Created the inputs in the local folder of the app to use UDP on the heavy forwarder and set the sourcetype to f5:bigip:syslog, but the app is not splitting the data into multiple sourcetypes like it says it is supposed to. Can someone let me know what can be done to get this to work?
Hi @marka3721 ,
are you directly receiving f5 logs or is there an intermediate log collector?
If there's an intermediate log collector, it probably modifies the log format; search the app's props.conf and transforms.conf for the regexes that apply the sourcetype override and check whether your logs match these regexes.
If not, open a case with Splunk Support, because this app is Splunk supported.
Ciao.
Giuseppe
They are coming into the HF through syslog UDP port.
1. And you have the add-on installed on the HF?
2. Have you configured your F5 to properly export the data? (AFAIR there's a section in the docs describing required configuration which needs to be performed on the F5's side.)
Hi @marka3721 ,
In this case, check the regexes used in the transformations:
take some log samples and put them in regex101.com; then use this regex and see what it captures as group 1:
^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)
If it captures the correct extension of the sourcetype it's correct; otherwise, modify it to adapt it to your different log format.
Only one final question: what's the sourcetype of your logs?
It should be fortigate_log or fgt_log, otherwise the transformations aren't taken into consideration.
Ciao.
Giuseppe
We have it set to f5:bigip:syslog
Hi @marka3721 ,
You are right! Sorry, I confused F5 with Fortinet!
Anyway, take the transformations you find in the add-on's transforms.conf and try them out.
The transformations to search for and verify in transforms.conf are: f5_bigip-icontrol-locallb, f5_bigip-icontrol-globallb, f5_bigip-icontrol-networking, f5_bigip-icontrol-management, f5_bigip-icontrol-system-systeminfo, f5_bigip-icontrol-system-statistics, f5_bigip-icontrol-system-disk, f5_bigip-icontrol-management-device, f5_bigip-icontrol-networking-interfaces, f5_bigip-icontrol-networking-adminip, f5_bigip-icontrol-locallb-pool, f5_bigip-icontrol-management-usermanagement.
Check whether those regexes match your data or you need to modify them to adapt them to your logs.
If you have to modify them, remember to copy the transforms.conf file into the local folder before modifying it.
Ciao.
Giuseppe
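As an added example (not from this thread or from the Splunk Add-on for F5 BIG-IP), here is a small offline check for the advice above: it parses transforms.conf-style stanzas and applies them to sample lines the way Splunk applies a sourcetype override, so you can see which stanza, if any, claims each event before editing anything under local/. The stanza regexes, the sourcetype names and the log lines are constructed placeholders; paste the real stanzas from the add-on's transforms.conf and your own UDP samples in their place.

```python
import configparser
import re

# Constructed transforms.conf fragment: placeholder REGEX/sourcetype values, not the
# add-on's real ones. Splunk's sourcetype override needs exactly these three keys.
SAMPLE_TRANSFORMS = r"""
[f5_bigip-icontrol-locallb]
REGEX = \s(?:tmm\d*|ltm)\[\d+\]:
FORMAT = sourcetype::f5:bigip:example:locallb
DEST_KEY = MetaData:Sourcetype
[f5_bigip-icontrol-system-systeminfo]
REGEX = \s(?:sshd|cron|systemd)\[\d+\]:
FORMAT = sourcetype::f5:bigip:example:system
DEST_KEY = MetaData:Sourcetype
"""

# Constructed syslog lines in the shape a BIG-IP sends to a UDP syslog input.
SAMPLE_LINES = [
    "<134>Jan  1 12:00:00 bigip1 tmm1[12345]: 01010028:3: No members available for pool /Common/web_pool",
    "<86>Jan  1 12:00:01 bigip1 sshd[2222]: Accepted publickey for admin from 10.0.0.5 port 51022",
    "<134>Jan  1 12:00:02 bigip1 audit: a line no REGEX matches keeps the input sourcetype",
]


def load_transforms(conf_text):
    """Parse transforms.conf text into (stanza, regex, sourcetype) triples, in file
    order, keeping only stanzas whose DEST_KEY is MetaData:Sourcetype."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    out = []
    for stanza in cp.sections():
        sec = cp[stanza]
        fmt = sec.get("FORMAT", "")
        if sec.get("DEST_KEY") != "MetaData:Sourcetype" or not fmt.startswith("sourcetype::"):
            continue
        # Splunk evaluates REGEX as PCRE against _raw; Python's re is close enough here.
        out.append((stanza, re.compile(sec["REGEX"]), fmt[len("sourcetype::"):]))
    return out


def resolve_sourcetype(raw, transforms, default="f5:bigip:syslog"):
    """Return (matching stanza or None, final sourcetype). Transforms run in props.conf
    order and every match overwrites MetaData:Sourcetype, so the last match wins."""
    matched, sourcetype = None, default
    for stanza, regex, st in transforms:
        if regex.search(raw):
            matched, sourcetype = stanza, st
    return matched, sourcetype
```

Run `resolve_sourcetype(line, load_transforms(open("local/transforms.conf").read()))` over a handful of your own events: any line that comes back with `None` is one the add-on's regexes do not recognise and will stay on f5:bigip:syslog.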