log publisher
2 Topics

Splunk Log Publisher with iRule HSL
Hi, I'm having some difficulty understanding the relationship between the HSL iRule commands and formatted log publishers (Splunk, in this case) in 11.5.1. Sorry if the formatting isn't what the community expects - I'm fairly new to this ecosystem.

Setup

- One node called "splunk-universal-forwarder" running a Splunk universal forwarder listening on 9996/tcp.
- A pool called "remote-logging-pool" with the splunk-universal-forwarder node listening on 9996/tcp.
- Log Destination "splunk-rhsl" of type Remote HSL pointed at the remote-logging-pool over TCP.
- Log Destination "splunk-formatted" of type "Splunk" forwarding to "splunk-rhsl".
- Log Publisher "splunk-publisher" pointing at the splunk-formatted destination.
- Log Publisher "rhsl-publisher" pointing at the splunk-rhsl destination.
- A virtual server backed by a pool with a single node serving up content http://10.1.1.2 (the IP address is irrelevant for this question).

Given the iRule:

    when CLIENT_ACCEPTED {
        set hsl [HSL::open -publisher /tst/splunk-publisher]
        set hsl [HSL::open -proto TCP -pool remote-logging-pool]
        set hsl [HSL::open -publisher /tst/Rhsl-publisher]
    }
    when HTTP_REQUEST {
        HSL::send $hsl "<190>|[IP::local_addr]|[HTTP::uri]\n"
    }

The bottom two set statements in the when CLIENT_ACCEPTED command result in a message going successfully to the Splunk forwarder. The first set statement results in no messages going to the Splunk forwarder.

Questions

- Are HSL commands in iRules unable to use formatted publishers?
- What exactly does a formatted publisher do? It seems like it would write data to the remote receiver in a format that particular receiver expects, but I haven't found a lot of documentation on this yet.
- Is there an interactive way to generate dummy log events to send to different destinations and publishers to see what the effect is on the remote receiver?

Thanks for your help!

HSL Publisher does not recover when the pool goes down and then up
We have a set of iRules which produce logging to allow the back-end team to diagnose issues, and due to the sheer volume of log entries these are not stored locally but sent via a dedicated "HSL VLAN" on a 20gig vPC link.

The setup is: the pool has one pool member, the log destination is set to Remote-HSL with the aforementioned pool attached and using TCP (UDP isn't an option). Finally, the log publisher itself has the log destination as its attached destination. The pool has a simple tcp-half-open monitor to confirm that it is up.

What we have noticed is that should the pool go down and then back up again, the logging from the HSL commands in the iRules doesn't get to the destination any longer. The only way to kick it back into life is to attach the local-syslog destination (the inbuilt one) and hit update, and it kicks back into life.

We need to use a publisher rather than hard coding an IP, as the name of the publisher to use is held in a DG so that the logging iRule Proc can be used in multiple environments. Plus we can send a particular VS iRule logging to a different destination should we choose, due to the granular nature of the design.

Before I raise a ticket with F5, wondered if anybody else had come across this issue? (The same issue exists in 11.4.1, 11.5.1 and 11.5.2.)