Prepare F5 servers for Telemetry Streaming
To prepare F5 servers for Telemetry Streaming:
- Set up the Telemetry Streaming Consumer.
- Forward F5 BIG-IP logs to Splunk.
- Use version 13.1 or later of F5 BIG-IP. Telemetry Streaming is only compatible with F5 BIG-IP version 13.1 or later.
Access the F5 documentation for examples of the SystemInfo data you'll receive when using Telemetry Streaming.
Set up Telemetry Streaming Consumer
- Create an HEC input on your Splunk instance: https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/UsetheHTTPEventCollector
- Install the Telemetry Streaming package on F5 BIG-IP. For more information, see the F5 BIG-IP documentation.
- Enter this declaration in your API client for the F5 BIG-IP Telemetry Streaming configuration request.
JSON data for the Telemetry Streaming configuration:

```json
{
  "class": "Telemetry",
  "My_System": {
    "class": "Telemetry_System",
    "systemPoller": {
      "interval": <INTERVAL>
    }
  },
  "My_Listener": {
    "class": "Telemetry_Listener",
    "port": 6514
  },
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "Splunk",
    "host": "<Splunk_IP>",
    "protocol": "http",
    "port": 8088,
    "passphrase": {
      "cipherText": "<HEC_TOKEN>"
    },
    "allowSelfSignedCert": "true"
  }
}
```
Note: Setting "allowSelfSignedCert": "true" allows the F5 server to stream data to Splunk over an insecure connection. However, if the user has their own certificates in the CA store, the connection from the F5 server to Splunk will be secured using those certificates, so it is not necessary to disable the global EnableSSL setting for HEC.
As you enter this data:
- Replace <INTERVAL> with the actual data collection interval value, for example 60.
- Replace <HEC_TOKEN> with the token value of the HEC input created at step 1.
- Use 6514 as the local Telemetry Streaming listener port.
- Replace <Splunk_IP> with the IP address of the Splunk instance where the events should be collected.
- Enter 255.255.255.254 as the virtual server IP address to configure logging using either AS3 or TMSH.
Splunk should start receiving SystemInfo data after these steps.
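Before sending the declaration above, it is worth rendering it from the placeholders programmatically and checking it. The following is an added example, not Splunk or F5 code: it fills in <INTERVAL> (the systemPoller interval in seconds), <Splunk_IP> and <HEC_TOKEN>, reports anything a reviewer would flag (unreplaced placeholders, the plain-HTTP consumer, allowSelfSignedCert, a token that is not a GUID), and builds the request for the Telemetry Streaming declare endpoint (https://<BIG-IP>/mgmt/shared/telemetry/declare, per F5's TS documentation). The minimum interval of 60 seconds enforced here is an assumption taken from the TS schema; the sample IP, token and BIG-IP hostname are constructed.

```python
"""Render and audit the Telemetry Streaming declaration from this page.
Added example, not part of the Splunk add-on or of F5 Telemetry Streaming."""
from __future__ import annotations
import copy
import ipaddress
import json
import re
import uuid

# The declaration exactly as the page gives it; placeholders are filled by
# render_declaration(). allowSelfSignedCert is kept as the page writes it.
TEMPLATE = {
    "class": "Telemetry",
    "My_System": {
        "class": "Telemetry_System",
        "systemPoller": {"interval": "<INTERVAL>"},
    },
    "My_Listener": {"class": "Telemetry_Listener", "port": 6514},
    "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Splunk",
        "host": "<Splunk_IP>",
        "protocol": "http",
        "port": 8088,
        "passphrase": {"cipherText": "<HEC_TOKEN>"},
        "allowSelfSignedCert": "true",
    },
}

PLACEHOLDER_RE = re.compile(r"^<[A-Za-z_]+>$")


def render_declaration(interval: int, splunk_ip: str, hec_token: str) -> dict:
    """Return a copy of TEMPLATE with the three placeholders filled in."""
    if not isinstance(interval, int) or interval < 60:
        # Assumption: TS rejects systemPoller intervals below 60 seconds.
        raise ValueError("interval must be an integer number of seconds >= 60")
    ipaddress.ip_address(splunk_ip)  # the page calls for an IP; raises on garbage
    decl = copy.deepcopy(TEMPLATE)
    decl["My_System"]["systemPoller"]["interval"] = interval
    decl["My_Consumer"]["host"] = splunk_ip
    decl["My_Consumer"]["passphrase"]["cipherText"] = hec_token
    return decl


def find_placeholders(node, path: str = "") -> list[str]:
    """Walk the declaration and return dotted paths of values still set to <...>."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, str) and PLACEHOLDER_RE.match(node):
        hits.append(path)
    return hits


def audit_declaration(decl: dict) -> list[str]:
    """Return the findings a reviewer would raise before deploying this declaration."""
    findings = [f"unreplaced placeholder at {p}" for p in find_placeholders(decl)]
    consumer = decl["My_Consumer"]
    if consumer.get("protocol") != "https":
        findings.append("consumer protocol is http: the HEC token and all telemetry "
                        "travel to Splunk in cleartext")
    if str(consumer.get("allowSelfSignedCert", "false")).lower() == "true":
        findings.append("allowSelfSignedCert is true: the Splunk HEC certificate is "
                        "not verified, so the stream can be intercepted on the path")
    try:
        uuid.UUID(consumer["passphrase"]["cipherText"])
    except ValueError:
        findings.append("HEC token is not a GUID; Splunk issues HEC tokens as GUIDs, "
                        "so check for a copy error")
    return findings


def declare_request(bigip_host: str, decl: dict) -> tuple[str, str]:
    """Build the POST target and JSON body for the TS declare endpoint.
    Actually sending it (with BIG-IP credentials) is left to the caller."""
    url = f"https://{bigip_host}/mgmt/shared/telemetry/declare"
    return url, json.dumps(decl, indent=2)


if __name__ == "__main__":
    # Constructed sample values, not real infrastructure.
    decl = render_declaration(60, "10.0.0.5", "12345678-1234-1234-1234-123456789abc")
    for finding in audit_declaration(decl):
        print("FINDING:", finding)
    url, body = declare_request("bigip.example.net", decl)
    print("POST", url)
    print(body)
```

Run it once against the unrendered TEMPLATE to see the placeholder findings, then against the rendered declaration; the two findings that remain for the page's declaration (plain HTTP and allowSelfSignedCert) are the ones to weigh against the note above before the stream goes live.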
Forward F5 BIG-IP logs to Splunk
- Configure the remote server from System > Logs > Configuration > Remote Logging. Example: Remote IP: 127.0.0.1 and Remote Port: 6514
Forward F5 BIG-IP LTM network traffic events to Splunk
- Create an iRule and copy the iRule definition provided in the Splunk_HTTP_TS example in the table below into the Definition section of the new iRule.
- Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send events to the Splunk platform.
- Add the newly created iRule to the list of resources managed by this virtual server.
Field | Value
---|---
Name | Splunk_HTTP_TS
Definition | The iRule listed below this table

```tcl
# Capture client and virtual-server addresses as soon as the TCP connection is accepted.
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
# Record request-side fields; they are sent with the response or on LB failure.
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
# Add response-side fields and send the full event over HSL to the "telemetry" pool
# (the pool that points at the Telemetry Streaming listener).
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\",res_start_time=\"$res_start_time\",node=\"$node\",node_port=\"$node_port\",http_status=\"$http_status\",req_elapsed_time=\"$req_elapsed_time\",bytes_out=\"$res_length\""
}
# No pool member could be selected: send the request-side fields only.
when LB_FAILED {
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\""
}
```
Forward F5 BIG-IP ASM events to Splunk
Configure F5 Logging Profiles for ASM using the details below. If you are already collecting the LTM data, then don't select All requests for the Request Type, as LTM already logs all the network traffic events.
Field | Value
---|---
Storage Format | attack_type="%attack_type%",date_time="%date_time%",dest_ip="%dest_ip%",dest_port="%dest_port%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client="%ip_client%",ip_route_domain="%ip_with_route_domain%",is_trunct="%is_truncated%",manage_ip_addr="%management_ip_address%",method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
Protocol | TCP
Server Addresses | The address of the server and the port: 255.255.255.254:6514
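Both the Splunk_HTTP_TS iRule (HTTP_RESPONSE and LB_FAILED messages) and the ASM Storage Format above emit one key="value" pair per field, comma separated, and neither escapes a double quote that appears inside a value (a User-Agent, a header dump). The parser below is an added example, not Splunk or F5 code: it extracts the fields, converts the numeric ones, tells the three message shapes on this page apart by the keys present (LB_FAILED messages stop at bytes_in, ASM messages carry support_id), and re-serialises the parsed pairs to detect a line whose values were truncated by an unescaped quote. The sample lines are constructed from the field names on this page.

```python
"""Parse the key="value" lines sent to the Telemetry Streaming listener by the
Splunk_HTTP_TS iRule and the ASM logging profile. Added example, not vendor code."""
from __future__ import annotations
import re

# One key="value" pair. The value runs to the next double quote because neither
# the iRule nor the ASM Storage Format escapes quotes inside values.
PAIR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')

# Fields that are numbers in the iRule / Storage Format; everything else stays a string.
NUMERIC_FIELDS = {"bytes_in", "bytes_out", "node_port", "http_status",
                  "req_elapsed_time", "dest_port", "src_port", "resp_code"}


def parse_kv_line(line: str) -> tuple[dict, bool]:
    """Parse one line into a field dict.

    The second return value is False when re-serialising the parsed pairs does
    not reproduce the input, i.e. the line carried a quote or stray text the
    format cannot represent and at least one value was truncated."""
    line = line.strip()
    pairs = PAIR_RE.findall(line)
    fields: dict = {}
    for key, value in pairs:
        fields[key] = int(value) if key in NUMERIC_FIELDS and value.isdigit() else value
    rebuilt = ",".join(f'{k}="{v}"' for k, v in pairs)
    return fields, rebuilt == line


def classify(fields: dict) -> str:
    """Tell the message shapes on this page apart by the keys present."""
    if "support_id" in fields:
        return "asm"
    if "src_ip" in fields and "vip" in fields:
        # LB_FAILED messages carry no response-side fields (node, http_status, ...)
        return "ltm_http" if "node" in fields else "ltm_lb_failed"
    return "unknown"


# Constructed sample lines (RFC 5737 addresses, invented values).
LTM_OK = (
    'src_ip="192.0.2.10",vip="198.51.100.5",http_method="GET",'
    'http_host="www.example.com:443",http_uri="/login",http_url="www.example.com:443/login",'
    'http_version="1.1",http_user_agent="Mozilla/5.0 (X11; Linux x86_64)",'
    'http_content_type="",http_referrer="",req_start_time="2024/01/15 10:00:00",'
    'cookie="session",user="",virtual_server="pool_web 10.0.0.20 80",bytes_in="0",'
    'res_start_time="2024/01/15 10:00:00",node="10.0.0.20",node_port="80",'
    'http_status="200",req_elapsed_time="12",bytes_out="5120"'
)
LTM_FAILED = (
    'src_ip="192.0.2.11",vip="198.51.100.5",http_method="POST",'
    'http_host="www.example.com:443",http_uri="/api",http_url="www.example.com:443/api",'
    'http_version="1.1",http_user_agent="curl/8.0",http_content_type="application/json",'
    'http_referrer="",req_start_time="2024/01/15 10:00:05",cookie="",user="",'
    'virtual_server="pool_web 10.0.0.20 80",bytes_in="42"'
)
ASM_BLOCKED = (
    'attack_type="Cross Site Scripting (XSS)",date_time="2024-01-15 10:00:07",'
    'dest_ip="198.51.100.5",dest_port="443",ip_client="192.0.2.12",method="GET",'
    'policy_name="/Common/web_policy",req_status="blocked",resp_code="0",'
    'support_id="1234567890123456789",uri="/search",violate_rate="4",'
    'violations="Attack signature detected"'
)
# A User-Agent containing a literal double quote: the iRule does not escape it,
# so the value is silently truncated and the integrity check flags the line.
LTM_BROKEN = LTM_OK.replace('http_user_agent="Mozilla/5.0 (X11; Linux x86_64)"',
                            'http_user_agent="Mozilla/5.0 "evil" x"')


if __name__ == "__main__":
    for raw in (LTM_OK, LTM_FAILED, ASM_BLOCKED, LTM_BROKEN):
        fields, intact = parse_kv_line(raw)
        print(classify(fields), "intact" if intact else "TRUNCATED", len(fields), "fields")
```

When the integrity flag trips in production data, the fix belongs on the BIG-IP side (escaping or stripping quotes in the iRule before HSL::send); a collector that only regex-extracts fields will otherwise keep accepting truncated events without noticing.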
Forward F5 BIG-IP APM events to Splunk
- Create a new logging profile with Logging Profile for Splunk as the Profile Name.
- Associate this logging profile with the Access Policy.
- Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.
This documentation applies to the following versions of Splunk® Supported Add-ons: released