on 16-Oct-2022 17:00
Up to this point, all the “How I Did It” series installments have focused on F5’s flagship product, the BIG-IP. But not this time. For this installment I’ll turn my attention to F5’s latest offering, F5 Distributed Cloud (XC) Services. Specifically, I'll provide a brief overview of the concepts and steps required to enable log streaming from the F5 XC platform to third-party analytics and SIEM vendors.
Rather than including step-by-step instructions, I've included a video walkthrough of the configuration process. Hey, if a picture is worth a thousand words, then a video has to be worth, well…
F5 XC provides a global, cloud-native platform where customers can deploy, manage and secure their applications regardless of whether the application resides in a public cloud, in a private data center, or in a colocation facility (see below). It provides a variety of both ADN and CDN services.
Although the F5 XC console UI natively provides very good observability, many enterprises prefer to aggregate their telemetry from various sources and centralize visibility and analytics into a “single pane of glass”. To this end, the F5 XC platform includes the Global Log Receiver service.
There are a few different options for remote logging from the F5 XC platform: querying an F5 XC API logging endpoint, configuring a basic log receiver, or configuring the Global Log Receiver. A basic log receiver can be configured to send customer edge logs (Syslog format only) to either a TCP or UDP endpoint. In contrast, a Global Log Receiver can be configured to securely send logs to a variety of vendor-specific endpoints over HTTP(S).
The Global Log Receiver currently includes integrations with Splunk, Datadog, AWS S3, Azure Blob, and Azure Event Hubs. In addition, it includes a generic HTTP(S) configuration option. Additional vendor-specific integrations are currently being developed.
To ensure events are easily consumable across a variety of providers, the Global Log Receiver delivers events in JSON format. Delivering JSON-formatted logs ensures they are ready to be parsed, visualized, and analyzed.
Namespaces provide logical grouping and isolation of objects within a Distributed Cloud tenant. A Global Log Receiver can be configured to select events associated with the current namespace, events from all namespaces within an F5 XC tenant, or events from one or more specific namespaces.
Rather than walk you through the entire configuration, how about a movie? Click on the link (image) below for a brief walkthrough demo integrating the F5 Distributed Cloud (XC) Services platform with Splunk and Datadog.
F5 Distributed Cloud (XC) Services
F5 Distributed Cloud Services API Reference
Are there any user guides that describe the data format that the JSON events produce?
Hello, yes, there is information available on the output from the various logging profiles, and it can be found at https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/output-example.html.
In addition, you can view the output schema on GitHub at https://github.com/F5Networks/f5-telemetry-streaming/tree/master/examples/output.
Hope this helps,
Greg
Hi,
In addition to that, can you speak about the Customer Edge Log Receiver for an Edge Deployment? In addition to the logs you mention, we could need technical logs from a CE.
For example, in a Secure Mesh Site > Advanced Configuration > Logs Streaming: which kind of logs can we retrieve, from which interface (inbound or outbound), does it consume resources, etc.?
Best R.