tuckner / f5-elk

Logstash Configs and Kibana Dashboards for F5 LTM & ASM
MIT License

ELK 6 #1

Open buenoser opened 6 years ago

buenoser commented 6 years ago

Hi,

I tested it with ELK 6 and F5 BigIP 13.0, but nothing works anymore.

Have you tested it with these components?

tuckner commented 6 years ago

I haven't tested with ELK 6. I believe some of the type mappings in the template may have been deprecated, and Kibana changes often as far as dashboard widgets are concerned, but as far as I know, the F5 log format should be the same (key/value) and Logstash should still be able to process them into Elastic.

buenoser commented 6 years ago

Hi, for the ASM logs, it worked. In fact, the mapping doesn't work with the template.

And the automatic mapping does it like this:

<131>Jul 27 15:55:09 F5DEVICE.domain.lu ASM:unit_hostname
<131>Jul 27 15:55:09 F5DEVICE.domain.lu ASM:unit_hostname.keyword

So 1 new entry = 2 new fields; I supposed it's because the template doesn't load.

The Logstash config is like this:

```
input {
  udp {
    port => 1517
    type => 'hsl'
  }
  tcp {
    port => 1517
    type => 'syslog'
  }
}
filter {
  kv {
    field_split => ","
    trim_value => "\""
  }
  if ([ClientIP]) {
    geoip {
      source => "ClientIP"
    }
  }
}
output {
  stdout {}
  elasticsearch {
    hosts => ["ELK-TEST07-VMR:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    template => "/etc/logstash/templates/f5-template.json"
    template_name => "f5-template"
    template_overwrite => true
  }
}
```

Regards

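The field name shown in the comment above is what a key/value split produces when the raw syslog header (`<131>Jul 27 ... ASM:`) is still glued to the first `key="value"` pair of the ASM message. The following is an added example, not code from this issue or from the f5-elk project: it mimics the kv filter's `field_split => ","` / `trim_value => "\""` behaviour in Python on a constructed ASM line, shows the header leaking into the first field name, and shows the clean field set once the header is stripped before the key/value parse.

```python
"""Added example (not from f5-elk): reproduce how a key/value split of an
F5 ASM syslog line turns the syslog header into part of the first key."""
import re

# Constructed sample line, modelled on the field name quoted in the issue.
# The ASM fields are the default remote-logging names; values are made up.
SAMPLE = (
    '<131>Jul 27 15:55:09 F5DEVICE.domain.lu ASM:unit_hostname="F5DEVICE.domain.lu",'
    'management_ip_address="10.0.0.1",policy_name="demo_policy",'
    'request_status="blocked",ip_client="198.51.100.7",'
    'attack_type="SQL-Injection,Information Leakage"'
)

# Syslog PRI, BSD timestamp, hostname and the "ASM:" program tag.
SYSLOG_HEADER = re.compile(
    r'^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ASM:'
)

# One key=value pair: key runs up to '=', value is either a double-quoted
# string (commas inside quotes are kept) or a bare run up to the next comma.
PAIR = re.compile(r'\s*([^,=]+?)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def kv_split(text, trim_value='"'):
    """Approximate logstash-filter-kv with field_split="," and trim_value='"'.

    Note: the real plugin is a configurable scanner; this is only close
    enough to show how the first key is formed.
    """
    fields = {}
    for match in PAIR.finditer(text):
        key, value = match.group(1), match.group(2)
        fields[key] = value.strip(trim_value)
    return fields


def strip_header(line):
    """Remove the syslog prefix so only the ASM key/value payload remains."""
    return SYSLOG_HEADER.sub('', line, count=1)


def parse(line, strip=True):
    """Parse an ASM line; strip=False reproduces the field name from the issue."""
    return kv_split(strip_header(line) if strip else line)


if __name__ == '__main__':
    print(sorted(parse(SAMPLE, strip=False)))  # header baked into first key
    print(sorted(parse(SAMPLE)))               # clean ASM field names
```

A grok or dissect stage that removes the syslog header before the kv filter gives the second result, which is the field set a template can actually map.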
buenoser commented 6 years ago

In the Big IP 13.X, the Application Security proposes this: [image]

In Logging Format: [image]

If you want, I can help to update this great integration with ELK 6.X and Big IP 13.X?

tuckner commented 6 years ago

Yeah! Submit a pull or send me what should be updated and I'll look it over!

buenoser commented 6 years ago

Great, I will do this for ASM!

For LTM, I have an issue: I followed your post, and nothing is ingested. I configured a simple VS and applied an Analytics profile with a Log Destination / Publisher, but nothing enters ELK. What can I do to find the issue?

Regards

tuckner commented 6 years ago

Can you verify F5 is sending the logs successfully? I seem to remember not being able to send syslog out of the management interface of the F5.

buenoser commented 6 years ago

Hi, thank you for the response. I followed this instruction https://support.f5.com/csp/article/K13080 and it's working for syslog! But for the LTM from AVR nothing appears; how can I check if it's really sent?

Regards

tuckner commented 6 years ago

Make sure to apply the AVR profile to your virtual server, have the correct pool of AVR logging servers, and make sure you're not sending logs out the management port. Other than that, maybe using tcpdump will help validate if the logs are actually being sent or not.

buenoser commented 6 years ago

Hi, I understand what you mean, but I don't know how to check if the AVR uses the management port to send these logs...

Can you help me to check this ?

tuckner commented 6 years ago

It would depend on routing. If the fastest path to the ELK server is through the management port, then AVR will probably fail to send the logs.