I'm not too familiar with monitoring the F5 syslogs but I'm hoping someone can help with this.
We have multiple web servers running multiple IIS sites and they are all pooled on an F5. I know that there are health created for each pool to monitor if a particular web server in the pool has an issue.
Can we setup up monitoring of those health checks in Splunk so we can setup alerts if a health check for a specific web server fails instead of having to try to check each server for the issue when our site checks fail?
health checks are more searches mainly to check up on the Splunk installation itself.
To look for maintenance and service checkup. And to troubleshoot the splunk design.
And a app and search can be used to check IIS logs.
This is an old post, but an easy one to setup. We have our F5 LTM logs going to Splunk so we can monitor when the F5 marks a member of a pool up or down.
[udp://4321] connection_host = ip sourcetype = ltm_log source = ltm index = f5
mcpd: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up. mcpd: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down.Where Pool_A is the F5 pool name, Server1:80 is the member server name/ip and port, and monitor status shows whether the F5 disabled (down) or enabled (up) the member in the pool based on it's availability.
Finally, there are some F5 apps on Splunkbase that you can play around with as well.