Joe_Chapman_416
Jun 28, 2012

Splunk for F5 Networks LTM v11 iRule

Hello, I've been struggling to get Splunk for F5 networks working properly.

http://splunk-base.splunk.com/apps/50944/splunk-for-f5-networks

There is an install guide that I've followed very closely. I think that the problem is with the iRule that they suggest:

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}

when HTTP_REQUEST {
    set vhost [HTTP::host]:[TCP::local_port]
    set url [HTTP::uri]
    set method [HTTP::method]
    set http_version [HTTP::version]
    set user_agent [HTTP::header "User-Agent"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set req_elapsed_time 0
    set virtual_server [LB::server]

    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
        HTTP::collect $req_length
    } else {
        set req_length 0
    }

    if { [HTTP::header "Referer"] ne "" } then {
        set referer [HTTP::header "Referer"]
    } else {
        set referer -
    }
}

when HTTP_REQUEST_DATA {
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    HTTP::release
}

when HTTP_RESPONSE {
    set hsl [HSL::open -proto UDP -pool pool_syslog]
    set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]:[TCP::server_port]
    set status [HTTP::status]

    if { [HTTP::header Content-Length] > 0 } then {
        set response_length [HTTP::header "Content-Length"]
    } else {
        set response_length 0
    }

    HSL::send $hsl "<190>|$vhost|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server"
}

I cannot get this to work as designed and I think it's because we're on v11

 

BIG-IP 11.1.0 Build 1943.0 Final

Has anyone figured out how to send this information to a logging server via an iRule (as suggested)?

Any help would be appreciated, I'm stuck!

Thanks

 

-Joe
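
Added example, not part of the original post or of the Splunk app's install guide: a Python parser for the pipe-delimited line that the `HSL::send` call in the iRule above builds, which can be pointed at whatever the syslog receiver captures to check that the fields arrive as expected. The field names follow the iRule's variables; the function name and the sample lines are constructed for illustration. Because the Host, URI, User-Agent and Referer values come from the client and are not escaped, a `|` inside one of them shifts every later field, so the parser rejects such a line instead of guessing.

```python
import re

# Field order copied from the HSL::send format string in the iRule above.
FIELDS = ["vhost", "client", "method", "url", "http_version", "user_agent",
          "referer", "req_start_time", "req_length", "req_elapsed_time",
          "node", "status", "resp_start_time", "response_length",
          "virtual_server"]
NUMERIC = ("req_length", "req_elapsed_time", "status", "response_length")
PRI_RE = re.compile(r"<([0-9]{1,3})>\|")

def parse_hsl_line(line):
    """Return a dict of fields; raise ValueError if the line is malformed."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog <PRI> prefix")
    parts = line[m.end():].rstrip("\r\n").split("|")
    # vhost, url, user_agent and referer are client-controlled; a '|' in any
    # of them shifts every later field, so refuse the line, do not guess.
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    # PRI = facility * 8 + severity; <190> is local7 (23) / info (6).
    rec["facility"], rec["severity"] = divmod(int(m.group(1)), 8)
    for key in ("url", "referer"):  # the iRule wraps these two in quotes
        value = rec[key]
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"{key} is not quoted: {value!r}")
        rec[key] = value[1:-1]
    for key in NUMERIC:
        if not re.fullmatch(r"[0-9]+", rec[key]):
            raise ValueError(f"{key} is not numeric: {rec[key]!r}")
        rec[key] = int(rec[key])
    return rec

# Constructed sample lines (not captured from a real BIG-IP).
SAMPLE_OK = ('<190>|www.example.com:80|192.0.2.10|GET|"/index.html"|HTTP/1.1|'
             'Mozilla/5.0|"-"|2012/06/28 10:15:00|0|0|10.0.0.5:8080|200|'
             '2012/06/28 10:15:01|5120|pool_web')
SAMPLE_SHIFTED = SAMPLE_OK.replace("Mozilla/5.0", "Mozilla/5.0 (a|b)")

if __name__ == "__main__":
    print(parse_hsl_line(SAMPLE_OK))
    try:
        parse_hsl_line(SAMPLE_SHIFTED)
    except ValueError as exc:
        print("rejected:", exc)
```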