
Splunk for F5 Networks -- Syslog Logs

vragosta
Path Finder

All,

Is there a particular sourcetype that should be assigned to the F5 syslog logs? Right now, the logs are being forwarded to Splunk over port 514 and are simply being assigned a sourcetype of "udp:514". Also, I'm not certain the format of the logs is correct. Currently, they look like this:

May 14 16:34:45 10.238.148.22 May 14 16:34:28 AAA-SLDC-LTM3900-2 info logger: [ssl_req][14/May/2013:16:34:28 -0400] 10.238.140.125 TLSv1 AES128-SHA "/xxx/stuff.jsp" 2503

I was expecting a syslog id to appear as part of the logs, such as something like the following:

May 13 13:41:12 AAA-SLDC-LTM3900-2 notice sod[6060]: 010c0019:5: Active

Is it possible all of the logs I am currently receiving simply have no syslog id?

Lastly, if the sourcetype is not being auto assigned, is it possible to assign a sourcetype to a subset of logs destined to a particular source? For example, in addition to the F5 syslog logs, I am also forwarding some firewall logs over this port as well. I obviously don't want to force the sourcetype to be the same for everything destined to port 514.

Thanks!

bmacias84
Champion

Yes, you can, by using your props.conf.


[host::<IPorHOSTname>]
sourcetype=<your source type>

Additional Reading:

Hope this helps or gets you started. Don't forget to vote and accept answers that help.

Cheers,

0 Karma

bmacias84
Champion

Could you post a couple of samples of both types of syslog data?

0 Karma

vragosta
Path Finder

This will not work in this case. There are actually two different sourcetypes originating from the same host. For the F5, I have both F5:iRule:WebAccess logs and standard syslog logs. The F5:iRule:WebAccess logs are being recognized as they should. They are being sent to a unique port and I have overridden the sourcetype. But, how do I indicate the other type of logs from the same host should be classified with a different sourcetype?

Thanks!

0 Karma
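One way to label only the port-514 traffic per event, added here as an example and not taken from the thread or from the F5 app: a `[source::udp:514]` stanza in props.conf hands each event to transforms.conf rules that set the sourcetype from the hostname in the syslog header, so the WebAccess logs arriving on the other port (a different source) are untouched. The stanza names, the two sourcetype names and `FIREWALL-HOSTNAME` are assumptions; the F5 hostname and the two line shapes come from the samples in the question, and the files go on the instance that parses the UDP input (indexer or heavy forwarder).

```ini
# props.conf (added example; stanza and sourcetype names are assumptions).
# Events from the udp:514 input start as sourcetype udp:514. The transforms
# run in the listed order; an event matching none of them keeps udp:514,
# so unrecognised senders stay visible rather than being silently relabelled.
[source::udp:514]
TRANSFORMS-set_st = st_f5_syslog, st_firewall_syslog

# transforms.conf
[st_f5_syslog]
# Matches both shapes quoted in the question: the plain syslog line
# ("May 13 13:41:12 AAA-SLDC-LTM3900-2 notice sod[6060]: ...") and the
# relayed one with an extra "<timestamp> <ip>" prefix in front of the
# original header ("May 14 16:34:45 10.238.148.22 May 14 16:34:28 AAA-SLDC-LTM3900-2 ...").
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?:\S+\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+)?AAA-SLDC-LTM3900-2\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::f5:syslog

[st_firewall_syslog]
# FIREWALL-HOSTNAME is a placeholder; the firewall's name is not in the thread.
# Same header pattern, different host, different sourcetype.
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?:\S+\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+)?FIREWALL-HOSTNAME\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::firewall:syslog
```

These are index-time rules: restart the parsing instance after editing, and they apply only to data received afterwards, so verify with a search on `sourcetype=udp:514` that nothing expected is left behind.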