Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP


Prepare F5 servers to connect to the Splunk platform

Configure the F5 servers in your environment to work with the Splunk platform. Use the BIG-IP system browser-based Configuration Utility or the command line tools that are provided to set up your environment. For specific instructions on how to configure the F5 BIG-IP servers, see F5 BIG-IP Systems documentation on the F5 Support Website, https://support.f5.com/kb/en-us/products.html.

Configure F5 for syslog

Add your Splunk forwarder or Splunk Enterprise single instance to the remote syslog server list on the F5 BIG-IP system so that the F5 device sends its remote syslog data to the Splunk platform. Follow the F5 documentation on how to configure remote logging, using the IP address of your Splunk server, port 9514 for UDP, and port 9515 for TCP. These are the default ports for the add-on's network inputs; if you change either one on the F5 side, change the matching input in inputs.conf on the Splunk side as well.

Configure Logging Levels for APM logs

After you have configured the remote logging server, configure the log levels for your Access Policy log in the Configuration Utility. Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.

Configure F5 Logging Profiles for ASM

To collect data from F5 BIG-IP ASM, add a logging profile in the F5 BIG-IP Configuration Utility. Create a new logging profile with the Profile Name Logging Profile for Splunk and enable Application Security. Use the information below to configure the profile. For the Storage Filter, select AND for Logic Operation and All for Protocols, Response Status Codes, HTTP Methods, and Request Containing String.

Protocol: TCP

Server Addresses: Enter the IP addresses of your Splunk forwarders or your Splunk platform single instance. Add the default port of 9515, unless you want to configure a different port. If you do, you also need to configure a different port in inputs.conf.

Storage format: Select User-Defined, then enter the storage format definition that matches your version of F5 BIG-IP.

For F5 BIG-IP 11.6.0 - 12.0.0:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"

For F5 BIG-IP 11.1.0 - 11.5.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",ip_client=%ip_client%,method="%method%",policy_name="%policy_name%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",sub_violates="%sub_violations%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violations="%violations%",virus_name="%virus_name%"

For F5 BIG-IP 10.1.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%"

Maximum Entry Length: 64K

For more information about the storage formats provided here, see Storage format reference.

Configure F5 for HSL

Configure iRules on the F5 servers so that they send traffic data as HSL through the F5 device to the Splunk platform. The iRules provided here only collect metadata about the traffic they see and send it to the Splunk platform; configuring them does not change system settings or traffic controls on your F5 server.

Using the Configuration utility, create a Pool for HSL and add it to the Local Traffic Pool List in the F5 BIG-IP system, using service port 9514, the IP address of your Splunk server, a Node Name (splunk-node), and a pool name (Pool-syslog). The iRules below open their HSL connections with -pool Pool-syslog, so if you choose a different pool name, change it in every HSL::open call as well.

Configure iRules for LTM

Configure iRules on the F5 server for the local traffic management system so that you can send local traffic data through the F5 device to the Splunk platform. iRules enable you to search on any type of data that you define.

Use the Configuration utility to create an iRule, Splunk_HTTP, to add to the iRules list of the local traffic manager (LTM). In versions 11.6.0 and 12.0.0, perform this configuration here: Local Traffic > iRules > iRule List.

Copy the iRule data provided in the iRule_http example in the table below into the definition section for the new iRule. Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send traffic events to the Splunk platform. Add the iRule to the list of resources to be managed for this virtual server.

iRule_http example

iRule: irule_http
Description: This rule collects and sends HTTP(S) traffic data and LB_FAILED event data to the Splunk platform. The BIG-IP system raises LB_FAILED when load balancing for a request fails.
Example:
when CLIENT_ACCEPTED {
    # Captured once per TCP connection and reused by every request on it.
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    # Millisecond tick used for req_elapsed_time; the formatted timestamp is what gets logged.
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    # Only the cookie names are collected, not their values.
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]

    # HTTP::header returns an empty string when the header is absent, so this test is false then.
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    # <190> is the syslog PRI for local7.info. Pool-syslog is the HSL pool created above; to apply
    # F5 log filters and formats instead, open a log publisher with HSL::open -publisher /Common/<publisher>.
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"
}
when LB_FAILED {
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    # If no HTTP request has been parsed on this connection yet, the request variables referenced
    # below do not exist and the iRule would abort; log only the connection-level data in that case.
    if { ![info exists http_method] } {
        HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip\r\n"
        return
    }
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length\r\n"
}

Configure iRules for BIG-IP DNS (BIG-IP GTM)

Configure iRules on F5 BIG-IP DNS (BIG-IP GTM prior to version 12.0.0) devices so that you can send global traffic data to the Splunk platform. iRules enable you to search on any type of data that you define.

Create Splunk_DNS_REQUEST

Use the Configuration utility to create an iRule, Splunk_DNS_REQUEST, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to 12.0.0). In versions 11.6.0 and 12.0.0, perform this configuration here: DNS > GSLB > iRules.

Add the data definition for the iRule, Splunk_DNS_REQUEST, to the iRule properties. Copy the iRule data provided in the irule_dns_request example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_REQUEST, to existing listeners. These listeners alert GTM to DNS traffic destined for the system. Add the iRule, Splunk_DNS_REQUEST, to the list of resources to be managed for this listener.

irule_dns_request example

iRule: irule_dns_request
Description: The system triggers the iRule to send data when it receives a DNS request.
Example:
when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set data_center [whereami]
    # whereis returns a Tcl list; join it with ";" so it travels as one field. The separator
    # must be quoted: a bare ; ends the Tcl command and the list would be joined with spaces.
    set geo_information [join [whereis $client_addr] ";"]
    set gtm_server [whoami]
    set wideip [wideip name]
    set dns_len [DNS::len]

    # <190> is the syslog PRI for local7.info; Pool-syslog is the HSL pool created above.
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,src_geo_info=$geo_information,question_name=$question_name,question_class=$question_class,question_type=$question_type,data_center=$data_center,gtm_server=$gtm_server,wideip=$wideip,dns_len=$dns_len\r\n"
}

Create Splunk_DNS_RESPONSE

Use the Configuration utility to create an iRule, Splunk_DNS_RESPONSE, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to version 12.0.0). In versions 11.6.0 and 12.0.0, perform this configuration here: Local Traffic > iRules > iRule List.

Add the data definition for the iRule, Splunk_DNS_RESPONSE, to the iRule properties. Copy the iRule data provided in the irule_dns_response example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_RESPONSE, to an existing wide IP in the GSLB wide IP list.

irule_dns_response example

iRule: irule_dns_response
Description: The system triggers the iRule to send data when it replies to a client with the DNS result.
Example:
when DNS_RESPONSE {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    # DNS::answer returns a list of resource records; join them with a quoted ";" so
    # they travel as one field (a bare ; would end the Tcl command).
    set answer [join [DNS::answer] ";"]

    # <190> is the syslog PRI for local7.info; Pool-syslog is the HSL pool created above.
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\"\r\n"
}
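As an added example, not code from the Splunk add-on or from F5, here is a Python parser for the key=value events that the ASM storage formats above and the LTM and DNS iRules emit, followed by a simple triage pass over the parsed events. It handles the one thing a naive split on commas gets wrong: quoted fields such as headers="%headers%" and req="%request%" contain commas, CR/LF and sometimes double quotes, so a quoted value must end only at a quote that is followed by the next key. The sample events, addresses, support ID and the violation-rating threshold are all constructed for this example.

```python
"""Parse and triage the key=value events that the ASM storage formats and the
Splunk HSL iRules on this page emit.

Added example, not code from the Splunk add-on or from F5. The sample events
below are constructed to match the formats on this page; every address,
hostname, ID and value in them is invented.
"""
import re
from typing import Dict, List

# syslog PRI = facility * 8 + severity; the iRules prefix each event with <190>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Illustrative triage threshold on ASM's violation rating (assumption, not an ASM default).
RATING_THRESHOLD = 4

# One key=value pair. A quoted value ends only at a double quote followed by
# ",key=" or by the end of the event, so headers="..." and req="..." may carry
# commas, CR/LF and stray double quotes. Values the formats leave unquoted
# (dest_ip, http_uri, ...) end at the next comma.
_PAIR = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)='
    r'(?:"(?P<quoted>.*?)"(?=,[A-Za-z_][A-Za-z0-9_]*=|\s*$)|(?P<bare>[^,]*))',
    re.DOTALL,
)
_PRI = re.compile(r"^<(?P<pri>\d{1,3})>,?")


def decode_pri(pri: int) -> Dict[str, str]:
    """Split a syslog PRI such as 190 into facility and severity names."""
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8]}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one ASM or iRule event into a dict of field name -> raw string value."""
    line = line.rstrip("\r\n")
    fields: Dict[str, str] = {}
    pri = _PRI.match(line)
    if pri:
        fields.update(decode_pri(int(pri.group("pri"))))
        line = line[pri.end():]
    for pair in _PAIR.finditer(line):
        quoted, bare = pair.group("quoted"), pair.group("bare")
        fields[pair.group("key")] = quoted if quoted is not None else bare
    return fields


def split_list(value: str) -> List[str]:
    """Split the ';'-joined lists the DNS iRules emit (geo info, answer records)."""
    return [item for item in value.split(";") if item]


def _to_int(value, default: int = 0) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the support_id of every ASM event that ASM blocked or rated at or
    above RATING_THRESHOLD; iRule events carry no f5_asm field and are skipped."""
    flagged = []
    for ev in events:
        if ev.get("f5_asm") != "Splunk-F5-ASM":
            continue
        if ev.get("req_status") == "blocked" or _to_int(ev.get("violate_rate")) >= RATING_THRESHOLD:
            flagged.append(ev.get("support_id", ""))
    return flagged


# Constructed samples, one per format on this page (11.6.0 ASM format, HTTP iRule, DNS iRule).
ASM_SAMPLE = (
    'f5_asm=Splunk-F5-ASM,attack_type="SQL-Injection",date_time="2024-03-01 10:15:42",'
    'dest_ip=10.10.1.20,dest_port=443,geo_info="N/A",headers="Host: www.example.test\r\n'
    'User-Agent: curl/8.0.1\r\nAccept: text/html,application/xhtml+xml\r\n",'
    'http_class="/Common/www_example",ip_addr_intelli="N/A",ip_client=198.51.100.7,'
    'ip_route_domain="198.51.100.7%0",is_trunct=false,manage_ip_addr=192.0.2.1,method="GET",'
    'policy_apply_date="2024-02-28 09:00:00",policy_name="/Common/www_example",protocol="HTTPS",'
    'query_str="id=1%27%20OR%201%3D1--",req="GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1\r\n'
    'Host: www.example.test\r\n",req_status="blocked",resp="N/A",resp_code="200",route_domain="0",'
    'session_id="5f3a9c1e2b7d4a60",severity="Critical",sig_ids="200002147",'
    'sig_names="SQL-INJ expressions like "or 1=1"",src_port="51944",sub_violates="N/A",'
    'support_id="18143511912521094",unit_host="bigip1.example.test",uri="/item",username="N/A",'
    'violate_details="N/A",violate_rate="5",violations="Attack signature detected",'
    'virus_name="N/A",x_fwd_hdr_val="N/A"'
)
HTTP_SAMPLE = (
    "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=198.51.100.7,vip=10.10.1.20,http_method=GET,"
    "http_host=www.example.test:443,http_uri=/item?id=7,http_url=www.example.test:443/item?id=7,"
    'http_version=1.1,http_user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0",'
    'http_content_type=,http_referrer="https://www.example.test/",req_start_time=2024/03/01 10:15:41,'
    'cookie="session_id PHPSESSID",user=,virtual_server="/Common/pool_web 10.10.2.31 443",'
    "bytes_in=0,res_start_time=2024/03/01 10:15:41,node=10.10.2.31,node_port=443,http_status=200,"
    "req_elapsed_time=43,bytes_out=5120\r\n"
)
DNS_SAMPLE = (
    "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=198.51.100.7,dns_server_ip=10.10.1.53,"
    'question_name=www.example.test,is_wideip=1,answer="www.example.test 30 IN A 203.0.113.10;'
    'www.example.test 30 IN A 203.0.113.11"\r\n'
)

if __name__ == "__main__":
    print("flagged:", triage([parse_event(s) for s in (ASM_SAMPLE, HTTP_SAMPLE, DNS_SAMPLE)]))
```

Fields that the formats leave unquoted (dest_ip, ip_client, http_uri, http_url, user, and so on) end at the first literal comma, so a request URI that contains a comma is truncated there; if that matters for your searches, wrap those fields in escaped quotes in the iRule the same way http_user_agent and cookie already are. Because the parser applies the same rule a key=value field extraction does, its output is a useful preview of the fields you will see on the Splunk side before you point a real F5 at it.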

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

To avoid a jumbled mess of logs heading to Splunk, lb_failed events, or enabling pool detection in the iRules, I used the built-in F5 high-speed logging formatting and filtering. I recommend using the following in place of pointing to the Splunk syslog pool directly from the iRule.

replace: set hsl [HSL::open -proto UDP -pool Your-Pool-syslog]

with: set hsl [HSL::open -publisher /Common/Your-Splunk-Syslog-Publisher]

More info on how to build the publisher/formats/filtering:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-13-0-0/3.html

Another item I recommend is blocking syslog messages that have no business flooding into Splunk. I found that I could stop those logs from being sent to Splunk right at the F5 by creating a log filter that flagged a specific message ID and set the log publisher to nothing.

This worked for me on:
F5 BigIP 12.1.3.1
F5 DNS 13.1.0.8

Pixelbrain
October 3, 2018

Thanks, Hutchch. We're working on this issue and I'll update here when I have news.

Rpille splunk, Splunker
October 5, 2017

With Splunk 7.0.0, the Web UI buttons are not clickable. I have loaded up a 6.5.5 instance, and this is not an issue. Is there a setting I can change in a .conf file or will there be an update available?

Thanks

Hutchch
October 5, 2017

Thanks, PSK! I have incorporated your additional input into the code example.

Hunters splunk, Splunker
July 28, 2017

Hi Hunters,
irule_http uses command “HSL::open” that references a Splunk Logging pool directly using the -pool option. This is because the virtual server would be using the status of the syslog pool referenced in the HSL::open command. So the option for workaround is to place the variable and reference the variable. So irule http example can be corrected as,

"
Set splunk_pool Pool-syslog
Set splunk_pool set hsl [HSL::open -proto UDP -pool $splunk_pool]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"
}
when LB_FAILED {
Set splunk_pool Pool-syslog
set hsl [HSL::open -proto UDP -pool $splunk_pool]

"

i have omitted codes and selected the only where modification is required. Hope this will help if someone comes with same problem.

Thanks.

Psk 2017
July 25, 2017

Hi Puina, the answer to your question might be lying on the F5 side rather than the Splunk side. Maybe you can try the following:
* Toggle Virtual Address ARP: https://devcentral.f5.com/wiki/tmsh.ToggleVirtualAddressARP.ashx
* Mark the status of a virtual server down: https://devcentral.f5.com/questions/mark-the-status-of-a-virtual-server-down
If they don't help, please try to dig deeper into the F5 docs or user community for an answer. Thanks!

Hunters splunk, Splunker
July 17, 2017

Hi,
I am using the irule_http but this doesn't work properly. The problem is that when the pool member is made down, the associated VIP is up [VIP status is green despite all the pool members of it being made down]. It seems the condition of
when LB_FAILED {
set hsl [HSL::open -proto UDP -pool Pool-syslog]

triggers and the VIP seems to be taking the splunk pool as a reference of monitor, thus the VIP is shown up, which we don't want. What we want is when the pool member is down then the VIP also should be down.

Can any of the Splunk experts suggest on this.

Thanks in advance.

Psk 2017
July 14, 2017

Configure UDP and TCP inputs rather than modular inputs for collecting data of the f5_bigip:irule:http and f5:bigip:ltm:http:irule sourcetypes.

Hunters splunk, Splunker
February 9, 2017

Hi Saurabh, you can specify the index to store collected data when creating a task – step 10 in the following procedure:
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Configureinputs#Create_tasks

Hunters splunk, Splunker
February 7, 2017

Right now the iRule_http iRule is sending data to the default index (main). How do I configure this data to be sent to another index?

Schaudhary77
February 3, 2017

I verified that the Splunk_DNS_RESPONSE iRule is indeed for GTM. I think it is confusing because it is configured in LTM. The configuration is done in: Local Traffic > iRules > iRule List (for versions 11.6.0 and 12.0.0).

Hjauch splunk, Splunker
June 8, 2016

F5 Admin suggested that Splunk_DNS_RESPONSE iRule is for LTM not GTM. Can we verify this and correct our documentation ?

Ppohar
May 17, 2016

GTM iRules are not working on F5 version 11.5.2 HF1.0.169. We are seeing the error undefined procedure "whereami" for DNSRequest and unknown event DNS_Response.

Ppohar
May 9, 2016

Thanks for your comment, Coltwanger. I have removed the duplicate "http_method=$http_method" references from the example in the "Configure iRules for LTM" section. Thank you.

Hjauch splunk, Splunker
January 7, 2016

It appears “http_method” is logged twice in the HSL line within the iRule.

HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,***http_method=$http_method***,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,***http_method=$http_method***,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"

Coltwanger
December 21, 2015

Thanks for the comment, Unicycle. I've updated the storage format to eliminate some of the less useful fields to fit within the 512 byte limit. Thanks!

Rpille splunk, Splunker
June 25, 2015

The storage format for ASM is not accepted by the F5, for 11.5.1. The F5 says it exceeds the 512 byte limit

Unicycle
June 23, 2015
