Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Prepare F5 servers to connect to the Splunk platform

Use the BIG-IP system browser-based Configuration Utility or the command line tools that are provided to set up your environment. For specific instructions on how to configure the F5 BIG-IP servers, see F5 BIG-IP Systems documentation on the F5 Support Website, https://support.f5.com/kb/en-us/products.html.

Configure F5 for Telemetry Streaming

Telemetry Streaming is the best way to send all module logs in the JSON format to the HEC endpoint, except for DNS, which is not supported. Telemetry Streaming is compatible with BIG-IP versions 13.0 and later. For more information, learn how to Prepare F5 servers for telemetry streaming.

Configure F5 for syslog with SC4S

The best method for getting syslog data into the Splunk platform for production deployments is Splunk Connect For Syslog. This solution provides improved simplicity and scalability, among other benefits. For more information, see Splunk Connect for Syslog.

Configure F5 for HSL

Configure iRules on the F5 servers to enable them to send traffic data as HSL through the F5 device to the Splunk platform. Configuring iRules does not impact system settings or traffic controls on your F5 server. The iRules collect and send metadata to the Splunk platform.

Using the Configuration utility, create a Pool for HSL and add it to the Local Traffic Pool List in the F5 BIG-IP system using service port 9514, the IP address of your Splunk server, a Node Name (splunk-node), and a pool name (Pool-syslog).

Configure Logging Levels for APM logs

After you have configured the remote logging server, configure the log levels for your Access Policy log in the Configuration Utility. Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.

Configure iRules for LTM

Configure iRules on the F5 server for the local traffic management system so that you can send local traffic data through the F5 device to the Splunk platform. iRules enable you to search on any type of data that you define.

Use the Configuration utility to create an iRule, Splunk_HTTP, to add to the iRules list of the local traffic manager (LTM). In version 11.6.5 and above, perform this configuration here: Local Traffic > iRules > iRule List.

Copy the iRule data provided in the iRule_http example in the table below into the definition section for the new iRule. Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send traffic events to the Splunk platform. Add the iRule to the list of resources to be managed for this virtual server.

iRule_http example
iRule irule_http
Description This rule collects and sends http(s) traffic data and lb_faild event data to the Splunk platform. A load balancing failure triggers this event.
Example
 when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]
      
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"
}
when LB_FAILED {
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length\r\n"
}

Configure iRules for BIG-IP DNS (BIG-IP GTM)

Configure iRules on F5 BIG-IP DNS (BIG-IP GTM prior to version 12.0.0) devices so that you can send global traffic data to the Splunk platform. iRules enable you to search on any type of data that you define. Telemetry Streaming and DNS are NOT compatible.

Create Splunk_DNS_REQUEST

Use the Configuration utility to create an iRule, Splunk_DNS_REQUEST, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to 12.0.0). In version 11.6.5 and above, perform this configuration here: DNS > GSLB > iRules.

Add the data definition for the iRule, Splunk_DNS_REQUEST, to the iRule properties. Copy the iRule data provided in the irule_dns_request example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_REQUEST, to existing listeners. These listeners alert GTM to DNS traffic destined for the system. Add the iRule, Splunk_DNS_REQUEST, to the list of resources to be managed for this listener.

irule_dns_request example
iRule irule_dns_request
Description The system triggers the iRule to send data when it receives a DNS parsing request.
Example
when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set data_center [whereami]
    set geo_information [join [whereis $client_addr] ;]
    set gtm_server [whoami]
    set wideip [wideip name]
    set dns_len [DNS::len]
      
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,src_geo_info=$geo_information,question_name=$question_name,question_class=$question_class,question_type=$question_type,data_center=$data_center,gtm_server=$gtm_server,wideip=$wideip,dns_len=$dns_len\r\n"
}

Create Splunk_DNS_RESPONSE

Use the Configuration utility to create an iRule, Splunk_DNS_RESPONSE, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to version 12.0.0). In version 11.6.5 and above, perform this configuration here: Local Traffic > iRules > iRule List.

Add the data definition for the iRule, Splunk_DNS_RESPONSE, to the iRule properties. Copy the iRule data provided in the irule_dns_response example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_RESPONSE, to an existing wide IP in the GSLB wide IP list.

irule_dns_response example
iRule irule_dns_response
Description The system triggers the iRule to send data when it replays to a client with the DNS parsing result.
Example
when DNS_RESPONSE {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    set answer [join [DNS::answer] ;]
       
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer \"\r\n"
}

Configure F5 Logging Profiles for ASM

In order to collect data from F5 BIG-IP ASM, you need to add a logging profile in the F5 BIG-IP Configuration Utility. Create a new logging profile with a Profile Name of Logging Profile for Splunk and enable Application Security. Use the information in the table below to configure the profile. For the Storage Filter information, select AND for Logic Operation and All for Protocols, Response Status Codes, HTTP Methods, and Request Containing String.

Field Value
Protocol TCP
Server Addresses Enter the IP addresses of your Splunk forwarders or your Splunk platform single instance. Add the default port of 9515, unless you want to configure a different port. If you do, you also need to configure a different port in inputs.conf.
Storage format Select User-Defined, then enter the storage format definition that matches your version of F5 BIG-IP. Note that the storage format is also defined in the F5 Big IP documentation: https://support.f5.com/csp/article/K5903


For F5 BIG-IP 13.1.0 - 17.0.0

 f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",blocking_exception_reason="%blocking_exception_reason%",client_type="%client_type%",credential_stuffing_lookup_result="%credential_stuffing_lookup_result%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,device_id="%device_id%",enforced_by="%enforced_by%",enforcement_action="%enforcement_action%",epoch_time="%epoch_time%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,login_result="%login_result%",manage_ip_addr=%management_ip_address%,method="%method%",mobile_application_name="%mobile_application_name%",mobile_application_version="%mobile_application_version%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",protocol_info="%protocol_info%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",threat_campaign_names="%threat_campaign_names%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"



For F5 BIG-IP 11.6.0 - 12.0.0:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"

For F5 BIG-IP 11.1.0 - 11.5.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",ip_client=%ip_client%,method="%method%",policy_name="%policy_name%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",sub_violates="%sub_violations%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violations="%violations%",virus_name="%virus_name%"

For F5 BIG-IP 10.1.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%"
Maximum Entry Length 64K

For more information about the storage formats provided here, see Storage format reference.

Last modified on 19 December, 2023
PREVIOUS
Install the Splunk Add-on for F5 BIG-IP
  NEXT
Prepare F5 servers for Telemetry Streaming

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters