Forum Discussion

kris_52344's avatar
kris_52344
Icon for Nimbostratus rankNimbostratus
Apr 12, 2010

ASM & Splunk integration

hi,

 

 

i have installed & configure Splunk for F5, able to get LTM self-ip, source-ip etc. logs on splunk server. So, kindly provide any document or help to integrate ASM with Splunk? does it requires iRule to be configured on ASM?

 

 

Thank You! in advance...
APM
app sec
security

8 Replies

Sort By
  • AaronJB's avatar
    AaronJB
    Icon for SIRT rankSIRT
    Apr 12, 2010
    You won't need any iRules to log out to a Splunk server from ASM, what you will need to do is configure a Remote Logging Profile with the relevant options and assign it to your ASM Web Application. There are some sections in the relevant Configuration Guides for ASM which describe this:

     

     

    For v9.4.5-9.4.8:

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_sys_mgmt.html1028448

     

     

    For v10.x:

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_sys_mgmt.html1028448

     

     

    Aaron
  • Wagner_Bianchi_'s avatar
    Wagner_Bianchi_
    Icon for Nimbostratus rankNimbostratus
    May 03, 2013

    hello guys,

     

     

    just to recap this conversation which you've started some times ago, I am getting problems in get Splunk fully functional after follow the steps part of the pdf file which came with the app's package. The field attack_type, used in many queries of the first app menu's group, is presenting, I imagine, wrong data. it is presenting graphs with symbols as commas, double quotes and single quotes. I will count on your help so as to understand whether it is a problem or not...could you give me a hand on that? Thanks a lot and looking forward to hearing from you.

     

     

    Cheers, WB

     

  • Jim_Westwood_64's avatar
    Jim_Westwood_64
    Icon for Nimbostratus rankNimbostratus
    Apr 02, 2014

    I am having the same issue. Latest splunk, latest f5 app and it fails to work as the data is in quotes?

     

  • MVA's avatar
    MVA
    Icon for Nimbostratus rankNimbostratus
    Mar 26, 2015

    So it doesn't seem possible to have all contents of /var/log/asm sent to splunk, similar to how /var/log/ltm and /var/log/audit get sent to splunk by default?

     

  • dbizzle_20930's avatar
    dbizzle_20930
    Icon for Nimbostratus rankNimbostratus
    Mar 26, 2015

    All you should have to do is define your remote logging options under system and define your inputs on Splunk. The F5 will automagically send anything that is standard syslog to that remote address. For ASM/APM you can collect data using High Speed Logging (HSL) or AVR and configure the publishers/destinations for each. Configure a pool(s) that has your indexer/port defined as a member or you could even create a VIP to handle load balancing between indexers if you wanted and your AVR/HSL destination could be a pool with the VIP address as its member.

     

    • mortoj_167568's avatar
      mortoj_167568
      Icon for Altocumulus rankAltocumulus
      Apr 20, 2016
      I am currently working on getting ASM logs over to both Splunk (syslog format) and ArcSight (CEF format) I found this link useful for understanding Field/Value/Description for Splunk and ArcSight as well as for creating Custom Logging Profiles Thought I'd share: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/10.html