
Collect Logs for the F5 - BIG-IP LTM App

This page provides instructions for collecting logs for the F5 - BIG-IP LTM App, as well as a sample log message and query sample.

Collection overview

The following image provides a high-level view of the F5 - BIG-IP LTM collection process using the F5 iApp template.

F5_Collection_Overview.png

Configure log collection for the F5 - BIG-IP LTM App

Perform the following tasks to configure log collection for the F5 - BIG-IP LTM App.

  1. Configure a Hosted Collector in Sumo Logic using these instructions.

  2. Add an HTTP source, and set a Source Category that contains the string f5 (for example, "f5/ltm").

    Make a note of the URL for the HTTP source, as you will need it in the following steps. The URL for our example is: https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing==

  3. Use F5 Analytics iApp to send F5 LTM logs to Sumo Logic using the Hosted Collector.

  4. Choose the Configuring the Analytics iApp template and select Sumo Logic as the Data format, as shown in the following example. Default options were accepted for the other selections in the example.

    F5-BIGIPLTM_Collector-dialog1.png

  5. Enter the value for the Analytics System Tenant in the text field.

    The value for the Analytics System Tenant is the last field of the URL from Step 2. In our example URL, https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing==, the Analytics System Tenant value that we'll use in the following step is Thisis4fakeendpoint4testing==.
    For more information, see the F5 BIG-IP LTM documentation.

    F5-BIGIPLTM_Collector-dialog2.png

  6. Provide the following information:

  • IP Address or Hostname: enter the hostname or IP address for the Host Source (from step 2) in the text field. In our example, the hostname is collectors.us2.sumologic.com.
  • Port: enter the port number for the Host Source (from step 2). We specified port 443.
  • Protocol: select the protocol for the Host Source (from step 2). We selected HTTPS.

Default options were accepted for the other selections in the example.

F5-BIGIPLTM_Collector-dialog3.png
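
The values entered in steps 5 and 6 all come from the HTTP source URL noted in step 2. The following Python sketch is an added example, not part of the original instructions or of any Sumo Logic or F5 tooling; it splits that URL into the four iApp fields, rejects a URL that is not HTTPS, and shortens the tenant value before it is printed. The function names iapp_fields and redact are hypothetical, and the /receiver/v1/http/ prefix is assumed from the example URL on this page.

```python
from urllib.parse import urlsplit

# Path prefix of the HTTP source URL, as it appears in this page's example.
RECEIVER_PREFIX = "/receiver/v1/http/"


def iapp_fields(http_source_url):
    """Split an HTTP source URL into the values the iApp dialogs ask for."""
    parts = urlsplit(http_source_url.strip())
    if parts.scheme != "https":
        # The tenant value travels with every request, so require TLS.
        raise ValueError("HTTP source URL must use https")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    if not parts.path.startswith(RECEIVER_PREFIX):
        raise ValueError("path does not start with " + RECEIVER_PREFIX)
    tenant = parts.path[len(RECEIVER_PREFIX):]
    if not tenant or "/" in tenant:
        raise ValueError("tenant must be a single, non-empty final field")
    return {
        "tenant": tenant,            # step 5: Analytics System Tenant
        "host": parts.hostname,      # step 6: IP Address or Hostname
        "port": parts.port or 443,   # step 6: Port (HTTPS default if absent)
        "protocol": "HTTPS",         # step 6: Protocol
    }


def redact(fields, keep=4):
    """Return a copy with the tenant shortened, for tickets or change logs."""
    shown = dict(fields)
    shown["tenant"] = fields["tenant"][:keep] + "..."
    return shown


# The example URL from step 2 (a fake endpoint, as the page states).
EXAMPLE_URL = ("https://collectors.us2.sumologic.com/receiver/v1/http/"
               "Thisis4fakeendpoint4testing==")

if __name__ == "__main__":
    for name, value in redact(iapp_fields(EXAMPLE_URL)).items():
        print(f"{name:9}{value}")
```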

Sample Log Message

The following is a sample log event and its payload.

bigip.tmstats.mcp_request_stat
{
 "time": 1545076080,
 "host": "alb-bv3-2001-p2-1a.psdf.acme.com",
 "source": "bigip.tmstats.mcp_request_stat",
 "sourcetype": "f5:bigip:stats:iapp:json",
 "device_base_mac": "xx:xx:xx:xx:xx:xx",
 "devicegroup": "device-group-failover-b92a84720f17",
 "facility": "",
 "app": "",
 "appComponent": "",
 "tenant": "",
 "aggr_period": "60",
 "class_id": 38264,
 "create_count": 4,
 "create_mean": 585,
 "create_var": 12993,
 "modify_count": 4,
 "modify_mean": 3717,
 "modify_var": 48651249,
 "delete_count": 0,
 "delete_mean": 0,
 "delete_var": 0,
 "query_count": 4,
 "query_mean": 42213,
 "query_var": 7216095,
 "other_count": 0,
 "other_mean": 0,
 "other_var": 0
}

Query sample

The following query sample is from the F5 - BIG-IP LTM - Overview Dashboard, Pool Status panel.

_sourceCategory=*f5* "bigip.tmsh.pool_member_status"
| json field=_raw "availability_state"
| json field=_raw "facility"
| json field=_raw "enabled_state"
| json field=_raw "pool_name"
| parse regex field=pool_name "[\S]+\/(?<pool_name>[\S]+)"
| json field=_raw "pool_member_name"
| parse regex field=pool_member_name "[\S]+\/(?<pool_member_name>[\S]+)"
| json field=_raw "address"
| json field=_raw "port"
| count by pool_name, facility, pool_member_name, availability_state, enabled_state, address, port
| fields - _count
| sort by facility