
Why is the Splunk Add-on for F5 BIG-IP not separating sourcetypes as expected?

jonesnadiam
Path Finder

Has anyone had issues with the Splunk Add-on for F5 BIG-IP setting/separating the sourcetypes?
According to the documentation, if the sourcetype is set to f5:bigip:syslog, the data should be separated into its specific sourcetypes (f5:bigip:apm:syslog, f5:bigip:asm:syslog, f5:bigip:icontrol, etc.), but all of our sourcetypes are still coming in as f5:bigip:syslog.

Is there anything specific that I need to change in the configuration files so that these sourcetypes are automatically updated?

Thanks.

youngsuh
Communicator

We're having the same issue with the F5 add-on. The problem is the add-on, because if you don't use the add-on the event breaking works with 8.2 just fine. The sub sourcetype [f5:bigip:apm:syslog] works fine. The root sourcetype [f5:bigip:syslog] isn't parsing correctly for the TCP stream or syslog format.

BSD_format.txt
Event 1:
May 17 23:33:58 %masked_host% apmd[13742]: 01490115:5: /Common/fs.training.np2.navy.mil_modern:Common:cbd11dc1: Following rule 'CAC' from item 'Logon Authentication Type Switch' to terminalout 'CAC'

Event 2:
May 17 23:34:01 %masked_host% /Common/fs.training.np2.navy.mil_modern: Common:cbd11dc1: iRule access_policy_default CLIENTSSL_CLIENTCERT | DEBUG | Got 2 certs ||

We had our F5 SME provide two different formats that are configurable on the F5 appliance.
Here is the line break used by the TA:
[f5:bigip:syslog]
LINE_BREAKER = ([\r\n]+)(.*)(f5_irule|[^"]f5_asm|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:|( debug | info | warning | err | notice | alert | crit | emerg ))

Fails to parse the above two events.

Splunk_format.txt
Fails to line break for all the events.
[f5:bigip:syslog]
LINE_BREAKER = ([\r\n]+)(.*)(f5_irule|[^"]f5_asm|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:|( debug | info | warning | err | notice | alert | crit | emerg ))

Were you able to make progress? 

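An added check, not code from any post in this thread or from the add-on, that runs the LINE_BREAKER quoted above over the two sample events so you can see where the breaker would fire before editing props.conf. It assumes Splunk's documented LINE_BREAKER rule (the first capturing group marks the boundary and is discarded); the events are the two from the post, host still masked.

```python
import re

# LINE_BREAKER from the add-on's [f5:bigip:syslog] props.conf stanza, exactly as quoted above.
LINE_BREAKER = re.compile(
    r'([\r\n]+)(.*)(f5_irule|[^"]f5_asm'
    r'|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:'
    r'|( debug | info | warning | err | notice | alert | crit | emerg ))'
)

# The two sample events from the post (host name masked as in the original).
EVENT_1 = ("May 17 23:33:58 %masked_host% apmd[13742]: 01490115:5: "
           "/Common/fs.training.np2.navy.mil_modern:Common:cbd11dc1: Following rule 'CAC' "
           "from item 'Logon Authentication Type Switch' to terminalout 'CAC'")
EVENT_2 = ("May 17 23:34:01 %masked_host% /Common/fs.training.np2.navy.mil_modern: "
           "Common:cbd11dc1: iRule access_policy_default CLIENTSSL_CLIENTCERT | DEBUG | "
           "Got 2 certs ||")


def line_matches_breaker(line: str) -> bool:
    """True if the breaker fires on this line when it follows a newline in the stream.
    Only event 1 matches: it carries the '01490115:5: ... cbd11dc1:' header shape that the
    third alternative looks for. Event 2 has no f5_irule/f5_asm marker, no such header,
    and its 'DEBUG' is upper case while the severity alternative is lower case (the regex
    is case-sensitive as written), so no boundary is placed in front of it.
    """
    return LINE_BREAKER.match("\n" + line) is not None


def split_events(stream: str) -> list[str]:
    """Split a raw stream the way Splunk applies LINE_BREAKER (assumption: the documented
    rule that text matched by the first capturing group is discarded, the previous event
    ends at its start and the next event starts at its end)."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(stream):
        if m.start(1) > start:
            events.append(stream[start:m.start(1)])
        start = m.end(1)
    tail = stream[start:].strip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for name, ev in (("event 1", EVENT_1), ("event 2", EVENT_2)):
        print(f"{name}: breaker fires = {line_matches_breaker(ev)}")
    # Both events in one stream collapse into a single event: nothing in event 2 lets
    # the breaker place a boundary in front of it, so it is glued onto event 1.
    merged = split_events("\n" + EVENT_1 + "\n" + EVENT_2 + "\n")
    print(f"events after breaking: {len(merged)}")
```

Swap in your own raw samples (one event per line) to confirm which lines the breaker recognises before changing the stanza.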

ianbow_concur
New Member

You need to make sure the TA is installed on the indexer or heavy forwarder if you are using them. Due to the line breaks etc., a universal forwarder will not expand the events in the transforms to give you the expanded sourcetypes.


wojtek_emca
New Member

This could happen if the F5 is not configured well (the log format it sends).

Should be like this:
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

Regards,
Wojtek


hungpham
Explorer

Hmm, I got the same problem, Splunk is not separating sourcetypes.
I tried following http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup but Splunk only receives syslog audit.

sirajnp
Explorer

Hi,

Got the same problem here. The add-on cannot extract fields for ASM audit events.

Sourcetype: f5:bigip:syslog
Port: udp:9514

Have you guys gotten through this issue?

pvuong
Explorer

Hello,
Did you get any answer to this question? I have the same problem for all my F5 BIG-IP logs.
