Getting Data In

splunk for F5 app: getting data to splunk

jbanda
Path Finder

I installed the splunk for F5 app, and I'm trying to figure out how to get data from our 2 LTMs running ASM into splunk in a format that's useable by this app. The splunk server I'm using is at 4.1.3, and has a "generic" syslog data input on port 514 that I'm using to send syslog events from a few devices to splunk.

Splunk seems to be receiving syslog input from our LTM units just fine. However, it seems that this app expects data in a different format.

Looking at another question posted to splunk (http://answers.splunk.com/questions/3925/splunk-for-f5-data-input-method), I see the inputs.conf from $SPLUNK_HOME/etc/apps/SplunkforF5/local is referenced, and looking at that file on our own splunk install, I'm not sure how it is expecting data. The first few sections there look like this:

[tcp://9998]
sourcetype = asm_log

[monitor:///home/sheyda/SplunkData/asm_full_dos]
disabled = 1
host = sheyda-laptop
host_regex =
[tcp://9998]
sourcetype = asm_log

I'm still trying to fully grasp splunk, but the way it reads to me (and please correct me if I'm wrong), its expecting a data input on the splunk server to be configured on port 9998, of type asm_log. I'm not quite sure I understand this part, as it seems to me that it expects some type of Splunk Light Forwarder on the LTM units to forward data to port 9998 on our splunk server. Is using the SplunkLightForwarder directly on our LTM units really a "recommended" way of getting data using this method?

The next line seems to be looking at the file "/home/sheyda/SplunkData/asm_full_dos", however, I'm not sure how that file gets there, or what that file really is. I'm guessing this is equivalent to the /var/log/asm file on our LTM units, but I can't be 100% sure. If this is true, where is it expecting this? On the splunk server? Is this type of method expecting some automated job to be copying the /var/log/asm (and /var/log/ltm) log files from our LTM units onto the splunk server to be processed? This seems, in my limited knowledge, contradictory to the first part that contains the input on 9998, but I'm not sure if that's meant to be used as an alternative. If it is, it doesn't seem very "real time".

There was also a suggestion on http://answers.splunk.com/questions/3925/splunk-for-f5-data-input-method at the bottom to make the source type of the syslog input to something asm/ltm/firepass related. This makes sense, but wouldn't that mean I couldn't use the syslog input for anything else BUT asm/ltm/firepass, and even then, only one of the 3 at that?

I feel like I'm missing something painfully obvious (and in all likelyhood, I am), so can someone help explain the "proper" way of getting data from our LTM units that can be used by the SplunkforF5 app?

Tags (3)
1 Solution

cps42
Explorer

Justin -

Take a look at the F5 Admin Guide for ASM [1] for Configuring logging profiles for web application data. You'll see that you are able to specify the destination and port for your ASM logs here. This is different than the Syslog configuration of the local TMOS appliance.

[1] http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_sys_m...

View solution in original post

cps42
Explorer

Justin -

Take a look at the F5 Admin Guide for ASM [1] for Configuring logging profiles for web application data. You'll see that you are able to specify the destination and port for your ASM logs here. This is different than the Syslog configuration of the local TMOS appliance.

[1] http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_sys_m...

jbanda
Path Finder

Thanks, I actually hadn't looked at it from the asm point of view. I was focused on the ltm piece, but I see what you are referring to. I'll give it a try, although I'd still like to have splunk process both asm and ltm logs.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...