Forum Discussion

Shiva_69966
Nov 18, 2014

LTM logs(All events) to splunk using HSL

Hi guys, I need help in setting up HSL for BIG-IP logs. As F5 recommends, I have followed the procedure: create pool (log servers) -> log destination -> publisher -> filter.

 

Now the challenge we face is that we are only seeing the logs below in Splunk, and not the rest of the logs, such as mcpd, tmm, etc.

 

2014-11-14T03:12:46.247064-05:00 default send string
2014-11-14T03:12:46.805381-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:48.145854-05:00 10.X.X.2 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:48.805812-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"
2014-11-14T03:12:49.904306-05:00 default send string

 

Is there anything I'm missing?

 

8 Replies

  • HSL configuration:

    Publisher:
      name: Splunk-hsl
      partition: Common
      Destination: Splunk-formatted

    Filters:
      Name: Filter-splunk
      partition: Common
      severity: informational
      source: all
      Message Id:
      Log publisher: Splunk-hsl


  • Publisher:
      name: Splunk-hsl
      partition: Common
      Destination: Splunk-formatted

    Filters:
      Name: Filter-splunk
      partition: Common
      severity: informational
      source: all
      Message Id:
      Log publisher: Splunk-hsl

  • Do you guys have any update on this one? Any insight on this one is greatly appreciated.

     

  • I have configured HSL and am forwarding logs to McAfee SIEM. I am also receiving similar errdefs_msgno="01260018:5:" logs.

     

    Any idea as to why only those logs?

     

  • It is a format issue, and the SIEM is not interpreting it properly.

     

    Assume the SIEM IP and port is x.x.x.x:514. Run the following tmsh commands:
    1. Create pool
    2. HSL log config
    3. Syslog log config
    4. Publisher

     

    create ltm pool pool.HSLogging.SIEM members add { x.x.x.x:514 }
    create sys log-config destination remote-high-speed-log SIEM_Server description SIEM_Server pool-name /Common/pool.HSLogging.SIEM protocol udp
    create sys log-config destination remote-syslog SIEM_Filter description SIEM_Filter format rfc5424 remote-high-speed-log SIEM_Server
    create sys log-config publisher Syslog_Publisher description Splunk_Publisher destinations add { SIEM_Filter }

     

    Good luck !!!!
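    The format mismatch described in the reply above can be checked on the receiving side by parsing the lines as they arrive: a bare HSL record carries only the key="value" header with no message body, while a record sent through a remote-syslog destination with format rfc5424 carries the PRI/version header a SIEM expects. The following Python is an added example, not code from the thread or from F5; the RFC 5424 sample line is constructed, and the field layout after the header is an assumption.

```python
import re
from collections import Counter

# Sample input: the first two lines are copied from the forum post above (the
# 10.X.X.n addresses are the poster's own redaction). The third is CONSTRUCTED,
# an assumed RFC 5424 framing of a record using an errdefs_msgno from the thread.
SAMPLE_LINES = [
    '2014-11-14T03:12:46.805381-05:00 10.X.X.1 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"',
    '2014-11-14T03:12:48.145854-05:00 10.X.X.2 hostname="localhost.localdomain",errdefs_msgno="013d0007: 6:"',
    '<134>1 2014-11-14T03:12:49.000000-05:00 bigip1 mcpd 0 01260018 - '
    'hostname="bigip1",errdefs_msgno="01260018:5:" constructed message body',
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$')
# Bare HSL record as seen in the thread: timestamp, source address, key="value" pairs
BARE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line):
    """Classify one received line as rfc5424, bare_hsl or unparsed and extract fields."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m['pri'])
        rec = {'kind': 'rfc5424', 'facility': pri // 8, 'severity': pri % 8,
               'host': m['host'], 'app': m['app'], 'msg': m['msg']}
    else:
        m = BARE_RE.match(line)
        if not m:
            return {'kind': 'unparsed', 'msg': line, 'errdefs_msgno': '', 'body': line}
        rec = {'kind': 'bare_hsl', 'src': m['src'], 'msg': m['msg']}
    kv = dict(KV_RE.findall(rec['msg']))
    rec['errdefs_msgno'] = kv.get('errdefs_msgno', '').strip()
    # Whatever remains after stripping the key="value" prefix is the message body.
    rec['body'] = KV_RE.sub('', rec['msg']).strip(' ,')
    return rec

def diagnose(lines):
    """Count record kinds and flag the thread's symptom: bare records with no body."""
    recs = [parse_record(l) for l in lines]
    kinds = Counter(r['kind'] for r in recs)
    header_only = sum(1 for r in recs if r['kind'] == 'bare_hsl' and not r['body'])
    return {'kinds': dict(kinds), 'header_only': header_only,
            'format_issue': kinds['bare_hsl'] > 0 and header_only == kinds['bare_hsl']}

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_record(line))
    print(diagnose(SAMPLE_LINES))
```

    Feed it the raw events as the SIEM stored them; a non-zero header_only count means the HSL destination is emitting records without the syslog framing and message body the parser needs.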

     

  • The HSL configuration that I did is partially working. I have created a request logging profile and have modified the template in the HTTP request to fit the SIEM parser format and sequence, and that works like sweet candy using the TMM interface I configured and mapped to the new VLAN.

     

    Now the problem is that I am not getting the system logs via HSL. I cannot see any audit log. In case I add the SIEM server as a remote syslog server, then I start receiving them, but I lose control, as I cannot use my log filter because it is not using HSL.

     

    I had raised an F5 case. There is something which is still not triggering the system logs through the HSL TMM interface.