Alerting
Highlighted

How to set up monitoring of F5 health checks in Splunk?

New Member

Hello,

I'm not too familiar with monitoring the F5 syslogs but I'm hoping someone can help with this.

We have multiple web servers running multiple IIS sites and they are all pooled on an F5. I know that there are health created for each pool to monitor if a particular web server in the pool has an issue.

Can we setup up monitoring of those health checks in Splunk so we can setup alerts if a health check for a specific web server fails instead of having to try to check each server for the issue when our site checks fail?

Thanks

Labels (1)
0 Karma
Highlighted

Re: How to set up monitoring of F5 health checks in Splunk?

Path Finder

What is a F5?

0 Karma
Highlighted

Re: How to set up monitoring of F5 health checks in Splunk?

Path Finder

health checks are more searches mainly to check up on the Splunk installation itself.
To look for maintenance and service checkup. And to troubleshoot the splunk design.

And a app and search can be used to check IIS logs.

0 Karma
Highlighted

Re: How to set up monitoring of F5 health checks in Splunk?

New Member

This is an old post, but an easy one to setup. We have our F5 LTM logs going to Splunk so we can monitor when the F5 marks a member of a pool up or down.

  1. The first thing you need to do is setup a UDP (or TCP, depending on how your network team wants to send F5 logs to your Splunk server) listen port on your Splunk indexer server in inputs.conf Mine looks like this (be sure the index you set has been created) [udp://4321] connection_host = ip sourcetype = ltm_log source = ltm index = f5
  2. Next, have your network admin config the F5 to forward the LTM logs to your Splunk indexer hostname (or IP) and port you configured above
  3. If everything works, you should see F5 logs similar to the following mcpd[5933]: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up. mcpd[5933]: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down. Where Pool_A is the F5 pool name, Server1:80 is the member server name/ip and port, and monitor status shows whether the F5 disabled (down) or enabled (up) the member in the pool based on it's availability.
  4. From here, you can create an alert when the status changes.

Finally, there are some F5 apps on Splunkbase that you can play around with as well.

0 Karma