BigIP¶
Key facts¶
- Requires vendor product by source configuration
- Legacy BSD Format default port 514
- Needs host to be defined in log header similarly like in this issue.
Links¶
Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/2680/ |
Product Manual | unknown |
Sourcetypes¶
sourcetype | notes |
---|---|
f5:bigip:syslog | None |
f5:bigip:irule | None |
f5:bigip:ltm:http:irule | None |
f5:bigip:gtm:dns:request:irule | None |
f5:bigip:gtm:dns:response:irule | None |
f5:bigip:ltm:failed:irule | None |
f5:bigip:asm:syslog | None |
f5:bigip:apm:syslog | None |
nix:syslog | None |
f5:bigip:ltm:access_json | User defined configuration via irule producing a RFC5424 syslog event with json content within the message field <111>1 2020-05-28T22:48:15Z foo.example.com F5 - access_json - {"event_type":"HTTP_REQUEST", "src_ip":"10.66.98.41"} This source type requires a customer specific Splunk Add-on for utility value |
Index Configuration¶
key | index | notes |
---|---|---|
f5_bigip | netops | none |
f5_bigip_irule | netops | none |
f5_bigip_asm | netwaf | none |
f5_bigip_apm | netops | none |
f5_bigip_nix | netops | if f_f5_bigip is not set the index osnix will be used |
f5_bigip_access_json | netops | none |
Parser Configuration¶
#/opt/sc4s/local/config/app-parsers/app-vps-f5_bigip.conf
#File name provided is a suggestion it must be globally unique
application app-vps-test-f5_bigip[sc4s-vps] {
filter {
"${HOST}" eq "f5_bigip"
};
parser {
p_set_netsource_fields(
vendor('f5')
product('bigip')
);
};
};