BigIP
Key facts
- Requires vendor product by source configuration (see Parser Configuration below)
- Legacy BSD format, default port 514
- Needs the host to be defined in the log header, as in this issue; the vendor product by source filter below matches on `${HOST}`, so a line whose header carries no hostname cannot be matched to this parser
Links
Sourcetypes
| sourcetype | notes | 
| f5:bigip:syslog | None | 
| f5:bigip:irule | None | 
| f5:bigip:ltm:http:irule | None | 
| f5:bigip:gtm:dns:request:irule | None | 
| f5:bigip:gtm:dns:response:irule | None | 
| f5:bigip:ltm:failed:irule | None | 
| f5:bigip:asm:syslog | None | 
| f5:bigip:apm:syslog | None | 
| nix:syslog | None | 
| f5:bigip:ltm:access_json | User-defined configuration via iRule producing an RFC 5424 syslog event with JSON content in the message field, for example `<111>1 2020-05-28T22:48:15Z foo.example.com F5 - access_json - {"event_type":"HTTP_REQUEST", "src_ip":"10.66.98.41"}`. This source type requires a customer-specific Splunk Add-on to be of use. | 
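The two checks a practitioner wants before pointing a BIG-IP at SC4S are the ones the key facts and the `f5:bigip:ltm:access_json` row call out: does the header carry a hostname (without one the `${HOST}` filter has nothing to match), and is the access_json event really RFC 5424 with a JSON body. The script below is an added example written for this page, not SC4S or F5 code: it parses both the legacy BSD (RFC 3164) and RFC 5424 header grammars, rejects lines with no host or the RFC 5424 NIL host `-`, and decodes the JSON body of `access_json` events. The sample lines are constructed (the first reproduces the event shown in the table); the fallback of everything else to `f5:bigip:syslog` / `netops` is an assumption made here so the function has a default, in SC4S the product-specific filters decide that.

```python
"""Added example for the BigIP page (not SC4S's own code): check that F5 BIG-IP
syslog lines carry a hostname in the header and pull the JSON body out of
f5:bigip:ltm:access_json events. Sample lines are constructed."""
import json
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# Legacy BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return the header fields plus 'format', or None if neither grammar matches."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["format"] = fmt
            rec["msg"] = rec.get("msg") or ""
            return rec
    return None


def has_host(rec):
    """True when the header names a host. RFC 5424 uses '-' as the NIL value; a BSD
    line that omits the hostname field altogether fails to parse at all."""
    return rec is not None and rec["host"] not in ("", "-")


def route(line):
    """Map one line to (sourcetype, index, parsed_json_or_None), or None if the line
    cannot be routed. Only the access_json case comes from the page's table; the
    f5:bigip:syslog / netops fallback is an assumption made for this example."""
    rec = parse_syslog(line)
    if not has_host(rec):
        return None
    if rec["format"] == "rfc5424" and rec["msgid"] == "access_json":
        try:
            body = json.loads(rec["msg"])
        except json.JSONDecodeError:
            return None  # MSGID promises JSON but the body is not; do not guess
        return ("f5:bigip:ltm:access_json", "netops", body)
    return ("f5:bigip:syslog", "netops", None)


# Constructed sample lines; the first is the event quoted in the sourcetype table.
SAMPLES = [
    '<111>1 2020-05-28T22:48:15Z foo.example.com F5 - access_json - '
    '{"event_type":"HTTP_REQUEST", "src_ip":"10.66.98.41"}',
    "<134>May 28 22:48:15 foo.example.com tmm[1234]: Rule /Common/log_http <HTTP_REQUEST>: GET /",
    '<111>1 2020-05-28T22:48:15Z - F5 - access_json - {"event_type":"HTTP_REQUEST"}',  # NIL host
    "<134>May 28 22:48:15 tmm[1234]: Rule /Common/log_http <HTTP_REQUEST>: GET /",  # no host field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample))
```

Run it against the device's real output (for example a few lines captured with `tcpdump` on port 514) before enabling the parser: a `None` from `route()` on production lines means the header is missing the hostname the `${HOST}` filter depends on.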
Index Configuration
| key | index | notes | 
| f5_bigip | netops | none | 
| f5_bigip_irule | netops | none | 
| f5_bigip_asm | netwaf | none | 
| f5_bigip_apm | netops | none | 
| f5_bigip_nix | netops | if f5_bigip is not set, the index osnix will be used | 
| f5_bigip_access_json | netops | none | 
Parser Configuration
```
# /opt/sc4s/local/config/app-parsers/app-vps-f5_bigip.conf
# The file name is a suggestion; it must be globally unique.
application app-vps-test-f5_bigip[sc4s-vps] {
    filter {
        # Matches the hostname the device places in the syslog header (see Key facts)
        "${HOST}" eq "f5_bigip"
    };
    parser {
        p_set_netsource_fields(
            vendor('f5')
            product('bigip')
        );
    };
};
```