What are the benefits of using the F5 Networks - LTM App Splunk Add-on for F5 BIG-IP to log F5 LTM data?

damode
Motivator

In order to collect logs from F5-LTM, do we need to install both the F5 Networks - LTM App and Splunk Add-on for F5 BIG-IP, or will either one do?

0 Karma
1 Solution

walterk82
Path Finder

I believe that the Add-On is a superset of the individual parts. The Add-On also has additional capabilities to collect metrics through iControl APIs.

0 Karma

walterk82
Path Finder

Additionally, the Add-On provides the CIM model to use with the Splunk stack products like ITSI or ES.

0 Karma

damode
Motivator

Hi @walterk82

Thanks for your input.

So, does that mean it is advisable to install both the F5 Networks - LTM App and Splunk Add-on for F5 BIG-IP to get LTM-F5 logs?

Because nowhere does the documentation state that both the app and add-on need to be installed.

0 Karma

walterk82
Path Finder

I haven't installed just the LTM App, but I would advise against it. Focus only on the Add-On.

0 Karma

damode
Motivator

So you recommend installing only the add-on?

0 Karma

walterk82
Path Finder

Yes, that is correct.

0 Karma

damode
Motivator

Hi @walterk82, I installed the F5 Networks - LTM App as well to get its visualisation and dashboard capabilities.

For this, I have used the same inputs.conf (given below) of the Add-on for BIG-IP within the App. However, there is still no data getting populated within the App.

[udp://9514]
index = main
sourcetype = f5:bigip:syslog
disabled = 0

Can you please advise if there is a workaround for this?

0 Karma

damode
Motivator

Hi @walterk82,

If I just need to collect logs from LTM, is configuring just the UDP and TCP inputs enough, rather than the modular inputs of the add-on?

0 Karma

walterk82
Path Finder

Correct again.

0 Karma

damode
Motivator

Hi @walterk82,

When I had set udp port 9514 with sourcetype syslog on my Heavy Forwarder, it accepted all F5 logs; however, when I configured the inputs as below,

[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

I stopped receiving any logs from f5. Please help me with this.

0 Karma

walterk82
Path Finder

What is the SPL or search command you used to find the events? Also, what is your indexing topology? That syntax is what I use. How did you configure the F5 side?

0 Karma

damode
Motivator

Just by the sourcetype, which at that time was syslog. Then I configured it as mentioned above. That is when I stopped getting any logs.

There is S.H (add-on installed with visibility OFF), Indexer (no add-on) and Heavy Forwarder (add-on installed with visibility ON and configured as shown above).

Configured F5 according to splunk docs,

  1. Add a remote syslog server using the Configuration utility [https://support.f5.com/csp/article/K13080#CU]
  2. Configuring the BIG-IP system to log to the remote syslog server using TCP protocol [https://support.f5.com/csp/article/K13080#tcpsyslog]
  3. http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup#Configure_iRules_for_LTM

0 Karma

walterk82
Path Finder

You configured port 9515 as the TCP syslog port in Splunk. I would change that back to 9514, as you can have TCP/UDP on the same port number.

0 Karma

damode
Motivator

Actually, I have started receiving logs from LTM-F5 but so far it has only been from udp 9514. No logs have been collected yet from tcp 9515.

0 Karma
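An added check for the situation above (not from the thread and not part of either add-on): it parses the posted inputs.conf stanzas and pushes one constructed syslog line at a listener over UDP or TCP, so the TCP 9515 path can be exercised independently of Splunk. The host, the throwaway listener and the test line are assumptions; point send_test_event at the heavy forwarder's address to test the real input.

```python
import configparser, socket
# Constructed copy of the udp/tcp stanzas posted in the thread.
INPUTS_CONF = """[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
"""
# Constructed line in BSD syslog shape, not a captured BIG-IP message.
TEST_EVENT = "<134>Jan 01 12:00:00 bigip-lab tmm[1234]: constructed test event"
def parse_inputs(text):
    # (proto, port) -> {enabled, sourcetype} for every udp:// and tcp:// stanza
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    inputs = {}
    for section in cp.sections():
        proto, _, port = section.partition("://")
        if proto in ("udp", "tcp") and port.isdigit():
            enabled = cp[section].get("disabled", "0").lower() not in ("1", "true")
            inputs[(proto, int(port))] = {"enabled": enabled, "sourcetype": cp[section].get("sourcetype")}
    return inputs

def send_test_event(host, port, proto, message):
    # Deliver one syslog line over UDP or TCP the way the BIG-IP would; returns bytes sent
    data = (message + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (host, port))
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(data)
    return len(data)

def loopback_check(proto, message=TEST_EVENT):
    # Throwaway listener on 127.0.0.1 standing in for the forwarder input; returns what arrived
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3)
        if proto == "tcp":
            srv.listen(1)
        send_test_event("127.0.0.1", srv.getsockname()[1], proto, message)
        if proto == "udp":
            data = srv.recvfrom(4096)[0]
        else:
            with srv.accept()[0] as conn:
                data = conn.recv(4096)
    return data.decode().strip()
```

If loopback_check passes for tcp but send_test_event aimed at the forwarder's port 9515 never shows up in the index, the forwarder's listener or a firewall between the BIG-IP and that port is the place to look, not the stanza itself.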

damode
Motivator

ok. thanks!

0 Karma