In order to collect logs from F5-LTM, do we need to install both the F5 Networks - LTM App and the Splunk Add-on for F5 BIG-IP, or will either one do?
I believe that the Add-On is a superset of the individual parts. The Add-On also has additional capabilities to collect metrics through iControl APIs.
Additionally, the Add-On provides the CIM model to use with the Splunk stack products like ITSI or ES.
Hi @walterk82
Thanks for your input.
So, does that mean it is advisable to install both the F5 Networks - LTM App and the Splunk Add-on for F5 BIG-IP to get LTM-F5 logs?
Because nowhere does the documentation state that both the app and the add-on need to be installed.
I haven't installed just the LTM App, but I would advise against it. Focus only on the Add-On.
So you recommend installing only the add-on?
Yes, that is correct.
Hi @walterk82, I installed the F5 Networks - LTM App as well to get its visualisation and dashboard capabilities.
For this, I have used the same inputs.conf (given below) of the Add-on for BIG-IP within the App. However, there is still no data getting populated within the App.
[udp://9514]
index = main
sourcetype = f5:bigip:syslog
disabled = 0
Can you please advise if there is a workaround for this?
Hi @walterk82,
If I just need to collect logs from LTM, is configuring just the UDP and TCP inputs enough, rather than the modular inputs of the add-on?
Correct again.
Hi @walterk82,
When I had set UDP port 9514 with sourcetype syslog on my Heavy Forwarder, it accepted all F5 logs; however, when I configured the inputs as below,
[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
I stopped receiving any logs from F5. Please help me with this.
What is the SPL or search command you used to find the events? Also, what is your indexing topology? That syntax is what I use. How did you configure the F5 side?
Just by the sourcetype, which at that time was syslog. Then I configured it as mentioned above. That is when I stopped getting any logs.
There is a S.H (add-on installed with visibility OFF), an Indexer (no add-on) and a Heavy Forwarder (add-on installed with visibility ON and configured as shown above).
Configured F5 according to the Splunk docs,
You configured port 9515 as the TCP syslog port in Splunk. I would change that back to 9514, as you can have TCP/UDP on the same port number.
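An added example, not code from this thread or from the Splunk add-on: it parses the inputs.conf stanzas quoted above into protocol/port/sourcetype entries, and then demonstrates the point just made, that a TCP and a UDP listener can share one port number, by binding both on the same OS-chosen port. The sample stanzas are the constructed ones from the thread; `probe_shared_port` and `listener_ports` are hypothetical helper names.

```python
import configparser
import socket

# Constructed sample: the two inputs.conf stanzas posted in the thread.
SAMPLE_INPUTS_CONF = """
[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
"""

def parse_inputs_conf(text):
    """Return (protocol, port, settings) for every network input stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    inputs = []
    for section in cp.sections():
        if "://" not in section:          # skip non-network stanzas
            continue
        proto, port = section.split("://", 1)
        inputs.append((proto, int(port), dict(cp[section])))
    return inputs

def listener_ports(inputs):
    """Map protocol -> sorted enabled ports; stanzas left disabled are dropped."""
    ports = {}
    for proto, port, settings in inputs:
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        ports.setdefault(proto, []).append(port)
    return {p: sorted(v) for p, v in ports.items()}

def probe_shared_port(host="127.0.0.1"):
    """Bind a TCP and a UDP socket to the same port number and return it.
    This is the property behind the advice to use 9514 for both protocols."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp.bind((host, 0))               # let the OS pick a free TCP port
        port = tcp.getsockname()[1]
        udp.bind((host, port))            # same number, different protocol
        return port
    finally:
        tcp.close()
        udp.close()

if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    print(listener_ports(parsed))         # {'udp': [9514], 'tcp': [9515]}
    print("tcp+udp bound together on port", probe_shared_port())
```

Running it against the thread's stanzas shows the two protocols split across 9514 and 9515, while the probe confirms a single number would have served both.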
Actually, I have started receiving logs from LTM-F5, but so far it has only been from UDP 9514. No logs have been collected yet from TCP 9515.
OK, thanks!