Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Virtual Server Log Forward to Splunk

Jaspreetgurm
Altocumulus
Altocumulus

I want to setup log forwarding from F5 to splunk server for https traffic of one of virtual server.

 

Below needs to be capture from traffic and send to splunk server.

 

Domain Name

Source IP

Http Version

Target IP

http status

time taken

 

4 REPLIES 4

JRahm
Community Manager
Community Manager

You can do that with HSL, all the pieces you need are in this article. Post back with some code fragments if you have any questions and we'll help you out!

Thanks, Jason 🙂

 

I just prepared the configuration as below. Please revert with your kind suggestion on this.

 

 

 

1) Adding Splunk server as pool member.

 

Navigate to Local Traffic > Pools

 

Click Create.

 

Name:-Splunk_HSL_Pool

 

IP address :-10.10.10.10

Port    :-514

 

Click Finished.

 

2) Log Destination

 

Navigate to System > Logs > Configuration > Log Destinations .

 

Click Create.

 

Name field :- Splunk_HSL_logging

Type:- Remote High-Speed Log

 

Pool Name :- Splunk_HSL_Pool

 

Protocol :- HSL

 

Click Finished.

 

3) Log Formatt

 

Navigate to System > Logs > Configuration > Log Destinations .

 

Click Create.

 

Name:- Splunk_Logs

 

Type:- Splunk.

 

Forward To :- Splunk_HSL_logging

 

Click Finished.

 

4) Publisher

 

Navigate to System > Logs > Configuration > Log Publishers .

 

Click Create.

 

Name :- Splunk_Publisher

 

Destinations :-Splunk_HSL_logging.

 

Click Finished.

 

 

Irule for virtual Server.

******************************

 

Goto->Local Traffic-Irule

Name:- Splunk_logging

 

Copy paste below code.

 

when CLIENT_ACCEPTED {

 set client_address [IP::client_addr]

 set vip [IP::local_addr]

 set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]

}

when HTTP_REQUEST {

 set http_host [HTTP::host]:[TCP::local_port]

 set http_uri [HTTP::uri]

 set http_method [HTTP::method]

 set http_version [HTTP::version]

 set virtual_server [LB::server]

 set http_user_agent [HTTP::header "User-Agent"]

 set http_content_type [HTTP::header "Content-Type"]

 set tcp_start_time [clock clicks -milliseconds]

 set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 if { [HTTP::header Content-Length] > 0 } then {

   set req_length [HTTP::header "Content-Length"]

 } else {

   set req_length 0

 }

}

when HTTP_RESPONSE {

#  set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 set node [IP::server_addr]

 set node_port [TCP::server_port]

 set http_status [HTTP::status]

 set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]

 if { [HTTP::header Content-Length] > 0 } then {

   set res_length [HTTP::header "Content-Length"]

 } else {

   set res_length 0

 }

set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]

HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"

}

 

 

 

 

Hi Jaspreet,

Amazing Instructions above, I followed it step by step thank you for the easy guide.

 

Can I ask did the above work for you? was you able to get logs regarding your virtual server? 

I.e connectivity etc ?

I am looking on Splunk and I can find any good data ?

You'll have to modify your hsl cmd to avoid outage, there's a known bug & I learned it by experience. Hope it helps.

Also why would you need a TCP, set it as UDP protocol.

when CLIENT_ACCEPTED {
set client_address [IP::client_addr]
set vip [IP::local_addr]
#Set the splunk hsl pool in a variable first
set splunk_pool Splunk_HSL_Pool
#Use that variable to call out in below command
#Bug - https://support.f5.com/csp/article/K14505
set hsl [HSL::open -proto UDP -pool $splunk_pool]
}

And again i see you are creating an HSL open in HTTP RESPONSE which is not required. Just HSL send would be enough.