert": true,
        "format": "default",
        "passphrase": {
            "cipherText": "184ddab7-xxxx-xxxx-xxxx-d0f924364a96"
        },
        "enable": true,
        "compressionType": "gzip"
    }
}
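
A pre-flight check for the declaration above, as an added example that is not part of the original article or F5's tooling: it flags Splunk consumers that still carry the published placeholders, send the HEC token over plain http, or set allowSelfSignedCert to true. The function name preflight and the "xxxx" placeholder test are assumptions made for this example.

```python
import json

# Consumer object copied from the declaration above, placeholders included.
SAMPLE = json.loads("""{
  "class": "Telemetry",
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "Splunk",
    "host": "prd-p-xxxx.splunkcloud.com",
    "protocol": "https",
    "port": 8088,
    "allowSelfSignedCert": true,
    "passphrase": {"cipherText": "184ddab7-xxxx-xxxx-xxxx-d0f924364a96"}
  }
}""")


def preflight(declaration):
    """Return (object name, finding) pairs for each Splunk consumer."""
    findings = []
    for name, obj in declaration.items():
        # Top-level strings such as "class" and "schemaVersion" are not objects.
        if not isinstance(obj, dict):
            continue
        if obj.get("class") != "Telemetry_Consumer" or obj.get("type") != "Splunk":
            continue
        token = (obj.get("passphrase") or {}).get("cipherText", "")
        # Assumption: "xxxx" marks a value that was never filled in.
        if not token or "xxxx" in token.lower():
            findings.append((name, "passphrase.cipherText is empty or a placeholder"))
        if "xxxx" in str(obj.get("host", "")).lower():
            findings.append((name, "host is still a placeholder"))
        if obj.get("protocol") == "http":
            findings.append((name, "protocol is http: the HEC token is sent unencrypted"))
        if obj.get("allowSelfSignedCert") is True:
            findings.append((name, "allowSelfSignedCert is true: a self-signed "
                                   "certificate from the collector is accepted"))
    return findings


if __name__ == "__main__":
    for name, finding in preflight(SAMPLE):
        print(f"{name}: {finding}")
```

Run against the declaration as published, it reports three findings for My_Consumer: the two placeholders and the allowSelfSignedCert setting.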

 

After a couple of minutes you should start to see the telemetry flowing. Be sure to search the right index (index=*) and scope the time to the last 15 minutes.

 

EXPLORE ALL THE DATA!

To recap, this article provides a quick walkthrough of configuring Splunk Cloud and BIG-IP Telemetry Streaming. BIG-IP Telemetry Streaming is a comprehensive solution for capturing and shipping BIG-IP telemetry (syslog, device stats, and application stats) for deeper analysis.

Published May 17, 2023
Version 1.0
  • Hey, I've been trying to figure out how to get TS to log syslogs, the same data that I'd normally send via configuring TMSH "list sys syslog" settings. Your article mentions syslogs, but I can't find details on how to get that data packaged in with the rest that TS can send.