What are the benefits of using the F5 Networks - LTM App Splunk Add-on for F5 BIG-IP to log F5 LTM data?

damode
Motivator

In order to collect logs from F5-LTM, do we need to install both the F5 Networks - LTM App and the Splunk Add-on for F5 BIG-IP, or will either one do?

0 Karma

walterk82
Path Finder

I believe that the Add-On is a superset of the individual parts. The Add-On also has additional capabilities to collect metrics through iControl APIs.

0 Karma

walterk82
Path Finder

Additionally, the Add-On provides the CIM model to use with the Splunk stack products like ITSI or ES.

0 Karma

damode
Motivator

Hi @walterk82

Thanks for your input.

So, does that mean it is advisable to install both the F5 Networks - LTM App and the Splunk Add-on for F5 BIG-IP to get LTM-F5 logs?

Because nowhere does the documentation state that both the app and the add-on need to be installed.

0 Karma

walterk82
Path Finder

I haven't installed just the LTM App, but I would advise against it. Focus only on the Add-On.

0 Karma

damode
Motivator

So you recommend installing only the add-on?

0 Karma

walterk82
Path Finder

Yes, that is correct.

0 Karma

damode
Motivator

Hi @walterk82, I installed the F5 Networks - LTM App as well to get its visualisation and dashboard capabilities.

For this, I have used the same inputs.conf (given below) of the Add-on for BIG-IP within the App. However, there is still no data getting populated within the App.

[udp://9514]
index = main
sourcetype = f5:bigip:syslog
disabled = 0

Can you please advise if there is a workaround for this?

0 Karma

damode
Motivator

Hi @walterk82,

If I just need to collect logs from LTM, is configuring just the UDP and TCP inputs enough, rather than the modular inputs of the add-on?

0 Karma

walterk82
Path Finder

Correct again.

0 Karma

damode
Motivator

Hi @walterk82,

When I had set UDP port 9514 with sourcetype syslog on my Heavy Forwarder, it accepted all F5 logs; however, when I configured the inputs as shown below,

[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

I stopped receiving any logs from F5. Please help me with this.

0 Karma

walterk82
Path Finder

What is the SPL or search command you used to find the events? Also, what is your indexing topology? That syntax is what I use. How did you configure the F5 side?

0 Karma

damode
Motivator

Just by the sourcetype, which at that time was syslog. Then I configured it as mentioned above. That is when I stopped getting any logs.

There is an S.H (add-on installed with visibility OFF), an Indexer (no add-on) and a Heavy Forwarder (add-on installed with visibility ON and configured as shown above).

Configured F5 according to the Splunk docs:

  1. Add a remote syslog server using the Configuration utility [https://support.f5.com/csp/article/K13080#CU]
  2. Configuring the BIG-IP system to log to the remote syslog server using TCP protocol [https://support.f5.com/csp/article/K13080#tcpsyslog]
  3. http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup#Configure_iRules_for_LTM

0 Karma

walterk82
Path Finder

You configured port 9515 as the TCP syslog port in Splunk. I would change that back to 9514, as you can have TCP/UDP on the same port number.

0 Karma

damode
Motivator

Actually, I have started receiving logs from LTM-F5 but so far it has only been from udp 9514. No logs have been collected yet from tcp 9515.

0 Karma

damode
Motivator

OK. Thanks!

0 Karma