Splunk for F5 Networks -- Syslog Logs

vragosta
Path Finder

All,

Is there a particular sourcetype that should be assigned to the F5 syslog logs? Right now, the logs are being forwarded to Splunk over port 514 and are simply being assigned a sourcetype of "udp:514". Also, I'm not certain the format of the logs is correct. Currently, they look like this:

May 14 16:34:45 10.238.148.22 May 14 16:34:28 AAA-SLDC-LTM3900-2 info logger: [ssl_req][14/May/2013:16:34:28 -0400] 10.238.140.125 TLSv1 AES128-SHA "/xxx/stuff.jsp" 2503

I was expecting a syslog id to appear as part of the logs, such as something like the following:

May 13 13:41:12 AAA-SLDC-LTM3900-2 notice sod[6060]: 010c0019:5: Active

Is it possible all of the logs I am currently receiving simply have no syslog id?

Lastly, if the sourcetype is not being auto assigned, is it possible to assign a sourcetype to a subset of logs destined to a particular source? For example, in addition to the F5 syslog logs, I am also forwarding some firewall logs over this port as well. I obviously don't want to force the sourcetype to be the same for everything destined to port 514.

Thanks!

bmacias84
Champion

Yes, you can by using your props.conf.


[host::<IPorHOSTname>]
sourcetype=<your source type>

Additional Reading:

Hope this helps or gets you started. Don't forget to vote and accept answers that help.

Cheers,

0 Karma

bmacias84
Champion

Could you post a couple of samples of both types of syslog data?

0 Karma

vragosta
Path Finder

This will not work in this case. There are actually two different sourcetypes originating from the same host. For the F5, I have both F5:iRule:WebAccess logs and standard syslog logs. The F5:iRule:WebAccess logs are being recognized as they should. They are being sent to a unique port and I have overridden the sourcetype. But, how do I indicate the other type of logs from the same host should be classified with a different sourcetype?

Thanks!

0 Karma
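One way to give only the F5 syslog events on the shared port their own sourcetype, while the firewall events on the same port keep the default, is an index-time sourcetype override keyed on the event content. This is an added example, not configuration from this thread; the hostname is taken from the samples above, the sourcetype name f5:syslog is an assumption, and the stanzas belong on the indexer or heavy forwarder that parses the UDP input (universal forwarders do not apply TRANSFORMS).

```ini
# props.conf
# Scope the override to the shared UDP input, so firewall events arriving on
# port 514 are left alone unless the regex in transforms.conf matches.
# Index-time only: events already indexed keep their udp:514 sourcetype.
[source::udp:514]
TRANSFORMS-f5syslog = f5_syslog_override

# transforms.conf
[f5_syslog_override]
# Match the F5 syslog header from the samples in this thread:
#   "... AAA-SLDC-LTM3900-2 info logger: [ssl_req]..."        (no PID)
#   "... AAA-SLDC-LTM3900-2 notice sod[6060]: 010c0019:5: ..." (syslog id)
# The leading relay timestamp/IP is not anchored, so both shapes match.
REGEX = \sAAA-SLDC-LTM3900-2\s+\w+\s+(?:logger|\w+\[\d+\]):
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::f5:syslog
```

After a restart of the parsing tier, `source="udp:514" | stats count by sourcetype` over fresh data should show f5:syslog for the F5 host and udp:514 for everything else.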