Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP


Prepare F5 servers for Telemetry Streaming

To prepare F5 servers for Telemetry Streaming:

  • Set up the Telemetry Streaming Consumer.
  • Forward F5 BIG-IP logs to Splunk.
  • Use version 13.1 or later of F5 BIG-IP. Telemetry Streaming is compatible only with version 13.1 or later.

Access the F5 documentation for examples of the SystemInfo data you'll receive when using Telemetry Streaming.


Set up Telemetry Streaming Consumer

  1. Create an HTTP Event Collector (HEC) input on your Splunk instance: https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/UsetheHTTPEventCollector
  2. Install the Telemetry Streaming package on F5 BIG-IP. For more information, see the F5 BIG-IP documentation.
  3. Enter this declaration in your API client for the F5 BIG-IP Telemetry Streaming configuration request.

JSON Data for Telemetry Streaming configuration:


{
    "class": "Telemetry",
    "My_System": {
        "class": "Telemetry_System",
        "systemPoller": {
            "interval": <INTERVAL>
        }
    },
    "My_Listener": {
        "class": "Telemetry_Listener",
        "port": 6514
    },
    "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Splunk",
        "host": "<Splunk_IP>",
        "protocol": "http",
        "port": 8088,
        "passphrase": {
            "cipherText": "<HEC_TOKEN>"
        }
    }
}

As you enter this data:

  1. Replace <INTERVAL> with the actual data collection interval value, for example: 60.
  2. Replace <HEC_TOKEN> with the HEC token value of the HEC input created in step 1.
  3. Use 6514 as the port of the local Telemetry Streaming listener.
  4. Replace <Splunk_IP> with the IP address of the Splunk instance where the events should be collected.

Enter 255.255.255.254 as the virtual server IP address to configure logging using either AS3 or TMSH.

Splunk should start receiving SystemInfo data after these steps.
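
A pre-flight check for the declaration, as an added example that is not part of the Splunk or F5 documentation: it flags placeholders that were never replaced, invalid JSON, and values that contradict the steps above, and it notes that "protocol": "http" carries the HEC token unencrypted. The function name, the finding texts and the sample values (a documentation address and a dummy token) are assumptions made for the example, which expects a declaration shaped like the one above.

```python
import ipaddress
import json
import re

PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")  # <INTERVAL>, <Splunk_IP>, <HEC_TOKEN>

def lint_declaration(text):
    """Return findings for a Telemetry Streaming declaration given as JSON text."""
    leftovers = sorted(set(PLACEHOLDER.findall(text)))
    if leftovers:
        return ["unreplaced placeholder: " + p for p in leftovers]
    try:
        decl = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(decl, dict):
        return ["declaration must be a JSON object"]
    findings = []
    for name, obj in decl.items():
        cls = obj.get("class") if isinstance(obj, dict) else None
        if cls == "Telemetry_System":
            poller = obj.get("systemPoller")
            interval = poller.get("interval") if isinstance(poller, dict) else None
            if type(interval) is not int or interval <= 0:
                findings.append(f"{name}: interval must be a positive integer")
        elif cls == "Telemetry_Listener" and obj.get("port") != 6514:
            findings.append(f"{name}: listener port is not 6514")
        elif cls == "Telemetry_Consumer":
            try:
                ipaddress.ip_address(str(obj.get("host")))
            except ValueError:
                findings.append(f"{name}: host is not an IP address")
            if obj.get("protocol") == "http":
                findings.append(f"{name}: protocol http sends the HEC token unencrypted")
    return findings

# Constructed values: a documentation (TEST-NET) address and a dummy token.
SAMPLE = {
    "class": "Telemetry",
    "My_System": {"class": "Telemetry_System", "systemPoller": {"interval": 60}},
    "My_Listener": {"class": "Telemetry_Listener", "port": 6514},
    "My_Consumer": {"class": "Telemetry_Consumer", "type": "Splunk",
                    "host": "192.0.2.10", "protocol": "http", "port": 8088,
                    "passphrase": {"cipherText": "00000000-0000-0000-0000-000000000000"}},
}

if __name__ == "__main__":
    print("\n".join(lint_declaration(json.dumps(SAMPLE))))
```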

Forward F5 BIG-IP logs to Splunk

  1. Configure the remote server from System > Logs > Configuration > Remote Logging. For example, Remote IP: 127.0.0.1 and Remote Port: 6514.
  2. Forward F5 BIG-IP LTM network traffic events to Splunk.
    1. Create an iRule and copy the iRule data provided in the Splunk_HTTP_TS example in the table below into the definition section for the new iRule.
    2. Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send events to the Splunk platform.
    3. Add the recently created iRule to the list of resources to be managed for this virtual server.

Field | Value
Name | Splunk_HTTP_TS
Definition | The following iRule:

when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]

    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\",res_start_time=\"$res_start_time\",node=\"$node\",node_port=\"$node_port\",http_status=\"$http_status\",req_elapsed_time=\"$req_elapsed_time\",bytes_out=\"$res_length\""
}
when LB_FAILED {
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\""
}
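
The iRule writes header values into the event without escaping, so a User-Agent that contains a comma or a Referer that contains a double quote ends up inside a key="value" pair unchanged. The added example below (not part of the Splunk or F5 documentation) parses one such line by anchoring each value on the next expected key and reports the fields whose value contains a double quote; the function names and the sample event are constructed for illustration, and the input is assumed to be the raw message as HSL::send emits it.

```python
# Field order exactly as the Splunk_HTTP_TS iRule above writes it.
KEYS = ["src_ip", "vip", "http_method", "http_host", "http_uri", "http_url",
        "http_version", "http_user_agent", "http_content_type", "http_referrer",
        "req_start_time", "cookie", "user", "virtual_server", "bytes_in",
        "res_start_time", "node", "node_port", "http_status",
        "req_elapsed_time", "bytes_out"]
LAST_KEYS = ("bytes_in", "bytes_out")  # LB_FAILED ends at bytes_in, HTTP_RESPONSE at bytes_out


def parse_event(line):
    """Return (fields, ambiguous_keys), or None if the line does not match the iRule."""
    if not line.startswith(KEYS[0] + '="') or not line.endswith('"'):
        return None
    fields, pos = {}, len(KEYS[0]) + 2
    for key, nxt in zip(KEYS, KEYS[1:] + [None]):
        # A value ends where the next expected key begins, so commas inside it are harmless.
        end = line.find(f'",{nxt}="', pos) if nxt else -1
        if end == -1:
            if key not in LAST_KEYS or pos >= len(line):
                return None
            fields[key] = line[pos:-1]
            break
        fields[key] = line[pos:end]
        pos = end + len(nxt) + 4  # skip the '",key="' delimiter
    # The iRule does not escape values; a double quote inside one means the
    # boundaries of that field cannot be fully trusted.
    return fields, [k for k, v in fields.items() if '"' in v]


def format_event(values):
    """Build a line the way the iRule's HSL::send does (used for the constructed sample)."""
    return ",".join(f'{k}="{v}"' for k, v in zip(KEYS, values))


# Constructed sample: documentation addresses, a User-Agent with a comma, a Referer with quotes.
SAMPLE = format_event([
    "198.51.100.7", "203.0.113.5", "GET", "www.example.test:443", "/index.html",
    "www.example.test:443/index.html", "1.1", "Mozilla/5.0 (KHTML, like Gecko)",
    "", 'https://example.test/?q="x"', "2022/12/13 10:00:00", "", "",
    "pool_a 192.0.2.20 80", "0", "2022/12/13 10:00:00", "192.0.2.20", "80",
    "200", "12", "5120"])

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```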

Forward F5 BIG-IP ASM events to Splunk

Configure F5 Logging Profiles for ASM using the details below.
If you are already collecting the LTM data, then don't select All requests for the Request Type, as LTM already logs all the network traffic events.

Field | Value
Storage Format | attack_type="%attack_type%",date_time="%date_time%",dest_ip="%dest_ip%",dest_port="%dest_port%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client="%ip_client%",ip_route_domain="%ip_with_route_domain%",is_trunct="%is_truncated%",manage_ip_addr="%management_ip_address%",method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
Protocol | TCP
Server Addresses | The address of the server and the port: 255.255.255.254:6514


Forward F5 BIG-IP APM events to Splunk

  1. Create a new logging profile with Logging Profile for Splunk as the Profile Name.
  2. Associate this logging profile with the Access Policy.
  3. Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.

Last modified on 13 December, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

