Getting Data In

How do I get syslog from an F5 BIG-IP?

Dan
Splunk Employee

I see the BIG-IP can send syslog for administrative activity. I want to send syslog for all the HTTP requests the load balancer is handling (i.e. a web access log). Is there a way to do that?

1 Solution

Dan
Splunk Employee

You need to specify an iRule. Here's an example - make sure to replace ip.add.re.ss with your Splunk server listening on tcp port 514.

when HTTP_REQUEST {
   #
   # Save Request Side Information
   #
   # Request line is quoted because it contains spaces
   set http_request "\"[HTTP::method] [HTTP::uri] HTTP/[HTTP::version]\""
   set http_request_time [clock clicks -milliseconds]
   # Also quoted (spaces); the original had a stray ']' here
   set http_user_agent "\"[HTTP::header User-Agent]\""
   set http_host [HTTP::host]
   set http_username [HTTP::username]
   set client_ip [IP::remote_addr]
   set client_port [TCP::remote_port]
   set http_request_uri [HTTP::uri]
   set referer [HTTP::header value referer]
}
when HTTP_RESPONSE {
   # A response can be seen without its request (e.g. the iRule was attached
   # mid-connection); reading the unset variables below would raise a Tcl error
   if { ![info exists http_request_time] } { return }
   set response_time [expr { [clock clicks -milliseconds] - $http_request_time }]
   set virtual [virtual]
   set content_length 0
   if { [HTTP::header exists "Content-Length"] } {
      set content_length [HTTP::header "Content-Length"]
   }
   # Empty when no pool member was selected (e.g. the BIG-IP generated the response)
   set lb_server ""
   if { [LB::server addr] ne "" } {
      set lb_server "[LB::server addr]:[LB::server port]"
   }
   set status_code [HTTP::status]
   set content_type [HTTP::header "Content-type"]
   # Build a single key=value line; referer goes last so it need not be quoted
   set log_msg ""
   append log_msg "virtual=$virtual "
   append log_msg "client_ip=$client_ip "
   append log_msg "client_port=$client_port "
   append log_msg "lb_server=$lb_server "
   append log_msg "host=$http_host "
   append log_msg "username=$http_username "
   #append log_msg "$http_request_uri "
   append log_msg "request=$http_request "
   append log_msg "server_status=$status_code "
   #append log_msg "content_type=$content_type "
   append log_msg "content_length=$content_length "
   append log_msg "resp_time=$response_time "
   append log_msg "user_agent=$http_user_agent "
   append log_msg "referer=$referer"
   # Remote syslog host (replace ip.add.re.ss); the log command sends to a
   # remote host over UDP, default port 514
   log ip.add.re.ss local0. $log_msg
   # Alternative: log locally to /var/log/ltm only
#   log local0. $log_msg
}

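The receiving side of the iRule above, as an added example that is not part of the original post: a strict Python parser for the key=value lines the iRule emits, the sort of thing you would use to validate the feed before trusting Splunk field extractions built on it. It assumes the iRule exactly as shown (the two commented-out fields stay commented out), so every line carries the same twelve keys in the same order, only request and user_agent are double-quoted, and referer is always last. The sample lines are constructed for the example; the third one shows why strictness matters: User-Agent and Referer are client-controlled and the iRule does not escape them, so a client can smuggle a quote and a fake key=value pair into the line, and the parser must reject that rather than let it overwrite a real field.

```python
"""Strict parser for the key=value access-log lines the iRule above emits.

Added example, not code from the original post. Assumption: the iRule is used
exactly as shown, so each line has the same twelve keys in the same order.
"""
import re
from typing import Any, Dict, Iterable, List, Tuple

# Field order as the iRule appends it (assumed unchanged from the post).
EXPECTED_KEYS: List[str] = [
    "virtual", "client_ip", "client_port", "lb_server", "host", "username",
    "request", "server_status", "content_length", "resp_time",
    "user_agent", "referer",
]
INT_KEYS = {"client_port", "server_status", "content_length", "resp_time"}
QUOTED_KEYS = {"request", "user_agent"}

# One pair: key, '=', then a double-quoted value or a (possibly empty) run of
# non-space characters, e.g. `username=` for an unauthenticated request.
_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample lines, not real BIG-IP output.
SAMPLE_LINES = [
    # Ordinary request served by a pool member
    'virtual=/Common/vs_www client_ip=203.0.113.7 client_port=51234 lb_server=10.0.0.11:8080 host=www.example.com username= request="GET /index.html?q=1 HTTP/1.1" server_status=200 content_length=5120 resp_time=14 user_agent="Mozilla/5.0 (X11; Linux x86_64)" referer=https://www.example.com/',
    # Response generated by the BIG-IP itself: no pool member, no Referer
    'virtual=/Common/vs_www client_ip=198.51.100.9 client_port=40001 lb_server= host=www.example.com username=alice request="POST /login HTTP/1.1" server_status=302 content_length=0 resp_time=3 user_agent="curl/8.4.0" referer=',
    # Client-supplied User-Agent smuggling a quote and a fake server_status
    'virtual=/Common/vs_www client_ip=192.0.2.44 client_port=33333 lb_server=10.0.0.12:8080 host=www.example.com username= request="GET / HTTP/1.1" server_status=404 content_length=0 resp_time=1 user_agent="evil " server_status=200" referer=',
]


def parse_irule_line(line: str) -> Dict[str, Any]:
    """Parse one line into typed fields.

    Raises ValueError instead of guessing when the line does not match the
    fixed layout: unknown, duplicated or out-of-order keys, an unquoted or
    unterminated request/user_agent value, or a non-numeric counter.
    """
    line = line.rstrip("\r\n")
    fields: Dict[str, Any] = {}
    pos = 0
    while pos < len(line):
        m = _PAIR_RE.match(line, pos)
        if m is None:
            raise ValueError(f"unparseable data at offset {pos}: {line[pos:pos + 40]!r}")
        key, raw = m.group(1), m.group(2)
        if key in fields:
            raise ValueError(f"duplicate key {key!r}")
        expected = EXPECTED_KEYS[len(fields)] if len(fields) < len(EXPECTED_KEYS) else None
        if key != expected:
            raise ValueError(f"unexpected key {key!r} (wanted {expected!r})")
        if key == "referer":
            # Last field by construction: everything to end of line belongs to it.
            raw = line[m.start(2):]
            pos = len(line)
        else:
            pos = m.end()
            if pos < len(line):
                if line[pos] != " ":
                    raise ValueError(f"expected a space at offset {pos}")
                pos += 1
        if key in QUOTED_KEYS:
            if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
                raise ValueError(f"{key} must be a double-quoted value")
            raw = raw[1:-1]
        fields[key] = int(raw) if key in INT_KEYS else raw
    if len(fields) != len(EXPECTED_KEYS):
        raise ValueError(f"expected {len(EXPECTED_KEYS)} fields, got {len(fields)}")
    return fields


def split_request(request: str) -> Tuple[str, str, str]:
    """Split the request value into (method, uri, version).

    The URI may itself contain spaces, so split once from each end
    rather than on every space.
    """
    method, rest = request.split(" ", 1)
    uri, version = rest.rsplit(" ", 1)
    if not version.startswith("HTTP/"):
        raise ValueError(f"unexpected protocol token {version!r}")
    return method, uri, version


def parse_lines(lines: Iterable[str]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Parse many lines; return (records, rejects) so bad lines are kept for review."""
    records: List[Dict[str, Any]] = []
    rejects: List[Tuple[str, str]] = []
    for line in lines:
        try:
            records.append(parse_irule_line(line))
        except ValueError as exc:
            rejects.append((line, str(exc)))
    return records, rejects


if __name__ == "__main__":
    good, bad = parse_lines(SAMPLE_LINES)
    for r in good:
        method, uri, _ = split_request(r["request"])
        print(f'{r["client_ip"]} {method} {uri} -> {r["server_status"]} '
              f'in {r["resp_time"]} ms via {r["lb_server"] or "(local)"}')
    for _, why in bad:
        print("REJECTED:", why)
```

Rejected lines are returned rather than dropped so they can be counted and inspected; a sudden rise in rejects from one client_ip is itself worth an alert.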

cps42
Explorer

HSL logging via iRules is excellent for application traffic, but not for administration traffic, audit logs, and iRule event logging. Also, HSL is only available in BIG-IP v10.0 and newer.

For syslogging administrative activity, you want this (also v10.0 syntax, but it is there in v9 as well, via 'bigpipe syslog' commands).

# tmsh list /sys syslog
sys syslog {
    remote-servers {
        syslog {
            host 10.10.10.2
        }
    }
}

Note that if you use a syslog server via your OOB management network interface, you will be able to log messages during software upgrades, or during failsafe events, where the application network is not available. However, your System logs will then come from the management interface address, and your HSL logs will come from a different address.

Also note that in any event, both members of an HA pair will syslog as their own device IP addresses, and will not use the floating address to send logs. HSL logging has a method for specifying the address that the message should come from, so an HA pair logs as the same address.

Cheers~

Casey

F5 IT Network Engineer

Dan
Splunk Employee

If you need to distribute the iRule output to multiple Splunk servers (distributed environment), you need to be on BIG-IP v10.1. F5 introduced the HSL command to support High Speed Logging. It allows the use of a pool (a group of log servers) as the destination and also lets you specify whether to use TCP or UDP.

Replace the "log ip.add.re.ss ..." line in the last iRule example with the following:

   HSL::send [HSL::open -proto TCP -pool mypool] $log_msg
