Collect Logs for the F5 - BIG-IP LTM App

This page provides instructions for collecting logs for the F5 - BIG-IP LTM App, as well as a sample log message and query sample.

Configure log collection for the F5 - BIG-IP LTM App

Perform the following tasks to configure log collection for the F5 - BIG-IP LTM App.

  1. Configure a Hosted Collector in Sumo Logic using these instructions.

  2. Add an HTTP source, and set a Source Category that contains the string f5 (for example, “f5/ltm”).

  3. Use the F5 Analytics iApp to send F5 LTM logs to Sumo Logic through the Hosted Collector.

  4. Follow the “Configuring the Analytics iApp template” section, and select Sumo Logic as the Data format.

    [Screenshots: examples of the F5 - Sumo Logic configuration dialogs (F5-BIGIPLTM_Collector-dialog1.png, F5-BIGIPLTM_Collector-dialog2.png)]

Sample Log Message

The following is a sample log event with its payload.

Bigip.tmstats.mcp_request_stat
{
 "time": 1545076080,
 "host": "alb-bv3-2001-p2-1a.psdf.acme.com",
 "source": "bigip.tmstats.mcp_request_stat",
 "sourcetype": "f5:bigip:stats:iapp:json",
 "device_base_mac": "xx:xx:xx:xx:xx:xx",
 "devicegroup": "device-group-failover-b92a84720f17",
 "facility": "",
 "app": "",
 "appComponent": "",
 "tenant": "",
 "aggr_period": "60",
 "class_id": 38264,
 "create_count": 4,
 "create_mean": 585,
 "create_var": 12993,
 "modify_count": 4,
 "modify_mean": 3717,
 "modify_var": 48651249,
 "delete_count": 0,
 "delete_mean": 0,
 "delete_var": 0,
 "query_count": 4,
 "query_mean": 42213,
 "query_var": 7216095,
 "other_count": 0,
 "other_mean": 0,
 "other_var": 0
}

Query sample

The following query sample is from the F5 - BIG-IP LTM - Overview Dashboard, Pool Status panel.

_sourceCategory=*f5* "bigip.tmsh.pool_member_status"
| json field=_raw "availability_state"
| json field=_raw "facility"
| json field=_raw "enabled_state"
| json field=_raw "pool_name"
| parse regex field=pool_name "[\S]+\/(?<pool_name>[\S]+)"
| json field=_raw "pool_member_name"
| parse regex field=pool_member_name "[\S]+\/(?<pool_member_name>[\S]+)"
| json field=_raw "address"
| json field=_raw "port"
| count by pool_name, facility, pool_member_name, availability_state, enabled_state, address, port
| fields - _count
| sort by facility
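
The following Python sketch is an added example, not part of the Sumo Logic app or the original page. It replays the Pool Status query logic over constructed events to show which events reach the panel and which are silently dropped because the query's json and parse regex steps carry no nodrop option. The event values, the _event helper and the ascending sort direction are assumptions.

```python
import json
import re
from collections import Counter

# The query's pattern; Python spells the named group (?P<name>...) instead of (?<name>...).
STRIP_PREFIX = re.compile(r"[\S]+/(?P<name>[\S]+)")
FIELDS = ("pool_name", "facility", "pool_member_name", "availability_state",
          "enabled_state", "address", "port")

def _event(**overrides):
    """Hypothetical helper: build one constructed event as a raw JSON string."""
    base = {"source": "bigip.tmsh.pool_member_status", "facility": "dc-east",
            "pool_name": "/Common/pool_web", "pool_member_name": "/Common/web01:80",
            "address": "10.0.0.11", "port": 80,
            "availability_state": "available", "enabled_state": "enabled"}
    base.update(overrides)
    return json.dumps({k: v for k, v in base.items() if v is not None})

# Constructed sample input: field names come from the query, values are invented.
SAMPLE_EVENTS = [
    _event(),
    _event(),  # same member reported again in a later polling interval
    _event(pool_member_name="/Common/web02:80", address="10.0.0.12",
           availability_state="offline"),
    _event(pool_name="pool_legacy"),   # no partition prefix: regex does not match
    _event(facility=None),             # key missing: json extraction fails
    _event(source="bigip.tmstats.mcp_request_stat"),  # other source: keyword miss
]

def pool_status(raw_events):
    """Return (rows, dropped) as the panel query would produce without nodrop."""
    counts, dropped = Counter(), []
    for raw in raw_events:
        if "bigip.tmsh.pool_member_status" not in raw:
            continue                                  # keyword in the search scope
        event = json.loads(raw)
        if any(f not in event for f in FIELDS):
            dropped.append((raw, "missing field"))    # json without nodrop
            continue
        matches = {f: STRIP_PREFIX.search(str(event[f]))
                   for f in ("pool_name", "pool_member_name")}
        if not all(matches.values()):
            dropped.append((raw, "no partition prefix"))  # parse regex without nodrop
            continue
        row = {**event, **{f: m.group("name") for f, m in matches.items()}}
        counts[tuple(row[f] for f in FIELDS)] += 1    # count by ...
    rows = sorted(counts, key=lambda r: r[1])         # fields - _count, sort by facility
    return rows, dropped
```

A pool member that never appears in the panel may therefore be a parsing drop rather than a missing log, which is worth checking before treating the panel as a complete inventory.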