How I did it - "Visualizing Data with F5 TS and Splunk" | DevCentral (2024)

The new Splunk Add-on for F5 BIG-IP includes several objects (modular inputs, CIM knowledge, etc.) that work to “normalize” incoming BIG-IP data for use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The add-on includes a mechanism for pulling network traffic data, system logs, system settings, performance metrics, and traffic statistics from the F5 BIG-IP platform using F5’s iControl API.

But what I'm really excited about is that the add-on now integrates with F5 Telemetry Streaming (TS). With TS I can declaratively aggregate, normalize, and push BIG-IP statistics and events (JSON-formatted) to a variety of third-party analytics vendors.

For the remainder of this article, we’ll take a look at how I integrate F5 TS with Splunk Enterprise. I’ll be working with an existing BIG-IP deployment as well as a newly deployed Splunk Enterprise instance. As an added bonus (and since it’s part of the article’s title), I’ll import a couple of custom dashboards (see below) to visualize our newly ingested telemetry data.

Oh! As an extra added bonus, here is a link to a video walkthrough of this solution.

Installing the Splunk Add-on for F5 BIG-IP and Splunk CIM

Installing the Splunk F5 add-on is very simple. Additionally, to make use of the add-on I’ll need to install Splunk’s Common Information Model (CIM) add-on, which it depends on.

1. From the Splunk search page, I select ‘Apps’ → ‘Find More Apps’.

2. I search for “CIM” and select the Splunk Common Information Model add-on.

3. I accept the license agreement, provide my Splunk account login credentials and select ‘Login and Install’.

4. I’ll repeat steps 2-3 to install the Splunk Add-on for F5 BIG-IP.

Setup Splunk HTTP Event Collector

To receive incoming telemetry data into my Splunk Enterprise environment over HTTP/HTTPS, I will need to create an HTTP Event Collector (HEC) token.

1. From the UI I select ‘Settings’ → ‘Data Inputs’. I select ‘HTTP Event Collector’ from the input list.

2. Prior to creating a new event collector token, I must first enable token access for my Splunk environment. On the ‘HTTP Event Collector’ page, I select ‘Global Settings’. I set ‘All Tokens’ to enabled, choose a default index and incoming port (8088 by default), and ensure SSL is enabled so that neither the token nor the event data crosses the network in clear. I click ‘Save’ to exit.

3. I select ‘New Token’, provide a name for the new collector and select ‘Next’.

4. On the ‘Input Settings’ tab I’ll select my allowed index(es) and select ‘Review’, then ‘Submit’.

5. Once the token is created, I copy its value for use in my F5 TS configuration. The token is the only thing authenticating posts to the collector, so it should be handled like any other credential.

Configure Telemetry Streaming

With my Splunk environment ready to receive telemetry data, I now turn my attention to configuring the BIG-IP for telemetry streaming. Fortunately, with F5’s Automation Toolchain, configuring the BIG-IP is quite simple.

1. I’ll use Postman to POST an AS3 declaration that configures the telemetry resources (telemetry listener, log publisher, logging profiles, etc.).

This AS3 declaration (available here) deploys the BIG-IP objects required to push event data to a third-party vendor. Notably, it creates four (4) logging profiles that I’ll attach to my application’s virtual server.

2. Still using Postman, I POST my TS declaration (sample) to the TS endpoint on the BIG-IP. I need to provide my Splunk HTTP Event Collector address/port as well as the token generated previously.
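The HEC setup and the TS declaration above are the two places where the collector token is handled, so as an added example (my own code, not F5's, Splunk's or the article's) here is a small Python script that builds the TS declaration with a Splunk consumer, lints it for the two settings that would expose the token (plain HTTP, or HTTPS with certificate validation switched off), smoke-tests the HEC token with one event before the BIG-IP is touched, and only then POSTs the declaration to the TS endpoint (/mgmt/shared/telemetry/declare) over iControl REST. The host names, admin credentials, CA bundle path and token value are made-up placeholders; the declaration property names, the TS endpoint path and the HEC response codes are as documented by F5 and Splunk.

```python
"""Build, lint and push a Telemetry Streaming declaration with a Splunk HEC
consumer. Added example for this article; all hosts, credentials, paths and
the token below are placeholders (assumptions), not real lab values."""
import json
import ssl
import urllib.error
import urllib.request
from base64 import b64encode

TS_DECLARE_PATH = "/mgmt/shared/telemetry/declare"  # TS iControl LX endpoint on the BIG-IP
HEC_EVENT_PATH = "/services/collector/event"        # Splunk HEC JSON event endpoint


def build_ts_declaration(splunk_host, hec_token, hec_port=8088, protocol="https",
                         allow_self_signed=False, poll_interval=60, listener_port=6514):
    """Return the TS declaration. The HEC token goes in passphrase.cipherText;
    TS encrypts it on the BIG-IP once the declaration is accepted."""
    return {
        "class": "Telemetry",
        "My_System": {
            "class": "Telemetry_System",
            "systemPoller": {"interval": poll_interval},  # seconds between stats polls
        },
        "My_Listener": {
            "class": "Telemetry_Listener",
            "port": listener_port,  # the AS3-created log publisher sends LTM/AVR/ASM events here
        },
        "My_Consumer": {
            "class": "Telemetry_Consumer",
            "type": "Splunk",
            "host": splunk_host,
            "protocol": protocol,
            "port": hec_port,
            "allowSelfSignedCert": allow_self_signed,
            "passphrase": {"cipherText": hec_token},
        },
    }


def lint_declaration(decl):
    """List settings on any Splunk consumer that would expose the token or the
    event stream; an empty list means the consumer is configured as intended."""
    findings = []
    for name, obj in decl.items():
        if not isinstance(obj, dict) or obj.get("class") != "Telemetry_Consumer":
            continue
        if obj.get("type") != "Splunk":
            continue
        if obj.get("protocol") != "https":
            findings.append(f"{name}: protocol={obj.get('protocol')!r}; token and events sent in clear")
        if obj.get("allowSelfSignedCert"):
            findings.append(f"{name}: allowSelfSignedCert=true; a spoofed collector could harvest the token")
        if "passphrase" not in obj:
            findings.append(f"{name}: no HEC token under passphrase")
    return findings


def parse_hec_response(body):
    """HEC answers {"text":"Success","code":0}; non-zero codes such as
    3 (invalid authorization) or 4 (invalid token) mean nothing was indexed."""
    reply = json.loads(body)
    return reply.get("code") == 0, reply.get("text", "")


def _post_json(url, payload, headers, cafile=None):
    """POST JSON over TLS with certificate validation against cafile; return
    (status, body) even on a 4xx reply so the HEC error code can be read."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def hec_smoke_test(splunk_host, hec_token, hec_port=8088, cafile=None):
    """Send one event to HEC first, so a disabled or mistyped token shows up
    here rather than as an empty Splunk index after the BIG-IP is configured."""
    _, body = _post_json(f"https://{splunk_host}:{hec_port}{HEC_EVENT_PATH}",
                         {"event": "ts-hec-smoke-test"},
                         {"Authorization": f"Splunk {hec_token}"}, cafile)
    return parse_hec_response(body)


def push_ts_declaration(bigip_host, user, password, decl, cafile=None):
    """POST the declaration to TS (basic auth over iControl REST), refusing to
    send one the lint has flagged."""
    findings = lint_declaration(decl)
    if findings:
        raise ValueError("weak TS declaration: " + "; ".join(findings))
    auth = b64encode(f"{user}:{password}".encode()).decode()
    return _post_json(f"https://{bigip_host}{TS_DECLARE_PATH}", decl,
                      {"Authorization": f"Basic {auth}"}, cafile)


if __name__ == "__main__":
    token = "00000000-0000-0000-0000-000000000000"  # placeholder HEC token
    weak = build_ts_declaration("splunk.lab.example", token, protocol="http", allow_self_signed=True)
    print("weak declaration:", lint_declaration(weak))
    good = build_ts_declaration("splunk.lab.example", token)
    ok, text = hec_smoke_test("splunk.lab.example", token, cafile="/etc/ssl/lab-ca.pem")
    if ok:
        print(push_ts_declaration("bigip.lab.example", "admin", "admin-password", good, "/etc/ssl/lab-ca.pem"))
    else:
        print("HEC rejected the test event:", text)
```

Two design points: the declaration is sent to the BIG-IP with the token in cipherText, so the iControl REST call itself must be HTTPS with a validated certificate (the script never disables validation, and a CA bundle is passed explicitly rather than trusting whatever the host has); and the lint runs before every push, so a declaration edited by hand to `"protocol": "http"` or `"allowSelfSignedCert": true` is rejected instead of silently downgrading the collector path.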

Associate Logging Profiles to Virtual Server

The final step in configuring the BIG-IP for telemetry streaming is associating the logging profiles I just created with my existing virtual server. In addition to system telemetry, these logging profiles, when assigned to a virtual server, will send LTM, AVR, and ASM telemetry.

1. From the BIG-IP management UI, I select ‘Local Traffic’ → ‘Virtual Servers’ → <virtual>.

2. Under ‘Configuration’ I select ‘Advanced’, scroll down and select the HTTP, TCP, and request logging profiles previously created. I select ‘Update’ at the bottom of the page to save.

3. From the top of the virtual server page, I select ‘Security’ → ‘Policies’. From the policy settings page, I can see that there is an existing WAF policy associated with my application. To enable ASM logging, I select the previously created ASM logging profile from the available logging profiles and select ‘Update’ to save my changes.

With the configuration process complete, I should now start seeing event data in my Splunk environment. If nothing arrives, the usual suspects are a HEC token that was never enabled, a port or protocol mismatch between the TS consumer and the HEC global settings, or a logging profile that was created but not attached to the virtual server.

Import Dashboards

“Ok, so I have event data streaming into my Splunk environment; now what?”

Since I have installed the Splunk F5 add-on, I can integrate my “normalized” data with other data sources to populate various Splunk applications like Splunk Enterprise Security and the Splunk App for PCI Compliance. Likewise, I can use dashboards to visualize my telemetry data as well as monitor BIG-IP resources/processes. To finish up, I’ll use the following steps to create custom dashboards visualizing BIG-IP metrics and Advanced WAF (formerly ASM) attack information.

1. From the Splunk Search page, I navigate to the Dashboards page by selecting ‘Dashboards’.

2. Select ‘Create New Dashboard’ from the Dashboards page.

3. Provide a name for the new dashboard and select ‘Create Dashboard’. The dashboard name (the ID will remain unchanged) will be updated in the next step, where I replace the newly created dashboard’s XML source with one of the community-supported dashboard XML files here.

4. On the ‘Edit Dashboard’ screen I select ‘Source’ to edit the dashboard XML. I replace the existing XML data with the contents of the ‘advWafInsights.xml’ file. Select ‘Save’ to install the new dashboard.

5. I’ll repeat steps 1-4 using ‘bigipSystemMetrics.xml’ to install the BIG-IP metrics dashboard.

Additional Links

· F5 Telemetry Streaming

· Splunk Add-on for F5 BIG-IP

· Splunk Common Information Model

· F5 Automation Toolchain

Updated Dec 13, 2022

Version 2.0

application delivery

ASM Advanced WAF

BIG-IP

security
