
Prepare F5 servers for Telemetry Streaming

To prepare F5 servers for Telemetry Streaming:

  • Set up the Telemetry Streaming Consumer.
  • Forward F5 BIG-IP logs to Splunk.
  • Use F5 BIG-IP version 13.1 or later. Telemetry Streaming is not compatible with earlier versions of F5 BIG-IP.

Access the F5 documentation for examples of the SystemInfo data you’ll receive when using Telemetry Streaming.

Set up Telemetry Streaming Consumer

  1. Create an HEC input on your Splunk instance: https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/UsetheHTTPEventCollector
  2. Install the Telemetry Streaming package on F5 BIG-IP. For more information, see the F5 BIG-IP documentation.
  3. Enter this declaration in your API client as the body of the F5 BIG-IP Telemetry Streaming configuration request.

JSON Data for Telemetry Streaming configuration:

{
    "class": "Telemetry",
    "My_System": {
        "class": "Telemetry_System",
        "systemPoller": {
            "interval": <INTERVAL>
        }
    },
    "My_Listener": {
        "class": "Telemetry_Listener",
        "port": 6514
    },
    "My_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Splunk",
        "host": "<Splunk_IP>",
        "protocol": "http",
        "port": 8088,
        "passphrase": {
            "cipherText": "<HEC_TOKEN>"
        },
        "allowSelfSignedCert": "true"
    }
}

Setting "allowSelfSignedCert": "true" allows the F5 server to stream data to Splunk over an insecure connection. However, if the user has their own certificates in the CA store, the connection from the F5 server to Splunk is secured using those certificates, so it is not necessary to disable the global EnableSSL setting for HEC.

As you enter this data:

  1. Replace <INTERVAL> with the actual data collection interval value, for example 60.
  2. Replace <HEC_TOKEN> with the token value of the HEC input you created in step 1.
  3. Use 6514 as the port of the local Telemetry Streaming listener.
  4. Replace <Splunk_IP> with the IP address of the Splunk instance that collects the events.
  5. Enter 255.255.255.254 as the virtual server IP address when you configure logging using either AS3 or TMSH.

Splunk should start receiving SystemInfo data after these steps.
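The following script is an added example (not Splunk's or F5's own code) that fills in the placeholders of the declaration above, checks the result before it is sent, and flags the two settings that weaken transport security (protocol "http" and allowSelfSignedCert) so they are a deliberate choice rather than a leftover. The declaration layout and placeholder names come from this page; the function names and checks are this example's own, and post_declaration() assumes the Telemetry Streaming REST endpoint /mgmt/shared/telemetry/declare from F5's TS documentation, which this page does not mention.

```python
"""Render and sanity-check the Telemetry Streaming declaration shown above.

Added example, not Splunk's or F5's own code. The declaration layout and the
placeholder names (<INTERVAL>, <Splunk_IP>, <HEC_TOKEN>) come from the page;
the function names and the checks are this example's own. post_declaration()
uses the TS REST endpoint /mgmt/shared/telemetry/declare documented by F5 (not
on this page) and is the only function that touches the network.
"""
import base64
import json
import urllib.request


def build_declaration(interval, splunk_host, hec_token,
                      protocol="http", allow_self_signed=True):
    """Return the page's declaration as a dict with the placeholders filled in.

    allowSelfSignedCert is emitted as a JSON boolean here; the page quotes it as
    the string "true". This example assumes the boolean form, which is how F5's
    TS schema documents the property.
    """
    return {
        "class": "Telemetry",
        "My_System": {
            "class": "Telemetry_System",
            "systemPoller": {"interval": interval},   # <INTERVAL>
        },
        "My_Listener": {"class": "Telemetry_Listener", "port": 6514},
        "My_Consumer": {
            "class": "Telemetry_Consumer",
            "type": "Splunk",
            "host": splunk_host,                      # <Splunk_IP>
            "protocol": protocol,
            "port": 8088,                             # HEC port
            "passphrase": {"cipherText": hec_token},  # <HEC_TOKEN>
            "allowSelfSignedCert": allow_self_signed,
        },
    }


def render_declaration(decl):
    """Serialize the declaration as the JSON body of the TS configuration request."""
    return json.dumps(decl, indent=4)


def check_declaration(decl):
    """Return a list of findings; an empty list means the declaration passed.

    Catches the mistakes that are easy to make when editing the page's JSON by
    hand (placeholders left in, non-numeric interval) and flags the two settings
    that weaken transport security.
    """
    findings = []
    interval = decl["My_System"]["systemPoller"]["interval"]
    consumer = decl["My_Consumer"]
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        findings.append("systemPoller.interval must be a positive integer (the page uses 60)")
    if not isinstance(consumer["host"], str) or consumer["host"].startswith("<"):
        findings.append("host still holds the <Splunk_IP> placeholder")
    token = consumer["passphrase"]["cipherText"]
    if not token or token.startswith("<"):
        findings.append("passphrase.cipherText still holds the <HEC_TOKEN> placeholder")
    if consumer["protocol"] == "http":
        findings.append("protocol is http: events and the HEC token travel in cleartext")
    elif consumer.get("allowSelfSignedCert") is True:
        findings.append("allowSelfSignedCert is true: the Splunk HEC certificate is not verified")
    # Round-trip through the serializer so a value JSON cannot encode is caught early.
    json.loads(render_declaration(decl))
    return findings


def post_declaration(bigip_host, username, password, decl):
    """POST the declaration to BIG-IP and return the HTTP status code.

    Requires a reachable BIG-IP with TS installed; not exercised offline.
    """
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{bigip_host}/mgmt/shared/telemetry/declare",
        data=render_declaration(decl).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: no real Splunk host or HEC token.
    decl = build_declaration(60, "192.0.2.10", "00000000-0000-0000-0000-000000000000")
    print(render_declaration(decl))
    for finding in check_declaration(decl):
        print("finding:", finding)
```

Run it with your own values and treat every finding as something to resolve before posting: the placeholder findings are errors, while the http and allowSelfSignedCert findings are the conditions under which the note above (data streamed over an insecure connection unless the CA store holds trusted certificates) applies.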

Forward F5 BIG-IP logs to Splunk

  1. Configure the remote server from System > Logs > Configuration > Remote Logging. Example: Remote IP: 127.0.0.1 and Remote Port: 6514.
  2. Forward F5 BIG-IP LTM network traffic events to Splunk.
    • Create an iRule and copy the iRule definition provided in the Splunk_HTTP_TS example below into the Definition section of the new iRule.
    • Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send events to the Splunk platform.
    • Add the recently created iRule to the list of resources to be managed for this virtual server.

Name - Splunk_HTTP_TS

Definition -

# Record the client and virtual server (VIP) addresses as soon as the TCP connection is accepted
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
# Capture the request-side fields; HTTP_RESPONSE and LB_FAILED reuse these variables
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]

    # Requests without a body carry no Content-Length, so bytes_in defaults to 0
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
# Send one key="value" event per request/response pair to the "telemetry" HSL pool
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\",res_start_time=\"$res_start_time\",node=\"$node\",node_port=\"$node_port\",http_status=\"$http_status\",req_elapsed_time=\"$req_elapsed_time\",bytes_out=\"$res_length\""
}
# When load balancing fails there is no response, so only the request-side fields are sent
when LB_FAILED {
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\""
}

Forward F5 BIG-IP ASM events to Splunk

Configure F5 Logging Profiles for ASM using the details below. If you are already collecting the LTM data, do not select All requests for the Request Type, because LTM already logs all the network traffic events.

Protocol - TCP

Server Addresses - The address of the server and the port: 255.255.255.254:6514

Storage Format -

attack_type="%attack_type%",date_time="%date_time%",dest_ip="%dest_ip%",dest_port="%dest_port%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client="%ip_client%",ip_route_domain="%ip_with_route_domain%",is_trunct="%is_truncated%",manage_ip_addr="%management_ip_address%",method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
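Both the Splunk_HTTP_TS iRule above and this ASM storage format emit events as comma-separated key="value" pairs, and neither escapes quotes or commas inside a value (a User-Agent, cookie names, sig_names or headers can all contain them). The parser below is an added example, not Splunk's or F5's code: it anchors each value on the next `,name="` rather than splitting on commas, tells the iRule's HTTP_RESPONSE and LB_FAILED events apart from the set of fields present, and pulls out the ASM fields an analyst triages first. The field names are the ones the iRule and the storage format write; the sample lines are constructed and the function names are this example's own.

```python
"""Parse the key="value" events that the Splunk_HTTP_TS iRule (LTM) and the ASM
logging-profile storage format send through the Telemetry Streaming listener.

Added example, not Splunk's or F5's code. Field names are the ones the iRule
and the storage format emit; the sample lines are constructed and the function
names are this example's own.
"""
import re

# A field is name="value". The value runs up to a quote that is followed by
# ',name="' or by the end of the line; anchoring on that instead of splitting on
# commas keeps values that contain commas or quotes in one piece, because
# neither the iRule nor the storage format escapes them.
FIELD_RE = re.compile(r'(\w+)="(.*?)"(?=,\w+="|$)', re.S)

# Fields in the order the iRule writes them: HTTP_RESPONSE emits all of them,
# LB_FAILED only the first fifteen (the request-side fields).
LTM_REQUEST_FIELDS = [
    "src_ip", "vip", "http_method", "http_host", "http_uri", "http_url",
    "http_version", "http_user_agent", "http_content_type", "http_referrer",
    "req_start_time", "cookie", "user", "virtual_server", "bytes_in",
]
LTM_RESPONSE_FIELDS = LTM_REQUEST_FIELDS + [
    "res_start_time", "node", "node_port", "http_status", "req_elapsed_time", "bytes_out",
]


def parse_kv_event(line):
    """Return the event's fields as a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line.strip())}


def classify_ltm_event(fields):
    """Tell which iRule event produced the line from the set of fields present."""
    keys = set(fields)
    if keys == set(LTM_RESPONSE_FIELDS):
        return "http_response"
    if keys == set(LTM_REQUEST_FIELDS):
        return "lb_failed"
    return "unknown"


def asm_summary(fields):
    """Pull the fields an analyst triages first out of an ASM event."""
    rating = fields.get("violate_rate", "")
    return {
        "support_id": fields.get("support_id", ""),
        "req_status": fields.get("req_status", ""),
        "attack_types": [t.strip() for t in fields.get("attack_type", "").split(",") if t.strip()],
        "violation_rating": int(rating) if rating.isdigit() else None,
    }


# Constructed sample: an HTTP_RESPONSE event from the iRule. The User-Agent and
# cookie values contain commas on purpose.
LTM_SAMPLE = (
    'src_ip="198.51.100.10",vip="203.0.113.20",http_method="GET",'
    'http_host="www.example.com:443",http_uri="/login?next=/admin",'
    'http_url="www.example.com:443/login?next=/admin",http_version="1.1",'
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64, rv:109.0)",'
    'http_content_type="",http_referrer="",req_start_time="2024/01/15 10:00:00",'
    'cookie="session,lang",user="",virtual_server="/Common/pool_web 10.0.0.21 443",'
    'bytes_in="0",res_start_time="2024/01/15 10:00:00",node="10.0.0.21",'
    'node_port="443",http_status="302",req_elapsed_time="12",bytes_out="0"'
)

# Constructed sample: an LB_FAILED event (request-side fields only).
LB_FAILED_SAMPLE = (
    'src_ip="198.51.100.10",vip="203.0.113.20",http_method="POST",'
    'http_host="api.example.com:80",http_uri="/v1/items",http_url="api.example.com:80/v1/items",'
    'http_version="1.1",http_user_agent="curl/8.4.0",http_content_type="application/json",'
    'http_referrer="",req_start_time="2024/01/15 10:00:05",cookie="",user="",'
    'virtual_server="",bytes_in="42"'
)

# Constructed, abbreviated ASM event in the storage format above (a subset of
# its fields); headers carries a literal CRLF, which the pattern tolerates.
ASM_SAMPLE = (
    'attack_type="Non-browser Client,Abuse of Functionality",date_time="2024-01-15 10:00:01",'
    'dest_ip="203.0.113.20",dest_port="443",headers="Host: www.example.com\r\nUser-Agent: curl/8.4.0",'
    'ip_client="198.51.100.10",method="GET",policy_name="/Common/web_policy",protocol="HTTPS",'
    'query_str="id=1",req_status="blocked",resp_code="0",severity="Critical",'
    'sig_ids="",sig_names="",src_port="51234",support_id="1234567890123456789",'
    'uri="/item",username="N/A",violate_rate="4",violations="Illegal URL,Illegal file type"'
)

if __name__ == "__main__":
    for line in (LTM_SAMPLE, LB_FAILED_SAMPLE):
        fields = parse_kv_event(line)
        print(classify_ltm_event(fields), fields["src_ip"], fields["http_url"])
    print(asm_summary(parse_kv_event(ASM_SAMPLE)))
```

Use the field lists as a pipeline check: if a line from the listener parses to something other than "http_response" or "lb_failed", the iRule in the virtual server differs from the one above or an unescaped quote in a header value broke the event.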

Forward F5 BIG-IP APM events to Splunk

  1. Create a new logging profile with Logging Profile for Splunk as the Profile Name.
  2. Associate this logging profile with the Access Policy.
  3. Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.