Re: Splunk Add-on for F5 BIG-IP: How to configure ...

splunker12er · ‎02-24-2016

Unable to configure iRules in F5 as per the steps given in the Splunk docs:

http://docs.splunk.com/Documentation/AddOns/latest/F5BIGIP/Setup#Configure_iRules_for_GTM

Error Message:

01070151:3: Rule [/Common/Splunk_DNS_REQUEST] error: /Common/Splunk_DNS_REQUEST:7: error: [undefined procedure: whereami][whereami]
/Common/Splunk_DNS_REQUEST:9: error: [undefined procedure: whoami][whoami]
/Common/Splunk_DNS_REQUEST:10: error: [undefined procedure: wideip][wideip name]

rhombus00 · ‎07-11-2023

I know this is an old thread, but wanted to provide some details as I ran into the same issue.

The Splunk docs provides separate iRules for DNS request logging and DNS response logging.

DNS request logging is configured in DNS > GSLB > iRules. They incorrectly state that you can apply this rule to your Listeners. You can only apply a GSLB iRule to wide IPs.

DNS response logging is configured in DNS > Delivery > iRules. I believe some older versions might list them in Local Traffic > iRules. They incorrectly state you can apply the rule to wide IPs. You can only apply a LTM/Delivery iRule to Listeners.

While the logging does work assuming you apply the rules to the correct objects, the problem I had is ensuring that the request logging rule gets applied to all wide IPs. I want to do logging on the Listeners so I can set it and forget it. Rules configured within DNS > Delivery > iRules support both DNS_REQUEST and DNS_RESPONSE events, but they don't support the whereami, whoami, whereis, and wideip name commands. I simply remove the references to those commands and joined both the request and response rules into a single rule and applied it to my Listeners. I copied an example below.

when DNS_REQUEST {
set client_addr [IP::client_addr]
set dns_server_addr [IP::local_addr]
set question_name [DNS::question name]
set question_class [DNS::question class]
set question_type [DNS::question type]
set dns_len [DNS::len]

set hsl [HSL::open -proto UDP -pool Pool-syslog]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,question_class=$question_class,question_type=$question_type,dns_len=$dns_len"
}

when DNS_RESPONSE {
set client_addr [IP::client_addr]
set dns_server_addr [IP::local_addr]
set question_name [DNS::question name]
set is_wideip [DNS::is_wideip [DNS::question name]]
set answer [join [DNS::answer] ;]

set hsl [HSL::open -proto UDP -pool Pool-syslog]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\""
}

jkat54 · ‎05-12-2016

according to f5 documentation, whereami, whoami, wideip are all available in F5 version 10+

ppohar_splunk · ‎05-10-2016

We are seeing similar error.

jcoates_splunk · ‎02-27-2016

Hi, what version of F5 are you on?

ppohar_splunk · ‎05-12-2016

Client is on F5 version 11.5.2 HF1.0.169.

jkat54 · ‎05-12-2016

I suggest you file a case with F5 support, they can help you determine why these functions are not available in the F5.

Splunk Add-on for F5 BIG-IP: How to configure iRules for F5 GTM? Getting "[/Common/Splunk_DNS_REQUEST] error...undefined procedure:..."

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!