
Collect Logs for the F5 - BIG-IP LTM App

This page provides instructions for collecting logs for the F5 - BIG-IP LTM App, as well as a sample log message and query sample.

Collection overview

The following image provides a high-level view of the F5 - BIG-IP LTM collection process using Telemetry Streaming.

Telemetry Streaming (TS) is a software RPM file. Installing it on BIG-IP enables you to declaratively aggregate, normalize, and forward statistics and events from the BIG-IP to a consumer application by posting a single TS JSON declaration to TS’s declarative REST API endpoint.

Telemetry Streaming uses a declarative model, meaning you provide a JSON declaration rather than a set of imperative commands. For more information on Telemetry Streaming, see here.

Telemetry Services.png

Configure log collection for the F5 - BIG-IP LTM App

Prerequisite

The Application Services 3 (AS3) extension is a mechanism for declaratively configuring application-specific resources on a BIG-IP system. This involves posting a JSON declaration to the system’s API endpoint (https://<BIG-IP>/mgmt/shared/appsvcs/declare).

  1. Log in to F5 (user admin, password from the above output), navigate to the Main tab, iApps > Package Management LX > Import.
  2. Select the downloaded file and click Upload to upload Telemetry Streaming RPM. For more information on installing TS RPM, see here.

3. Enable AVR

To enable the AVR, follow the steps below:

  1. Go to System > Resource Provisioning. 
  2. Enable Application Visibility and Reporting (AVR).
  3. Click Submit.

Collection Set Up

Perform the following tasks to configure log collection for the F5 - BIG-IP LTM App.

  1. Configure a Hosted Collector in Sumo Logic using these instructions.
  2. Add an HTTP source, configuring the Source Category with the string f5 in it (e.g. “f5/ltm”).
    Make a note of the URL for the HTTP source, as you will need it in the following steps. The URL for our example is: https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing==

Step 2: Use AS3 Declarative language to define a logging profile on BIG-IP.

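Download AS3Listener.json from here; it is used to define the logging profile at BIG-IP. Use the following curl command to set the logging profile at BIG-IP, replacing BIG-IP PWD, BIG-IP IP, and PORT. The -k option turns off TLS certificate verification for the BIG-IP management endpoint; omit it when the management certificate chains to a CA your host trusts.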

curl -k --user admin:<BIG-IP PWD> -H "Accept: application/json" -H "Content-Type:application/json" -X POST -d@AS3Listener.json https://<BIG-IP IP>:<PORT>/mgmt/shared/appsvcs/declare | python -m json.tool

Step 3: Sumo Logic Consumer Set up using Telemetry 

Download the Sumo Logic Consumer sumo.json from here, and replace SUMOLOGIC_HOST, SUMOLOGIC_SECRET_KEY and SUMOLOGIC_PATH with values from the Sumo Logic HTTP URL created in step 1.

Example: For Sumo Logic HTTP URL https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing== above values are as follows :

Now use Telemetry Streaming to define a Sumo Logic sink, which enables forwarding statistics and events from the BIG-IP to Sumo Logic. Use the following curl command and replace BIG-IP PWD, BIG-IP IP, and PORT.

curl -k --user admin:<BIG-IP PWD> -H "Accept: application/json" -H "Content-Type:application/json" -X POST -d@sumo.json https://<BIG-IP IP>:<PORT>/mgmt/shared/telemetry/declare | python -m json.tool
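
The placeholder substitution from Step 3, as an added example that is not part of the original page or of the downloadable sumo.json: it splits the HTTP source URL into the three values, fills a declaration, and masks the token before anything is printed, since the token in the URL is what authorizes posting to the source. Assumptions: SUMOLOGIC_HOST is the URL's host name, SUMOLOGIC_PATH is the path up to and including /http/, SUMOLOGIC_SECRET_KEY is the final path segment, and the TEMPLATE layout is a constructed stand-in for the real file; the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the downloaded sumo.json. Its layout is an assumption
# (modelled on a Telemetry Streaming consumer declaration); only the three
# SUMOLOGIC_* placeholder names come from the page.
TEMPLATE = {
    "class": "Telemetry",
    "Sumo_Consumer": {
        "class": "Telemetry_Consumer",
        "type": "Sumo_Logic",
        "host": "SUMOLOGIC_HOST",
        "protocol": "https",
        "port": 443,
        "path": "SUMOLOGIC_PATH",
        "passphrase": {"cipherText": "SUMOLOGIC_SECRET_KEY"},
    },
}

def split_source_url(url):
    """Split an HTTP source URL into the three placeholder values."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("HTTP source URL must be https://<host>/...")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query string or fragment in source URL")
    prefix, _, token = parts.path.rpartition("/")
    if not token or not prefix.endswith("/http"):
        raise ValueError("expected a path of the form /receiver/v1/http/<token>")
    return {"SUMOLOGIC_HOST": parts.hostname,
            "SUMOLOGIC_PATH": prefix + "/",
            "SUMOLOGIC_SECRET_KEY": token}

def fill(node, values):
    """Return a copy of the template with placeholder strings substituted."""
    if isinstance(node, dict):
        return {key: fill(val, values) for key, val in node.items()}
    if isinstance(node, list):
        return [fill(item, values) for item in node]
    return values.get(node, node) if isinstance(node, str) else node

def redacted(declaration, token):
    """Copy that is safe to print or log: the collector token is masked."""
    return fill(declaration, {token: "<redacted>"})

if __name__ == "__main__":
    # URL taken from the page's own example (a fake endpoint).
    url = "https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing=="
    values = split_source_url(url)
    print(json.dumps(redacted(fill(TEMPLATE, values), values["SUMOLOGIC_SECRET_KEY"]), indent=2))
```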

Sample Log Message

The following is a sample F5 LTM Request Log.

LTM Request Log

{
    "event_source":"request_logging",
    "event_timestamp":"2019-01-01:01:01.000Z",
    "hostname":"hostname",
    "client_ip":"192.0.2.42",
    "server_ip":"",
    "http_method":"GET",
    "http_uri":"/",
    "virtual_name":"/Common/app.app/app_vs",
    "tenant":"Common",
    "application":"app.app",
    "telemetryEventCategory": "LTM"
}

Query sample

The following query sample is from the F5 - BIG-IP LTM - Overview Dashboard, Pool Status panel.

_sourceCategory=f5/bigip/ltm  systemInfo
| json field=_raw "telemetryEventCategory"  as telemetryEventCategory
| json field=_raw "virtualServers"
| parse regex field=virtualServers "name\"\:\"(?<virtualServer_name>[\S]+?)\"" multi
| parse regex field=virtualServers "enabledState\"\:\"(?<enabledState>[\S]+?)\"" multi
| parse regex field=virtualServers "application\"\:\"(?<application>[\S]+?)\"" multi
| parse regex field=virtualServers "availabilityState\"\:\"(?<availabilityState>[\S]+?)\"" multi
| parse regex field=virtualServers "tenant\"\:\"(?<tenant>[\S]+?)\"" multi
| parse regex field=virtualServers "pool\"\:\"(?<pool>[\S]+?)\"" multi
| parse regex field=virtualServers "destination\"\:\"(?<destination>[\S]+?)\"" multi
| parse regex field=virtualServers "clientside.curConns\"\:(?<current_connections>[\S]+?)\," multi
| parse regex field=virtualServers "clientside.bitsOut\"\:(?<client_bits_out>[\S]+?)\," multi
| count by virtualServer_name, pool, application, enabledState, availabilityState