
Splunk Add-on for F5 BIG-IP: How to configure iRules for F5 GTM? Getting "[/Common/Splunk_DNS_REQUEST] error...undefined procedure:..."

splunker12er
Motivator

Unable to configure iRules in F5 as per the steps given in the Splunk docs:

http://docs.splunk.com/Documentation/AddOns/latest/F5BIGIP/Setup#Configure_iRules_for_GTM

Error Message:

01070151:3: Rule [/Common/Splunk_DNS_REQUEST] error: /Common/Splunk_DNS_REQUEST:7: error: [undefined procedure: whereami][whereami]
/Common/Splunk_DNS_REQUEST:9: error: [undefined procedure: whoami][whoami]
/Common/Splunk_DNS_REQUEST:10: error: [undefined procedure: wideip][wideip name]
0 Karma

rhombus00
Engager

I know this is an old thread, but wanted to provide some details as I ran into the same issue.

The Splunk docs provide separate iRules for DNS request logging and DNS response logging.

DNS request logging is configured in DNS > GSLB > iRules. They incorrectly state that you can apply this rule to your Listeners. You can only apply a GSLB iRule to wide IPs. 

DNS response logging is configured in DNS > Delivery > iRules. I believe some older versions might list them in Local Traffic > iRules. They incorrectly state you can apply the rule to wide IPs. You can only apply an LTM/Delivery iRule to Listeners.

While the logging does work assuming you apply the rules to the correct objects, the problem I had is ensuring that the request logging rule gets applied to all wide IPs. I want to do logging on the Listeners so I can set it and forget it. Rules configured within DNS > Delivery > iRules support both DNS_REQUEST and DNS_RESPONSE events, but they don't support the whereami, whoami, whereis, and wideip name commands. I simply removed the references to those commands, joined both the request and response rules into a single rule, and applied it to my Listeners. I copied an example below.

when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set dns_len [DNS::len]

    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,question_class=$question_class,question_type=$question_type,dns_len=$dns_len"
}

when DNS_RESPONSE {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    set answer [join [DNS::answer] ;]

    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\""
}


0 Karma
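Added example, not part of the post above or of the Splunk add-on: a Python check for the two HSL message formats the combined iRule sends, useful for confirming what arrives at the syslog pool before relying on it in Splunk. The sample lines, addresses and the `parse_hsl_line` name are constructed for illustration.

```python
import re

# Field order taken from the two HSL::send format strings in the iRule above.
EXPECTED = {
    "Splunk-iRule-DNS_REQUEST": ["f5_irule", "src_ip", "dns_server_ip", "question_name",
                                 "question_class", "question_type", "dns_len"],
    "Splunk-iRule-DNS_RESPONSE": ["f5_irule", "src_ip", "dns_server_ip", "question_name",
                                  "is_wideip", "answer"],
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>,")
# A value is either "double quoted" (may contain commas) or runs to the next comma.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))(?:,|$)')

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_REQUEST = ("<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=198.51.100.7,"
                  "dns_server_ip=192.0.2.53,question_name=www.example.com,"
                  "question_class=IN,question_type=A,dns_len=33")
SAMPLE_RESPONSE = ("<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=198.51.100.7,"
                   "dns_server_ip=192.0.2.53,question_name=www.example.com,is_wideip=1,"
                   'answer="www.example.com. 30 IN A 192.0.2.10;www.example.com. 30 IN A 192.0.2.11"')

def parse_hsl_line(line):
    """Return (facility, severity, fields); raise ValueError if the line does not match."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>, prefix")
    facility, severity = divmod(int(m.group(1)), 8)  # syslog PRI = facility * 8 + severity
    body, fields, pos = line[m.end():], {}, 0
    while pos < len(body):
        p = PAIR_RE.match(body, pos)
        if not p:
            raise ValueError(f"unparseable text at offset {pos}")
        key = p.group(1)
        # question_name is client-supplied, so duplicate keys are rejected, not overwritten.
        if key in fields:
            raise ValueError(f"duplicate key {key}")
        fields[key] = p.group(2) if p.group(2) is not None else p.group(3)
        pos = p.end()
    want = EXPECTED.get(fields.get("f5_irule"))
    if want is None or list(fields) != want:
        raise ValueError("unexpected rule name or field set")
    return facility, SEVERITIES[severity], fields
```

The `<190>` prefix decodes to facility 23 (local7) and severity 6 (info), which is what a syslog receiver should show for these events.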

jkat54
SplunkTrust

According to F5 documentation, whereami, whoami, wideip are all available in F5 version 10+.

0 Karma

ppohar_splunk
Splunk Employee

We are seeing a similar error.

0 Karma

jcoates_splunk
Splunk Employee

Hi, what version of F5 are you on?

0 Karma

ppohar_splunk
Splunk Employee

Client is on F5 version 11.5.2 HF1.0.169.

0 Karma

jkat54
SplunkTrust

I suggest you file a case with F5 support; they can help you determine why these functions are not available in the F5.

0 Karma