Configuring F5 BIG-IP to Send Logs to Splunk

This post outlines the steps needed to configure an F5 BIG-IP system to send its system, security (ASM/AFM), traffic (LTM/DNS) and access (APM) logs to Splunk, so that the events can be monitored and searched centrally. It is written for the IT or security team that will implement and maintain the logging path.

Prerequisites

  • F5 BIG-IP device (preferably running version 13 to 15)
  • Splunk receiver: a Splunk Enterprise indexer or a heavy/universal forwarder with a TCP (or UDP) network input on the port used below, plus a dedicated index for BIG-IP data
  • Network access from the BIG-IP to the Splunk receiver on that port. The two sending paths use different source addresses: /sys syslog messages leave through the management interface or a self IP according to the host routing table, while high-speed logging (HSL) and ASM remote logging leave the data plane through a self IP, so allow both sources on the Splunk side

Preparatory Actions

1. Backup Current Configuration

Save a UCS archive of the current configuration on your F5 BIG-IP system before you start, so that you can roll back if necessary.

2. Setup Splunk Server

Prepare your Splunk server to receive logs from the F5 BIG-IP: create an index for BIG-IP data, add a network input (TCP on the port the BIG-IP will send to), and install the F5 add-on for Splunk so that the incoming sourcetypes are parsed and the dashboards populate.

Configuration Steps

1. Configure Remote Syslog

  • Objective: To define a remote syslog server on the BIG-IP so that system-level messages (the /var/log/ltm stream, audit and daemon logs) are forwarded to Splunk.
  • Best Practice: Use TCP for reliable transport. The plain /sys syslog remote-server path below is UDP only; for TCP, send through a high-speed logging (HSL) publisher instead (section 3) or add a syslog-ng include stanza. Whichever path you use, the Splunk input must listen on that protocol and port: 6514 is the syslog-over-TLS port and is the wrong target for a cleartext sender.
# Add remote syslog destination (UDP; the port must match the Splunk network input)

tmsh modify /sys syslog remote-servers add { Splunk { host {SPLUNK-IP} remote-port 514 } }

# No separate enable step exists: once a remote server is defined, syslog-ng forwards the local log streams to it, subject to the per-facility severity cut-offs configured under /sys syslog. Confirm the object, then save the configuration with tmsh save /sys config

tmsh list /sys syslog remote-servers

2. Create ASM Logging Profile

  • Objective: To define which security events are forwarded to Splunk: ASM (application security) events and, if AFM is provisioned, network-firewall ACL events.
  • Best Practice: Customize the filters to your organization's requirements. The application section's default filter logs illegal requests only, which is the right starting point for Splunk volume.
# Create the logging profile with an application (ASM) section that sends events to the Splunk receiver in Splunk key=value format over TCP

tmsh create /security log profile Splunk-ASM application add { Splunk-ASM { logger-type remote remote-storage splunk protocol tcp servers add { {SPLUNK-IP}:514 } } }

# The ACL-match filters belong to the network (AFM) section of the profile, not to ASM, and require AFM to be provisioned. {LOG-PUBLISHER} is a /sys log-config publisher that reaches Splunk. Confirm the property names for your version with tmsh help security log profile

tmsh modify /security log profile Splunk-ASM network add { Splunk-ASM { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } format { type field-list field-list-delimiter , field-list { date_time acl_policy_name acl_rule_name action src_ip src_port dest_ip dest_port protocol } } publisher {LOG-PUBLISHER} } }

# A logging profile takes effect only when attached to a virtual server. Illegal-request logging is selected by the application section's filter, not by a separate object

tmsh modify /ltm virtual {vs_name} security-log-profiles add { Splunk-ASM }

3. Configure HSL iRules

  • Objective: To emit per-request LTM (HTTP) and DNS events to Splunk from iRules through high-speed logging (HSL).
  • Best Practice: Test iRules in a non-production environment first. HSL is fire-and-forget: when no pool member is available, messages are dropped silently, so give the pool a health monitor and alert on its state. HSL sends cleartext TCP or UDP, so point it at the port where Splunk accepts plain syslog (514 below), not at the TLS port 6514.
# Create HSL pool to the Splunk TCP receiver

tmsh create /ltm pool Splunk-HSL-Pool members add { {SPLUNK-IP}:514 } monitor tcp

# Create HTTP request/response iRule

tmsh create /ltm rule Splunk-HTTP-iRule ...

# Create DNS request/response iRules (DNS events require a DNS profile on the listener virtual server)

tmsh create /ltm rule Splunk-DNS-Request-iRule ...
tmsh create /ltm rule Splunk-DNS-Response-iRule ...

# Reference the iRules from the virtual servers: the HTTP rule on the HTTP virtual server, the DNS rules on the DNS listener

tmsh modify /ltm virtual {http_vs_name} rules { Splunk-HTTP-iRule }
tmsh modify /ltm virtual {dns_vs_name} rules { Splunk-DNS-Request-iRule Splunk-DNS-Response-iRule }
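The complete HSL path that sections 1 and 3 rely on, as an added example rather than configuration from the original post: a monitored TCP pool to the Splunk receiver, a log destination and publisher that system-level logging (the security log profile's network section, APM log settings) can reference, and the HTTP and DNS iRules the post elides (the two DNS rules are merged into one). It is in bigip.conf stanza form for tmsh load sys config merge from-terminal (paste, then Ctrl-D). The receiver 192.0.2.10:514, the hostname tag bigip1, the object names and the syslog facility local0 are assumptions; replace them with your own. The iRules write straight to the pool, so they build the syslog header themselves; messages that go through Splunk-Publisher get the header from the remote-syslog destination.

```tmsh
ltm pool Splunk-HSL-Pool {
    members {
        192.0.2.10:514 {
            address 192.0.2.10
        }
    }
    monitor tcp
}
sys log-config destination remote-high-speed-log Splunk-HSL-Dest {
    pool-name Splunk-HSL-Pool
    protocol tcp
}
sys log-config destination remote-syslog Splunk-Syslog-Dest {
    format rfc5424
    remote-high-speed-log Splunk-HSL-Dest
}
sys log-config publisher Splunk-Publisher {
    destinations {
        Splunk-Syslog-Dest { }
    }
}
ltm rule Splunk-HTTP-iRule {
    when RULE_INIT {
        # Assumed hostname for the syslog header, and a map that turns double
        # quotes and line breaks into harmless characters so a hostile header
        # value cannot forge a field or inject a second syslog record
        set static::splunk_host "bigip1"
        set static::splunk_esc [list \" ' \n " " \r " "]
    }
    when CLIENT_ACCEPTED {
        # Plain TCP to the pool: HSL does not do TLS, and it drops silently
        # when no pool member is available
        set hsl [HSL::open -proto TCP -pool /Common/Splunk-HSL-Pool]
    }
    when HTTP_REQUEST {
        set req_start [clock clicks -milliseconds]
        set req_method [HTTP::method]
        set req_host [string map $static::splunk_esc [HTTP::host]]
        # Log the path only: query strings routinely carry tokens and session IDs
        set req_path [string map $static::splunk_esc [HTTP::path]]
        set req_qlen [string length [HTTP::query]]
        set req_ua [string map $static::splunk_esc [HTTP::header value "User-Agent"]]
    }
    when HTTP_RESPONSE {
        # A response can be seen without a request event on this connection
        # (for example after a server-side retry); skip half-populated records
        if { ![info exists req_start] } { return }
        set elapsed [expr {[clock clicks -milliseconds] - $req_start}]
        # <134> is facility local0, severity info; the trailing LF delimits
        # records on the TCP stream for the syslog receiver
        HSL::send $hsl "<134>[clock format [clock seconds] -format {%b %e %H:%M:%S}] $static::splunk_host f5_ltm: vs=\"[virtual name]\" client=\"[IP::client_addr]\" method=\"$req_method\" host=\"$req_host\" path=\"$req_path\" query_len=\"$req_qlen\" status=\"[HTTP::status]\" ms=\"$elapsed\" ua=\"$req_ua\"\n"
        unset req_start
    }
}
ltm rule Splunk-DNS-iRule {
    when RULE_INIT {
        set static::splunk_host "bigip1"
        set static::splunk_esc [list \" ' \n " " \r " "]
    }
    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto TCP -pool /Common/Splunk-HSL-Pool]
    }
    when DNS_REQUEST {
        # Question names come from the client, so they get the same escaping
        set qname [string map $static::splunk_esc [DNS::question name]]
        set qtype [DNS::question type]
    }
    when DNS_RESPONSE {
        if { ![info exists qname] } { return }
        HSL::send $hsl "<134>[clock format [clock seconds] -format {%b %e %H:%M:%S}] $static::splunk_host f5_dns: client=\"[IP::client_addr]\" qname=\"$qname\" qtype=\"$qtype\" rcode=\"[DNS::header rcode]\" answers=\"[llength [DNS::answer]]\"\n"
    }
}
```

Run the merge with the verify option first to catch syntax errors without changing the running configuration. After loading, attach Splunk-HTTP-iRule to the HTTP virtual server and Splunk-DNS-iRule to the DNS listener with tmsh modify /ltm virtual {vs_name} rules { ... }, and reference Splunk-Publisher from the network section of the security log profile and from the APM log setting. Both iRules write one record per request/response pair, which keeps volume predictable; if you also need records for requests that never get a response (client resets, timeouts), add a CLIENT_CLOSED event that checks whether req_start still exists.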

4. Configure APM Logging

  • Objective: To raise APM session-logging verbosity and route the access logs to Splunk.
  • Best Practice: Use the debug level only while troubleshooting and revert to notice afterwards: debug-level access logs are high volume and can include session variable values (user names and other per-session data), so treat the Splunk index that receives them as sensitive.
# Inspect the default APM log setting to see the exact stanza your version uses, then create Log-Settings from it with the access log level raised to debug and the publisher pointed at the Splunk publisher

tmsh list /apm log-setting default-log-setting

# A log setting has no effect until an access profile references it

tmsh modify /apm profile access {access_profile} log-settings replace-all-with { Log-Settings }

Post-Configuration

1. Verification

Verify the setup end to end. On the BIG-IP, confirm the objects exist (tmsh list /sys syslog remote-servers, tmsh list /security log profile Splunk-ASM) and that the HSL pool member is up; a tcpdump on the BIG-IP filtered on the Splunk address and port shows the messages leaving. In Splunk, search the target index for events from the BIG-IP host and check that the add-on assigns the expected sourcetypes and extracts the key=value fields. Then generate a known event (a request that ASM blocks, a failed SSH login on the BIG-IP) and confirm it arrives.

2. Documentation

Document all the changes made during this setup, including any iRule scripts created.

3. Monitoring

Monitor the logging path itself, not just the systems it reports on: alert when the HSL pool member goes down (HSL drops messages silently when no member is available) and when Splunk has received no events from the BIG-IP for a defined interval, so that a silent outage of the log stream is noticed by the responsible personnel.

Conclusion

This guide should help your IT department set up F5 BIG-IP to send logs to Splunk in line with industry best practices. Adhere to the best practices mentioned above and update the setup as organizational needs and industry standards evolve.

Feel free to reach out for clarification or further guidance on specific sections of this guide. Always validate configurations in a non-production environment before rolling them out to production.