I have installed Splunk for F5 and the ASM Log Source type is not listed as an available source type for my logs.
I am running Splunk 4.1.3 Build 80534 for Windows.
Can someone tell me how to set up my data input as ASM Logs Source type?
Thanks.
When will Splunk App (F5) support ARX switches?
I have data coming in in the format "data1","data2","data3" from F5.
However, some events contain " and some contain , - thus the usual
DELIMS = ","
FIELDS = "field1", "field2", "field3"
Doesn't seem to be working 100% of the time.
If I put
DELIMS = "\",\""
does it:
?
Update: "\",\"" does not work, nor do a few other ideas we tried. I guess this question has become: can Splunk use a multiple-character string as a delimiter?
Here is a line of data. This is coming from an F5 ASM:
Jun 18 20:04:34 f5name.client.com ASM:"HTTP protocol compliance failed","f5name.client.com","10.10.10.10","Client_security_policy_1","2010-07-04 12:18:19","","8000003409000000072","","0","Unknown method","HTTP","/cgi-bin/">alert(12769017.87967)/consumer/homearticle.jsp","","10.10.8.8","ConsumerSite","GET /cgi-bin/%22%3E%3Cscript%3Ealert(12769017.87967)%3C/script%3E/consumer/homearticle.jsp?pageid=Page_ID' onError=alert(12769017.97637) ' HTTP/1.1\r\nHost: host1.client.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/20080630 Firefox/3.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 15\r\nConnection: keep-alive\r\nReferer: https://host1.client.com/consumer/site/registration\r\nCookie: IMNAME=/cgi-bin/"">alert(12769017.87967); Partner=; MS_CN=; IDSS=6qjob0U1A/3SCCBYXiwQ6T5WE/EVg==; TS58d302=fb35699ac4c1c0946; MHS_INFO=ObsId=\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n"
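An added Python illustration (not Splunk configuration and not from the original post) of why a single-character comma delimiter miscounts fields on lines shaped like the one above, and how splitting the ASM body on the three-character `","` boundary recovers them. The sample line is constructed in the same shape, with example.com hosts and a benign request.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of the ASM line quoted above (example.com hosts).
# The URI and the raw request both contain a bare comma, and the cookie contains
# bare double quotes, which is what trips a single-character delimiter.
SAMPLE = (
    'Jun 18 20:04:34 f5name.example.com ASM:"HTTP protocol compliance failed",'
    '"f5name.example.com","10.10.10.10","policy_1","2010-07-04 12:18:19","",'
    '"8000003409000000072","","0","Unknown method","HTTP","/search?q=a,b","",'
    '"10.10.8.8","Site","GET /search?q=a,b HTTP/1.1\\r\\nHost: www.example.com'
    '\\r\\nCookie: name="x"\\r\\n\\r\\n"'
)

# Syslog header, then ASM:"...": the body runs to the final quote on the line.
ASM_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ASM:"(?P<body>.*)"$'
)
FIELD_BOUNDARY = '","'  # the multi-character separator between two quoted fields


def parse_asm(line: str) -> Optional[dict]:
    """Split an ASM event on the quote-comma-quote boundary; None if not ASM."""
    m = ASM_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "fields": m.group("body").split(FIELD_BOUNDARY),
    }


def naive_split(line: str) -> List[str]:
    """What a plain comma delimiter does: every comma becomes a field boundary."""
    body = line.split("ASM:", 1)[1]
    return [f.strip('"') for f in body.split(",")]
```

On the sample, parse_asm yields the 16 quoted fields intact, while naive_split produces 18 pieces and truncates the URI at its embedded comma.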
I installed the splunk for F5 app, and I'm trying to figure out how to get data from our 2 LTMs running ASM into splunk in a format that's usable by this app. The splunk server I'm using is at 4.1.3, and has a "generic" syslog data input on port 514 that I'm using to send syslog events from a few devices to splunk.
Splunk seems to be receiving syslog input from our LTM units just fine. However, it seems that this app expects data in a different format.
Looking at another question posted to splunk (http://answers.splunk.com/questions/3925/splunk-for-f5-data-input-method), I see the inputs.conf from $SPLUNK_HOME/etc/apps/SplunkforF5/local is referenced, and looking at that file on our own splunk install, I'm not sure how it is expecting data. The first few sections there look like this:
[tcp://9998]
sourcetype = asm_log
[monitor:///home/sheyda/SplunkData/asm_full_dos]
disabled = 1
host = sheyda-laptop
host_regex =
[tcp://9998]
sourcetype = asm_log
I'm still trying to fully grasp splunk, but the way it reads to me (and please correct me if I'm wrong), it's expecting a data input on the splunk server to be configured on port 9998, of type asm_log. I'm not quite sure I understand this part, as it seems to me that it expects some type of Splunk Light Forwarder on the LTM units to forward data to port 9998 on our splunk server. Is using the SplunkLightForwarder directly on our LTM units really a "recommended" way of getting data using this method?
The next line seems to be looking at the file "/home/sheyda/SplunkData/asm_full_dos", however, I'm not sure how that file gets there, or what that file really is. I'm guessing this is equivalent to the /var/log/asm file on our LTM units, but I can't be 100% sure. If this is true, where is it expecting this? On the splunk server? Is this type of method expecting some automated job to be copying the /var/log/asm (and /var/log/ltm) log files from our LTM units onto the splunk server to be processed? This seems, in my limited knowledge, contradictory to the first part that contains the input on 9998, but I'm not sure if that's meant to be used as an alternative. If it is, it doesn't seem very "real time".
There was also a suggestion on http://answers.splunk.com/questions/3925/splunk-for-f5-data-input-method at the bottom to make the source type of the syslog input to something asm/ltm/firepass related. This makes sense, but wouldn't that mean I couldn't use the syslog input for anything else BUT asm/ltm/firepass, and even then, only one of the 3 at that?
I feel like I'm missing something painfully obvious (and in all likelihood, I am), so can someone help explain the "proper" way of getting data from our LTM units that can be used by the SplunkforF5 app?
Hi,
I've FirePass sending logs to the Splunk server via UDP 514. I've also installed the F5 app, but none of the built-in searches seem to display any events captured (e.g. F5 FirePass Connections by User).
Is there any thing wrong with the built-in searches?
How can I get it to show up under F5 app?
I also have Linux servers sending via 514 with sourcetype syslog. Thus, when FirePass logs come in, they are under syslog as well. How do I set their own "sourcetype = firepass", for example?
Thanks in advance.
I just installed the SplunkforF5 app. I installed it on the indexer and the search head. The app has many scheduled searches, including some that feed the summary index. It seems to me that having both the search head and the indexer run the scheduled searches and si-related commands is a waste.
Just disable the scheduled jobs on the indexer? Best practices?
What logs are needed to produce the necessary inputs for the ltm_log source type? Do I need to specify an iRule? Where is it documented? If you just set the syslog setting in the LTM, all you get are administrative logs, not the traffic logs that the ltm_log source type can understand.
Hi, after installing the F5 app using the Splunk 4.2 web interface (not through unzipping manually in the ..etc/apps folder), when I restart Splunk, I get this warning message (before configuring the F5 app):
Checking conf files for typos...
Possible typo in stanza [connection_failed] in /opt/splunk/etc/apps/SplunkforF5/default/eventtypes.conf, line 3: viewstate.resultView = normalView
Possible typo in stanza [connection_success] in /opt/splunk/etc/apps/SplunkforF5/default/eventtypes.conf, line 7: viewstate.resultView = normalView
Since the current version of the F5 app is older than the release of Splunk version 4.2, is the current F5 app compatible with Splunk 4.2?
So, I have a fresh install of Splunk 4.2 and the Splunk for f5 app. I've configured the ASM on my f5 to send all illegal requests to Splunk via TCP:9998. Splunk is configured with TCP:9998 for a data input and source type is set to asm_log for anything over this connection.
I'm able to see the last 10 ASM events on the bottom of the dashboard in Splunk so I know the information is being sent to Splunk and showing up as asm_log.
The problem I have is that none of the other dashboard areas are being populated with any data. Is there a special format the logs need to be in, or special fields required? I'm a little lost at this point.
Thanks in advance for your help.
The comment below is from the default/props.conf and is a little confusing. What does this mean for the current (or latest) version: no extractions needed? Or does this mean I need to uncomment the extraction that matches my F5 ASM version (which is 10.2.1)?
###ASM PROPS###
####YOU NEED TO UN-COMMENT THE EXTRACTION FOR OLDER VERSIONS OF ASM
Additionally, (if needed to specify) do you have field extractions for ASM 10.2.1?
Feature Request: Setup
The F5 Big-IP product has many applications (ASM, FirePass, LTM); we might not use all of these or choose to have logs for all. Could the app have a setup step added to choose the features to enable? This would help by removing unneeded menu items and preventing unneeded jobs from processing.
Thanks
Trying to implement the iRule supplied by F5, we can get the iRule to log to Splunk.
We are having an issue with the req_elapsed_time field, as it is always returning 0.
Anyone else using that value and getting something other than 0 for a value?
We are trying to use the iRule to determine the response time for surfing via a particular pool and this value appears to be the one we need.
I am trying to extract a second date and time field from an F5 LTM message into a field (or fields).
The message looks like this:
Certificate 'abc.123.com' in file abc.123.com.crt will expire on Thu Jun 14 23:59:59 2012 GMT
The message already has the date and time auto-extracted for when the message occurs, but I would like to extract the date and time the certificate is expiring to do some math (certs expiring in 30/60/90 days, certs expired 7/30/60 days ago).
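An added Python example (not the poster's code and not Splunk search syntax) that pulls the second timestamp out of the LTM message above, parses it as UTC, and computes the day count and 30/60/90-day bucket that the question asks for; the function and bucket labels are my own naming.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# The LTM message quoted above, used here as the sample input.
MESSAGE = ("Certificate 'abc.123.com' in file abc.123.com.crt will expire on "
           "Thu Jun 14 23:59:59 2012 GMT")

# Captures the certificate name, the file and the second timestamp; GMT is
# matched literally since these LTM messages state it that way.
EXPIRY_RE = re.compile(
    r"Certificate '(?P<name>[^']+)' in file (?P<file>\S+) will expire on "
    r"(?P<expiry>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT"
)


def parse_expiry(message: str) -> Optional[dict]:
    """Extract name, file and expiry (as an aware UTC datetime), or None."""
    m = EXPIRY_RE.search(message)
    if m is None:
        return None
    # %d also accepts the space-padded day that syslog-style dates use ("Jun  4").
    expires_at = datetime.strptime(m.group("expiry"), "%a %b %d %H:%M:%S %Y")
    return {
        "name": m.group("name"),
        "file": m.group("file"),
        "expires_at": expires_at.replace(tzinfo=timezone.utc),
    }


def days_until_expiry(message: str, now_iso: str) -> Optional[int]:
    """Whole days from now_iso (ISO 8601 with UTC offset) to expiry; negative once expired."""
    info = parse_expiry(message)
    if info is None:
        return None
    now = datetime.fromisoformat(now_iso)
    return (info["expires_at"] - now).days


def expiry_bucket(days: int) -> str:
    """Bucket a day count into the 30/60/90-day windows mentioned above."""
    if days < 0:
        return "expired"
    for limit in (30, 60, 90):
        if days <= limit:
            return f"expires within {limit} days"
    return "more than 90 days"
```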
Hi,
I installed the SplunkforF5 Networks application in my environment; it works when I log HTTP traffic from a VS with a Standard type. But all the traffic my customer wants to log comes from a VS with a Performance Layer 4 type, so I can't specify an HTTP profile and the iRule doesn't work.
Is there an iRule that works with a Performance Layer 4 type of VS?
Best regards, E-L
Since F5 has decided to divide their app into 3 different ones (Access, Network, Security), it's getting hard to set up. On the F5 side, I'm only seeing the option to forward all logs to a specific port on Splunk. In my case it is port 10035.
On the Splunk side, here is what I have setup:
1) /opt/splunk/etc/apps/SplunkforF5Access/local/inputs.conf
2) /opt/splunk/etc/apps/SplunkforF5Networks/local/inputs.conf
3) /opt/splunk/etc/apps/SplunkforF5Security/local/inputs.conf
But now, I'm only getting logs under apm_log of access (doesn't really matter) and nothing else.
So I have a couple of questions:
I have installed the 3 apps that are to support Splunk for F5, namely Access, Network, and Security. However, I'm not getting any of the dashboards and predefined searches to show up. After doing some digging, it looks like I'm not getting data on the right sourcetype. But here is what I have. My SplunkforF5Access/local/inputs.conf looks like the following:
[udp://10035]
connection_host = dns
sourcetype = syslog
index = f5
source = udp:514
disabled = 0
I haven't changed props.conf or transforms.conf. Here is a part of my props.conf:
[source::udp:514]
TRANSFORMS-apmsourcetype = apm_sourcetyper
TRANSFORMS-firepasssourcetype = firepass_sourcetyper
and I believe the part in transforms.conf that correlates to it is:
############APM EXTRACTIONS################
[apm_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s(?:0149|0125|0158)[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:
FORMAT = sourcetype::apm_log
and:
############ FirePass sourcetype Extractions ###############
[firepass_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:172\.16\.73\.(4|5))
FORMAT = sourcetype::firepass_log
Here is my question: even though I have my source set as udp:514, why don't I see two sourcetypes, firepass_log and, more importantly, apm_log?
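An added Python emulation (not Splunk itself, and not from the original post) of the two sourcetype-rewriting transforms quoted above, run over constructed sample events, so you can see which raw lines each REGEX actually fires on and which ones stay at the input's sourcetype. The sample events are made up for this illustration; the patterns are simple enough to behave the same in Python's re module as in Splunk's PCRE.

```python
import re

# The two transforms quoted above: (class name, REGEX, resulting sourcetype).
SOURCETYPERS = [
    ("apm_sourcetyper",
     re.compile(r":\s(?:0149|0125|0158)[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:"),
     "apm_log"),
    ("firepass_sourcetyper",
     re.compile(r"(?:172\.16\.73\.(4|5))"),
     "firepass_log"),
]


def matching_sourcetypes(event: str, default: str = "syslog") -> list:
    """Return the sourcetypes whose REGEX fires on this raw event.

    Splunk picks a single winner according to its own transform ordering; this
    helper only reports which transforms would fire, and falls back to the
    input's configured sourcetype (here 'syslog') when none of them does.
    """
    hits = [st for _name, rx, st in SOURCETYPERS if rx.search(event)]
    return hits or [default]


# Constructed sample events (not real device output).  Only the first two carry
# something the regexes look for: an APM-style message code with a session id,
# or a host in 172.16.73.4/5.  The third is a plain LTM-style line from elsewhere.
SAMPLES = {
    "apm": "Mar  1 10:00:00 bigip1 notice tmm[1234]: 01490000:5: deadbeef: constructed APM-style line",
    "firepass": "Mar  1 10:00:01 172.16.73.4 constructed FirePass-style line",
    "ltm": "Mar  1 10:00:02 10.1.1.1 notice mcpd[5678]: 01070000:5: constructed LTM-style line",
}


def classify_all(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the sourcetypes that would fire on it."""
    return {name: matching_sourcetypes(event) for name, event in samples.items()}
```

Anything that neither carries one of the three APM code prefixes nor comes from 172.16.73.4/5 is left as syslog, which is the symptom described above.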
Hi Support,
I am running Splunk Enterprise 6.0.2 on Windows Server 2012. I need to get syslogs from F5. I have installed the "Splunk for F5 Access" app. After installing, I rebooted the server. I didn't see any logs...
Also, I have checked this document: http://answers.splunk.com/answers/110897/splunk-for-f5-access
How do I edit the file (in the web)? Where can I do it (in the web/command line)?
Please help me
Thanks
Hi All,
Recently I downloaded the "Splunk for F5 Access" app and installed it into my Splunk box.
Whenever I restart the splunk process, I see the following configuration warning:
Checking filesystem compatibility... Done
Possible typo in stanza [firepass_log] in /home/splunk/etc/apps/firepass/default/props.conf, line 6: TRANSFORM = firepass-host
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
Checking conf files for typos... Done
All preliminary checks passed.
Content of Props.conf:
[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host,firepass_term_host_prt,firepass_login_src,firepass_failed_valid,firepass_failed_invalid,firepass_sid_full,firepass_sid_full_condensed,firepass_sid,firepass_sid_kv,firepass_access_type,firepass_remote,firepass_intrusion,firepass_app_tunnel_remote_host,firepass_user_domain,firepass_logon_denied
Transforms.conf
[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1
Can someone please help me here to find what the issue is?
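An added Python check (not from the poster and not a Splunk tool) that does offline what the btool "possible typo" warning above hints at: it flags props.conf keys that are not known settings and REPORT-/TRANSFORMS- references to stanzas that transforms.conf never defines. The embedded conf text is re-typed from the post with REPORT-sid trimmed to the one entry relevant to the warning, and the list of known settings is a partial one I supply.

```python
import configparser
import textwrap

# Excerpts of the props.conf and transforms.conf quoted above, re-typed as sample
# input; REPORT-sid is trimmed to the one entry relevant to the warning.
PROPS = textwrap.dedent("""\
    [firepass_log]
    KV_MODE = none
    TIME_FORMAT = %b%d%H:%M:%S
    TRANSFORM = firepass_host
    REPORT-sid = firepass-host
    """)

TRANSFORMS = textwrap.dedent("""\
    [firepass_host]
    DEST_KEY = MetaData:Host
    REGEX = (\\d+\\.\\d+.\\d+.\\d+)
    FORMAT = host::$1
    """)

# Partial list of props.conf settings (assumption: extend it for your deployment).
# Settings that name other stanzas follow a <PREFIX>-<class> pattern.
KNOWN_KEYS = {"KV_MODE", "TIME_FORMAT", "TIME_PREFIX", "SHOULD_LINEMERGE",
              "LINE_BREAKER", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE"}
KNOWN_PREFIXES = ("TRANSFORMS-", "REPORT-", "EXTRACT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")
REFERENCING_PREFIXES = ("TRANSFORMS-", "REPORT-")  # values name transforms.conf stanzas


def _parse(text: str) -> configparser.RawConfigParser:
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def lint(props_text: str, transforms_text: str) -> list:
    """Return findings: unknown keys and references to undefined transforms stanzas."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    findings = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if key not in KNOWN_KEYS and not key.startswith(KNOWN_PREFIXES):
                findings.append(f"[{stanza}] unknown key {key!r}")
            if key.startswith(REFERENCING_PREFIXES):
                for name in (n.strip() for n in value.split(",")):
                    if not transforms.has_section(name):
                        findings.append(f"[{stanza}] {key} references {name!r}, "
                                        "which transforms.conf does not define")
    return findings
```

On the excerpt it reports exactly two findings: the bare TRANSFORM key, and REPORT-sid pointing at firepass-host while the stanza is spelled firepass_host.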