Missing F5 Logs

IZ88
Path Finder

Hello fellow Splunkers,

It was brought to my attention from our F5 system manager that some logs from F5 are missing in Splunk. Once every few logs sent (and there are a lot of them) it appears that a log or two just disappear and are not indexed.

To ingest the logs we installed the F5 add-on on our HF and configured both ends (F5 and Splunk) according to the documentation at docs.splunk.com

Does anyone have any idea what can cause this?

We're using Splunk Enterprise 8.0.7 and the Splunk Add-On for F5 4.0.1


Thanks

0 Karma

PickleRick
SplunkTrust

Unfortunately, syslog is typically not a very reliable method of log relaying. Your best bet to find out where the logs are getting lost (is it on the source side or the receiving side?) would be to run a tcpdump on the network stream between F5 and your Splunk component receiving the syslog data and check whether the "missing" events are there (which would mean that indeed they are probably lost on Splunk's side) or aren't (which would mean that for some reason the events were not sent from the F5 at all).

0 Karma
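The check described above (capture on the wire, then see whether the "missing" events ever reached the HF) is easier to do systematically than by eye when there are thousands of events. The script below is an added example, not code from the thread or from the Splunk Add-on for F5. It assumes two text exports with one syslog message per line: the payloads extracted from the tcpdump taken on the HF, and the `_raw` of the matching events exported from a Splunk search. The file names, the F5 host name and the sample lines are constructed for the example.

```python
"""Reconcile syslog events seen on the wire with the events Splunk indexed.

Added example, not from the thread. Assumes two text exports, one message
per line (names are placeholders):
  - wire.txt:    syslog payloads extracted from the pcap taken on the HF
  - indexed.txt: _raw of the matching events exported from a Splunk search
The constructed sample data below stands in for both files.
"""
import hashlib
import re
from collections import Counter

# RFC 3164 style line as a BIG-IP emits it: <PRI>Mon dd hh:mm:ss host proc[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


def event_key(line):
    """Normalise one syslog line to a stable key.

    The <PRI> header and surrounding whitespace are dropped because the
    capture keeps the raw frame while Splunk may strip or rewrite them;
    timestamp + host + message body is what identifies an event.
    """
    line = line.strip()
    m = SYSLOG_RE.match(line)
    body = line if not m else f"{m['ts']} {m['host']} {m['msg'].strip()}"
    return hashlib.sha256(body.encode("utf-8", "replace")).hexdigest()


def reconcile(wire_lines, indexed_lines):
    """Compare the two exports.

    Returns (missing, extra): lists of (line, wire_count, indexed_count) for
    events seen more often on the wire than in the index, and the reverse.
    Counting instead of a plain set difference catches the case where an
    identical event was sent twice but indexed once.
    """
    def tally(lines):
        counts, sample = Counter(), {}
        for raw in (l.strip() for l in lines):
            if not raw:
                continue
            k = event_key(raw)
            counts[k] += 1
            sample.setdefault(k, raw)
        return counts, sample

    wire_count, wire_sample = tally(wire_lines)
    idx_count, idx_sample = tally(indexed_lines)
    missing = [(wire_sample[k], n, idx_count.get(k, 0))
               for k, n in wire_count.items() if n > idx_count.get(k, 0)]
    extra = [(idx_sample[k], wire_count.get(k, 0), n)
             for k, n in idx_count.items() if n > wire_count.get(k, 0)]
    return missing, extra


# Constructed sample: four events on the wire (the last one sent twice)...
WIRE = """\
<134>Dec 10 09:15:01 bigip1.example.net tmm[1234]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.5:51234 -> 10.0.0.10:443
<134>Dec 10 09:15:01 bigip1.example.net tmm[1234]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.6:51235 -> 10.0.0.10:443
<134>Dec 10 09:15:02 bigip1.example.net tmm1[1235]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.7:51236 -> 10.0.0.10:443
<134>Dec 10 09:15:02 bigip1.example.net tmm1[1235]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.7:51236 -> 10.0.0.10:443
"""
# ...and what the index holds: Splunk stripped the <PRI>, one event never
# arrived, and the duplicated one was indexed only once.
INDEXED = """\
Dec 10 09:15:01 bigip1.example.net tmm[1234]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.5:51234 -> 10.0.0.10:443
Dec 10 09:15:02 bigip1.example.net tmm1[1235]: Rule /Common/log_all <CLIENT_ACCEPTED>: 10.0.0.7:51236 -> 10.0.0.10:443
"""

if __name__ == "__main__":
    missing, extra = reconcile(WIRE.splitlines(), INDEXED.splitlines())
    for line, on_wire, indexed in missing:
        print(f"MISSING (wire={on_wire}, indexed={indexed}): {line}")
    for line, on_wire, indexed in extra:
        print(f"EXTRA   (wire={on_wire}, indexed={indexed}): {line}")
```

Run it against the real exports by reading the two files into `reconcile()` instead of the constructed strings. If the capture shows the events and the index does not, the loss is between the HF's TCP input and the indexer; if the events are absent from the capture as well, the F5 side never sent them, which is the distinction the answer above is after.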

IZ88
Path Finder

Thanks @PickleRick 

I've tried to check where the data disappears.

When looking at the PCAP file from the HF I can see the event, but when searching for it I cannot find it.

Any idea how I can solve it or perhaps an idea for workaround?

0 Karma

PickleRick
SplunkTrust

Are you receiving events directly by tcp/udp input (which one?) on HF?

Do you see any errors on this HF?

0 Karma

IZ88
Path Finder

I'm receiving TCP events directly from other sources as well, and the majority of them are not missing events.

The only other source that shows the same behavior is ArcSight, but the issue there (according to our support vendor) is that ArcSight sends too much data over one port and syslog-ng can't handle the load, which might explain the occasional missing logs.

F5 logs are configured as TCP input directly and are not being ingested by syslog-ng.

0 Karma

PickleRick
SplunkTrust

Receiving data directly on Splunk's TCP and UDP inputs is not the recommended way to go. But you can try tweaking the queueSize and persistentQueueSize parameters. Might help. But then again - might not.
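Before changing queueSize or persistentQueueSize it is worth confirming that a queue on the HF is actually filling up, which also answers the earlier question about errors on the HF. splunkd writes a `group=queue` line per queue to `$SPLUNK_HOME/var/log/splunk/metrics.log` every sampling interval, and a `blocked=true` attribute appears when a queue is refusing input. The script below is an added example, not code from the thread or from Splunk; it parses those lines and reports which queues blocked or ran near capacity. The metrics lines, timestamps and queue sizes are constructed for the example.

```python
"""Spot blocked or saturated pipeline queues in a heavy forwarder's metrics.log.

Added example, not from the thread. Works on the group=queue lines that
splunkd writes to $SPLUNK_HOME/var/log/splunk/metrics.log; the sample lines
below are constructed for the example.
"""
import re
from collections import defaultdict

# e.g. "12-10-2024 09:15:00.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, ..."
QUEUE_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"INFO\s+Metrics - group=queue, (?P<kv>.*)$"
)


def parse_queue_line(line):
    """Return the key=value fields of one group=queue line, or None for other lines."""
    m = QUEUE_LINE.match(line.strip())
    if not m:
        return None
    fields = {"_time": m["ts"]}
    for pair in m["kv"].split(", "):
        k, _, v = pair.partition("=")
        fields[k] = v
    return fields


def queue_health(lines, fill_threshold=0.9):
    """Aggregate per queue: samples seen, times blocked, times >= threshold full, peak fill."""
    stats = defaultdict(lambda: {"samples": 0, "blocked": 0,
                                 "saturated": 0, "peak_fill": 0.0})
    for line in lines:
        f = parse_queue_line(line)
        if f is None or "name" not in f:
            continue
        s = stats[f["name"]]
        s["samples"] += 1
        if f.get("blocked") == "true":
            s["blocked"] += 1
        try:
            fill = int(f["current_size_kb"]) / int(f["max_size_kb"])
        except (KeyError, ValueError, ZeroDivisionError):
            continue
        s["peak_fill"] = max(s["peak_fill"], fill)
        if fill >= fill_threshold:
            s["saturated"] += 1
    return dict(stats)


def troubled_queues(stats):
    """Names of queues that blocked or ran near capacity at least once, sorted."""
    return sorted(n for n, s in stats.items() if s["blocked"] or s["saturated"])


# Constructed sample: one interval with the aggregation queue blocked and the
# parsing queue almost full, a later interval where both have drained, and an
# unrelated thruput line that the parser must ignore.
METRICS = """\
12-10-2024 09:15:00.123 +0000 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=12, current_size=40, largest_size=120, smallest_size=0
12-10-2024 09:15:00.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=6140, current_size=9800, largest_size=9800, smallest_size=0
12-10-2024 09:15:00.123 +0000 INFO  Metrics - group=queue, name=aggqueue, blocked=true, max_size_kb=1024, current_size_kb=1024, current_size=2000, largest_size=2000, smallest_size=200
12-10-2024 09:15:31.456 +0000 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=33, smallest_size=0
12-10-2024 09:15:31.456 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=300, current_size=500, largest_size=9800, smallest_size=100
12-10-2024 09:15:31.456 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1200.5, instantaneous_eps=900.0, average_kbps=1100.1, total_k_processed=99000, kb=36015, ev=27000
"""

if __name__ == "__main__":
    health = queue_health(METRICS.splitlines())
    for name in troubled_queues(health):
        s = health[name]
        print(f"{name}: blocked {s['blocked']}/{s['samples']} samples, "
              f"near-full {s['saturated']}/{s['samples']}, peak fill {s['peak_fill']:.0%}")
```

The same check can be run inside Splunk with `index=_internal source=*metrics.log group=queue blocked=true` on the HF. If the blocked queue is downstream of the TCP input (parsing, aggregation, or the output queue towards the indexers), a larger in-memory `queueSize` or a disk-backed `persistentQueueSize` in the `[tcp://<port>]` stanza of inputs.conf only buffers a burst; a sustained rate mismatch still ends in drops once the buffer fills, so the downstream bottleneck is what needs fixing.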

IZ88
Path Finder

Hi @PickleRick 

Thank you.

I asked the F5 system manager to contact them and see if maybe there's a problem on F5's side.

0 Karma