Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Virtual Server Log Forward to Splunk

Jaspreetgurm
Altocumulus
Altocumulus

‎28-Oct-2021 21:55

I want to setup log forwarding from F5 to splunk server for https traffic of one of virtual server.

 

Below needs to be capture from traffic and send to splunk server.

 

Domain Name

Source IP

Http Version

Target IP

http status

time taken

 

Labels:
0 Kudos
4 REPLIES 4

JRahm
Community Manager
Community Manager

‎12-Nov-2021 14:33

You can do that with HSL, all the pieces you need are in this article. Post back with some code fragments if you have any questions and we'll help you out!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Jaspreetgurm
Altocumulus
Altocumulus
In response to JRahm

‎15-Nov-2021 18:45

Thanks, Jason 🙂

 

I just prepared the configuration as below. Please revert with your kind suggestion on this.

 

 

 

1) Adding Splunk server as pool member.

 

Navigate to Local Traffic > Pools

 

Click Create.

 

Name:-Splunk_HSL_Pool

 

IP address :-10.10.10.10

Port    :-514

 

Click Finished.

 

2) Log Destination

 

Navigate to System > Logs > Configuration > Log Destinations .

 

Click Create.

 

Name field :- Splunk_HSL_logging

Type:- Remote High-Speed Log

 

Pool Name :- Splunk_HSL_Pool

 

Protocol :- HSL

 

Click Finished.

 

3) Log Formatt

 

Navigate to System > Logs > Configuration > Log Destinations .

 

Click Create.

 

Name:- Splunk_Logs

 

Type:- Splunk.

 

Forward To :- Splunk_HSL_logging

 

Click Finished.

 

4) Publisher

 

Navigate to System > Logs > Configuration > Log Publishers .

 

Click Create.

 

Name :- Splunk_Publisher

 

Destinations :-Splunk_HSL_logging.

 

Click Finished.

 

 

Irule for virtual Server.

******************************

 

Goto->Local Traffic-Irule

Name:- Splunk_logging

 

Copy paste below code.

 

when CLIENT_ACCEPTED {

 set client_address [IP::client_addr]

 set vip [IP::local_addr]

 set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]

}

when HTTP_REQUEST {

 set http_host [HTTP::host]:[TCP::local_port]

 set http_uri [HTTP::uri]

 set http_method [HTTP::method]

 set http_version [HTTP::version]

 set virtual_server [LB::server]

 set http_user_agent [HTTP::header "User-Agent"]

 set http_content_type [HTTP::header "Content-Type"]

 set tcp_start_time [clock clicks -milliseconds]

 set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 if { [HTTP::header Content-Length] > 0 } then {

   set req_length [HTTP::header "Content-Length"]

 } else {

   set req_length 0

 }

}

when HTTP_RESPONSE {

#  set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 set node [IP::server_addr]

 set node_port [TCP::server_port]

 set http_status [HTTP::status]

 set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]

 if { [HTTP::header Content-Length] > 0 } then {

   set res_length [HTTP::header "Content-Length"]

 } else {

   set res_length 0

 }

set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]

HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"

}

 

 

 

 

0 Kudos

Kalido
Altostratus
Altostratus
In response to Jaspreetgurm

‎22-Sep-2022 03:43

Hi Jaspreet,

Amazing Instructions above, I followed it step by step thank you for the easy guide.

 

Can I ask did the above work for you? was you able to get logs regarding your virtual server? 

I.e connectivity etc ?

I am looking on Splunk and I can find any good data ?

0 Kudos

jaikumar_f5
MVP
MVP

‎18-Nov-2021 01:12 - last edited on ‎04-Jun-2023 19:15 by Fog

You'll have to modify your hsl cmd to avoid outage, there's a known bug & I learned it by experience. Hope it helps.

Also why would you need a TCP, set it as UDP protocol.

when CLIENT_ACCEPTED {
set client_address [IP::client_addr]
set vip [IP::local_addr]
#Set the splunk hsl pool in a variable first
set splunk_pool Splunk_HSL_Pool
#Use that variable to call out in below command
#Bug - https://support.f5.com/csp/article/K14505
set hsl [HSL::open -proto UDP -pool $splunk_pool]
}

And again i see you are creating an HSL open in HTTP RESPONSE which is not required. Just HSL send would be enough.

Copyright © 2023 Khoros, LLC