Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP


Obtain syslog data for the Splunk Add-on for F5 BIG-IP

The best method for getting syslog data into the Splunk platform for production deployments is Splunk Connect for Syslog. This solution provides improved simplicity and scalability, among other benefits. For more information, see Splunk Connect for Syslog.

The Splunk Add-on for F5 BIG-IP collects APM logs and system events (package filter events, audit configuration events, local and global traffic events, and application traffic data) from F5 BIG-IP servers, sent from HSL via iRules and from system logs, over the network on UDP port 9514. The add-on also collects logs from ASM over the network on TCP port 9515.

Manually enable UDP and TCP inputs

You can also use the following manual configuration in development environments. The network inputs use the source type f5:bigip:syslog. At index time, the add-on separates the data into more specific source types.

The ports used by the add-on must match the ports you specified when you configured F5 BIG-IP for logging. You must enable these inputs either by using Splunk Web on your heavy forwarder or by manually editing the inputs.conf file.

To manually enable the UDP and TCP inputs in inputs.conf:

  1. Create an inputs.conf file in the add-on local folder.
    • $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local on Unix-based systems.
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_f5-bigip\local on Windows systems.
  2. Copy the following two stanzas into your local inputs.conf file:
    [udp://9514]
    disabled = false
    connection_host=ip
    sourcetype = f5:bigip:syslog
    
    [tcp://9515]
    disabled = false
    connection_host=ip
    sourcetype = f5:bigip:syslog
    
  3. Change the values for [udp://9514] and [tcp://9515] to custom port numbers if you used different ports on your F5 server.
  4. Restart the Splunk platform.
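
The following check is an added example, not part of the add-on or the original documentation. It parses the text of a local inputs.conf and reports where the F5 syslog stanzas deviate from step 2; the function name `check_inputs` and the `ports` parameter are hypothetical, and only the plain `[udp://<port>]` / `[tcp://<port>]` stanza form is handled.

```python
import configparser

SOURCETYPE = "f5:bigip:syslog"
PAGE_PORTS = {"udp": 9514, "tcp": 9515}  # ports used in the page's stanzas

# Constructed sample: the two stanzas from step 2, unindented as in the file.
PAGE_CONF = """\
[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
"""


def check_inputs(conf_text, ports=PAGE_PORTS):
    """Return a list of findings for the F5 syslog inputs in inputs.conf text.

    `ports` maps protocol to the port configured on the BIG-IP side (step 3).
    """
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)

    findings = []
    for proto, port in ports.items():
        stanza = f"{proto}://{port}"
        if not cp.has_section(stanza):
            findings.append(f"[{stanza}] missing")
            continue
        settings = cp[stanza]
        # The local file must enable the input explicitly, as the page does.
        if settings.get("disabled", "").strip().lower() not in ("false", "0"):
            findings.append(f"[{stanza}] does not set disabled = false")
        if settings.get("sourcetype", "").strip() != SOURCETYPE:
            findings.append(f"[{stanza}] sourcetype is not {SOURCETYPE}")
        if settings.get("connection_host", "").strip() != "ip":
            findings.append(f"[{stanza}] connection_host is not ip")
    return findings


if __name__ == "__main__":
    print(check_inputs(PAGE_CONF) or "inputs match the documented stanzas")
```

Pass the ports you configured on the BIG-IP as `ports` if you changed them in step 3; a "missing" finding then points to a port mismatch between the two sides.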

Enable UDP and TCP inputs using Splunk Web

To enable the UDP and TCP ports in Splunk Web:

  1. Log in to Splunk Web on your data collection node.
  2. Navigate to Settings > Data inputs.

To collect data using TCP:

  1. Click TCP then click New Local TCP in the top-right corner.
  2. Enter 9515 in the Port field and click Next.
  3. Select f5:bigip:syslog as the Source Type.
  4. Select Splunk Add-on for F5 BIG-IP (Splunk_TA_f5-bigip) as the App Context.
  5. Select IP as the Method and click Review.
  6. Click Submit.

To collect data using UDP:

  1. Click UDP then click New Local UDP in the top-right corner.
  2. Enter 9514 in the Port field and click Next.
  3. Select f5:bigip:syslog as the Source Type.
  4. Select Splunk Add-on for F5 BIG-IP (Splunk_TA_f5-bigip) as the App Context.
  5. Select IP as the Method and click Review.
  6. Click Submit.

Note: If you configured different port numbers on the F5 BIG-IP server, then enter the custom port numbers as shown above.

You do not need to restart the Splunk platform if you make these configuration changes in Splunk Web.

Last modified on 19 December, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released

