Setting up F5 Telemetry Streaming with Splunk Cloud
As we automate more and more, having visibility into how your F5 infrastructure is running is even more important. F5 BIG-IP Telemetry Streaming can help gather and send all the telemtry data one could want to know, including syslog, device stats, and application stats, which is better than the typical syslog/snmp configuration.
Setting up Telemetry Streaming can be really simple and rather complicated at the same time. Over the years I've had a need to test and tweak telemetry for different scenarios.
This article aims to provide a quick and simple walk through of how to setup F5 Telemetry Streaming with one of the more popular logging and analytics systems available, Splunk. Splunk Cloud Trials are great for quick and simple solution development in this manner.
https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/
This process should easily convert to most other logging and analytic platforms.
Let's get started!
1. Create a Splunk account
https://www.splunk.com/en_us/download/splunk-cloud.html
2. Deploy a Splunk Cloud instance
Once the cloud instance is deployed (takes about 120 seconds), you will get an email with the login details. Take note of these details as they will be needed later in the setup
b. Add a new HTTP Event Collector
c. Give it a name, click next;
4. Test data input!
Using a bash prompt, let's test what we have so far.
Update the fqdn from the 'Splunk Cloud Platform URL' in our email, and the Splunk Authorization token from setting up the HTTP Event Collector. Port 8088 is default for the event collector running next to the main managemnt site on 443.
curl https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'If successful, you should see this as a response
{"text": "Success", "code": 0}
5. Confirm data input test
Under the Search & Reporting, update the search for our index and most recent time
index=*
last 15 minutes
Here we see the four test posts I made
F5 TMOS/TS configuration
1. Make sure TS is installed on the BIG-IP
- https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/installation.html
- https://f5devcentral.github.io/vscode-f5/#/
2. Post the following declaration
- be sure to update the host (Splunk Cloud Platform URL) and passphrase.ciphertext (HTTP Collector api key), to match the details we collected earlier (see our test curl)
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-telemetry-streaming/master/src/schema/latest/base_schema.json",
"class": "Telemetry",
"schemaVersion": "1.33.0",
"My_System": {
"class": "Telemetry_System",
"systemPoller": {
"interval": 60,
"enable": true
},
"enable": true,
"host": "localhost",
"port": 8100,
"protocol": "http",
"allowSelfSignedCert": false
},
"My_Listener": {
"class": "Telemetry_Listener",
"port": 6514,
"enable": true
},
"My_Consumer": {
"class": "Telemetry_Consumer",
"type": "Splunk",
"host": "prd-p-xxxx.splunkcloud.com",
"protocol": "https",
"port": 8088,
"allowSelfSignedCert": true,
"format": "default",
"passphrase": {
"cipherText": "184ddab7-xxxx-xxxx-xxxx-d0f924364a96"
},
"enable": true,
"compressionType": "gzip"
}
}
After a couple of minutes you should start to see the telemetry flowing. Be sure to search the right index (index=*) and scope the time for the last 15 minutes
EXPLORE ALL THE DATA!
To recap, this article provides a quick walk through of configuring Splunk Cloud and BIG-IP Telemetry Streaming. BIG-IP Telemetry Streaming is a comprehensive solution for capturing and shipping BIG-IP telemetry (syslog, device stats, and application stats) for deeper analysis.
