I'm not too familiar with monitoring the F5 syslogs but I'm hoping someone can help with this.
We have multiple web servers running multiple IIS sites and they are all pooled on an F5. I know that there are health created for each pool to monitor if a particular web server in the pool has an issue.
Can we setup up monitoring of those health checks in Splunk so we can setup alerts if a health check for a specific web server fails instead of having to try to check each server for the issue when our site checks fail?
This is an old post, but an easy one to setup. We have our F5 LTM logs going to Splunk so we can monitor when the F5 marks a member of a pool up or down.
The first thing you need to do is setup a UDP (or TCP, depending on how your network team wants to send F5 logs to your Splunk server) listen port on your Splunk indexer server in inputs.conf
Mine looks like this (be sure the index you set has been created)
connection_host = ip
sourcetype = ltm_log
source = ltm
index = f5
Next, have your network admin config the F5 to forward the LTM logs to your Splunk indexer hostname (or IP) and port you configured above
If everything works, you should see F5 logs similar to the following
mcpd: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up.
mcpd: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down.
Where Pool_A is the F5 pool name, Server1:80 is the member server name/ip and port, and monitor status shows whether the F5 disabled (down) or enabled (up) the member in the pool based on it's availability.