All Apps and Add-ons

Splunk for F5 Networks: Is there any documentation for this app on how to configure it?

hemendralodhi
Contributor

Hello,

We have installed the app but not able to find the documentation as where and how to configure it.

 App is installed on Search Head
 LB is sending syslog data to syslog-ng server and there Universal forwarder is picking the data and sending to Heavy Forwarder.
 Heavy Forwarder is sending data it to Indexer which in turn is searchable by Search head for load balancer index.

I checked the app but not able to configure it. Can you please advise?

Thanks in advance.

Hemendra

sjohnson_splunk
Splunk Employee
Splunk Employee

You mentioned that you are using a heavy forwarder on the syslog server. I took a look at the app and in the props.conf section there is a set of transforms that operates on the syslog sourcetype that changes the sourcetype for the different types of events that the F5 generates:

TRANSFORMS-sourcetype=f5-dcfw,f5-syslog,f5-access

This means that you will have to install the app on the heavy forwarder so it can do this operation before the data gets indexed.

I didn't see any index specified in the app, so not sure what index you are putting the data into, but if you don't have rights to search all indexes by default, you might consider modifying the macros.conf file (on the search head) and putting index=foo (the index where the f5 data is) in front of the sourcetype. Something like:

definition = index=foo sourcetype="F5:AFM:Syslog"

After that as long as you have the app installed on your search head, you should be good to go.

,

0 Karma

maciep
Champion

Are you specifying a sourcetype in your input? And also what is the sourcetype of the data after indexed? Did you deploy the props/transforms conf files to the heavy forwarder and/or indexer?

From what I recall, I think the data is supposed to come in with a sourcetype of syslog and then should get transformed into other various sourectypes before getting indexed.

0 Karma

guarisma
Contributor

There's a PDF inside the /etc/apps/SplunkforF5Network directory/folder called Configuring BigIP AFM Logging for Splunk.pdf that explains how to properly configure your F5 devices to send the syslogs for the Splunk app to understand it, and then just as @maciep said configure your inputs to label the sourcetype as syslog and the transforms in the props.conf should take care of the rest.

hemendralodhi
Contributor

we are specifying sourcetype as "syslog" and we are seeing the same sourcetype in indexed data. We haven't done any change in props/transforms.conf ,not sure what to apply there. Is there any doc/sample config to check on that?

0 Karma

maciep
Champion

Yes, it doesn't seem like that app is very well documented.

I would suggest you copy/install the app to the heavy forwarder and restart. The app contains the props and transforms, so hopefully the data will start showing up with a different sourcetype. And then hopefully the searches in the app will start to produce results.

If you look in the props.conf, you can see that there is a stanza for the syslog sourcetype. In that stanza, it defines some transforms to apply to the data to change the sourcetype. If you look in transforms.conf, you should see the various stanzas referenced in props, the regex being used and the new sourcetypes being applied.

hemendralodhi
Contributor

great thanks. I will check on that and will update the result here.

0 Karma

ssuresh
Explorer

There is documentation inside the installed ap for F5 for security App. refer to it. We have configured using same document.

0 Karma

ssuresh
Explorer

You will find the PDF Under $splunk_home$\etc\apps\SplunkforF5Networks

0 Karma

hemendralodhi
Contributor

Thanks for the info but I am not sure still how it will serve in our current set up. LB is pushing data to our syslog-ng server and from there UF is reading that data and sending to HF which in turns send to indexer. From the doc look like LB should directly sending the data to indexer?

Any help is appreciated.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!