Splunk Connect for Syslog F5 Log Ingestion

We have been approached by several clients who have been using Splunk Connect for Syslog and have been experiencing issues with automatic filtering. This has been particularly prominent with F5 logs, as we have noticed that ingesting these logs has been a recurring issue across Splunk deployments.

In the case of F5 logging, where the log format produced by iRules may differ completely between deployments, SC4S will not recognise the logs and you will likely see nothing ingested into Splunk, or see the events incorrectly ingested under the nix:syslog sourcetype.

We were able to identify the solution to the issue within the Splunk Connect for Syslog documentation.

SC4S needs to be configured to recognise which hosts are sending it F5 logs. This is done by creating a config file in /opt/sc4s/local/config/app-parsers with a unique name such as app-vps-f5_bigip.conf. The configuration is as follows:

#/opt/sc4s/local/config/app-parsers/app-vps-f5_bigip.conf
# The file name is a suggestion; it must be globally unique

application app-vps-test-f5_bigip[sc4s-vps] {
    filter {
        "${HOST}" eq "f5_bigip"
    };
    parser {
        p_set_netsource_fields(
            vendor('f5')
            product('bigip')
        );
    };
};

All that needs to be configured is replacing "f5_bigip" with the hostname (or, using one of the filter variants below, a pattern matching the hostnames) of the devices that will be sending the F5 logs. Once the file is written, run systemctl restart sc4s and your SC4S server should now recognise your F5 logs.

The filter "${HOST}" eq "f5_bigip" can be changed as needed to better match your F5 hosts, for example:

  • To match using a wildcarded host name: host("f5_bigip*" type(glob))
  • If IP addresses need to be used: netmask("192.168.5.0/24")

More information on Syslog-ng filters can be found here.
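As an added pre-flight check (not part of SC4S or of this post), the following Python script mimics how the three filter variants above (exact eq, glob, netmask) would classify a constructed inventory of syslog senders, so you can see which hosts would be tagged vendor f5 / product bigip and which would silently fall back to nix:syslog before you restart SC4S. The inventory is made up, and fnmatch/ipaddress are an approximation of syslog-ng's own glob and netmask matching.

```python
import fnmatch
import ipaddress

# Constructed inventory of syslog senders: (hostname as SC4S sees ${HOST}, source IP).
SENDERS = [
    ("f5_bigip", "192.168.5.10"),
    ("f5_bigip-dc2", "192.168.5.11"),
    ("lb-f5-edge01", "10.20.0.5"),
    ("linux-web01", "192.168.7.3"),
]

# Outcome labels: matched senders reach the F5 parsers; the rest fall through
# to SC4S's generic nix:syslog handling, which is the failure mode described above.
MATCHED = "f5_bigip"
FALLBACK = "nix:syslog"


def host_eq(value):
    """Mimics  "${HOST}" eq "value"  : exact, case-sensitive string match."""
    return lambda host, ip: host == value


def host_glob(pattern):
    """Mimics  host("pattern" type(glob))  : shell-style wildcard on the hostname."""
    return lambda host, ip: fnmatch.fnmatchcase(host, pattern)


def netmask(cidr):
    """Mimics  netmask("a.b.c.d/n")  : sender IP inside the given subnet."""
    net = ipaddress.ip_network(cidr)
    return lambda host, ip: ipaddress.ip_address(ip) in net


def any_of(*filters):
    """Combine several filters the way syslog-ng's 'or' would."""
    return lambda host, ip: any(f(host, ip) for f in filters)


def classify(senders, match):
    """Return {hostname: outcome} for every sender under the given filter."""
    return {host: (MATCHED if match(host, ip) else FALLBACK) for host, ip in senders}


if __name__ == "__main__":
    variants = {
        "eq": host_eq("f5_bigip"),
        "glob": host_glob("f5_bigip*"),
        "glob or netmask": any_of(host_glob("f5_bigip*"), netmask("192.168.5.0/24")),
    }
    for name, flt in variants.items():
        print(f"{name:16} {classify(SENDERS, flt)}")
```

Any F5 device that shows up under nix:syslog in this output needs the filter widened (or its hostname corrected) before the change goes live.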

F5 logs are not the only source that requires this configuration; another example is Dell RSA SecurID. It is therefore always a good idea to double-check the vendor-specific pages in the SC4S documentation.

Additionally, a new version of the F5 add-on has been released with additional features, which can be viewed here.
