Collect Logs for the F5 - BIG-IP LTM App
This page provides instructions for collecting logs for the F5 - BIG-IP LTM App, as well as a sample log message and query sample.
Collection overview
The following image provides a high-level view of the F5 - BIG-IP LTM collection process using Telemetry Streaming.
Telemetry Streaming (TS) is a software RPM file. Installing it on BIG-IP enables you to declaratively aggregate, normalize, and forward statistics and events from the BIG-IP to a consumer application by posting a single TS JSON declaration to TS’s declarative REST API endpoint.
Telemetry Streaming uses a declarative model, meaning you provide a JSON declaration rather than a set of imperative commands. For more information on Telemetry Streaming, see here.
Configure log collection for the F5 - BIG-IP LTM App
Prerequisite
1. Install AS3 RPM
The Application Services 3 (AS3) extension is a mechanism for declaratively configuring application-specific resources on a BIG-IP system. This involves posting a JSON declaration to the system’s API endpoint (https://<BIG-IP>/mgmt/shared/appsvcs/declare).
2. Install Telemetry Streaming RPM (download from here)
- Log in to F5 (user admin, password from the above output), navigate to the Main tab, iApps > Package Management LX > Import.
- Select the downloaded file and click Upload to upload Telemetry Streaming RPM. For more information on installing TS RPM, see here.
3. Enable AVR
To enable the AVR, follow the steps below:
- Go to System > Resource Provisioning.
- Enable Application Visibility and Reporting (AVR).
- Click Submit.
Collection Set Up
Perform the following tasks to configure log collection for the F5 - BIG-IP LTM App.
Step 1: Create a Sumo Logic Hosted Collector
- Configure a Hosted Collector in Sumo Logic using these instructions.
- Add an HTTP source, configuring the Source Category with the string f5 in it (e.g. “f5/ltm”).
Make a note of the URL for the HTTP source, as you will need it in the following steps. The URL for our example is: https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing==
Step 2: Use AS3 Declarative language to define a logging profile on BIG-IP.
Download AS3Listener.json from here; it defines the logging profile at BIG-IP. Use the following curl command to set the logging profile at BIG-IP, replacing BIG-IP PWD, BIG-IP IP, and PORT. The -k option makes curl skip TLS certificate verification; omit it if your client trusts the BIG-IP management certificate.
curl -k --user admin:<BIG-IP PWD> -H "Accept: application/json" -H "Content-Type:application/json" -X POST -d@AS3Listener.json https://<BIG-IP IP>:<PORT>/mgmt/shared/appsvcs/declare | python -m json.tool
Step 3: Sumo Logic Consumer Set up using Telemetry
Download the Sumo Logic consumer declaration sumo.json from here, and replace SUMOLOGIC_HOST, SUMOLOGIC_SECRET_KEY, and SUMOLOGIC_PATH with values from the Sumo Logic HTTP URL created in Step 1.
Example: For the Sumo Logic HTTP URL https://collectors.us2.sumologic.com/receiver/v1/http/Thisis4fakeendpoint4testing== above, the values are as follows:
- SUMOLOGIC_HOST: collectors.us2.sumologic.com
- SUMOLOGIC_SECRET_KEY: /receiver/v1/http/
- SUMOLOGIC_PATH: Thisis4fakeendpoint4testing==
Now, using Telemetry Streaming, define a Sumo Logic sink that forwards statistics and events from the BIG-IP to Sumo Logic. Use the following curl command, replacing BIG-IP PWD, BIG-IP IP, and PORT.
curl -k --user admin:<BIG-IP PWD> -H "Accept: application/json" -H "Content-Type:application/json" -X POST -d@sumo.json https://<BIG-IP IP>:<PORT>/mgmt/shared/telemetry/declare | python -m json.tool
Sample Log Message
The following is a sample F5 LTM Request Log.
LTM Request Log
{ "event_source":"request_logging", "event_timestamp":"2019-01-01:01:01.000Z", "hostname":"hostname", "client_ip":"192.0.2.42", "server_ip":"", "http_method":"GET", "http_uri":"/", "virtual_name":"/Common/app.app/app_vs", "tenant":"Common", "application":"app.app", "telemetryEventCategory": "LTM" }
Query sample
The following query sample is from the F5 - BIG-IP LTM - Overview Dashboard, Pool Status panel.
_sourceCategory=f5/bigip/ltm systemInfo
| json field=_raw "telemetryEventCategory" as telemetryEventCategory
| json field=_raw "virtualServers"
| parse regex field=virtualServers "name\"\:\"(?<virtualServer_name>[\S]+?)\"" multi
| parse regex field=virtualServers "enabledState\"\:\"(?<enabledState>[\S]+?)\"" multi
| parse regex field=virtualServers "application\"\:\"(?<application>[\S]+?)\"" multi
| parse regex field=virtualServers "availabilityState\"\:\"(?<availabilityState>[\S]+?)\"" multi
| parse regex field=virtualServers "tenant\"\:\"(?<tenant>[\S]+?)\"" multi
| parse regex field=virtualServers "pool\"\:\"(?<pool>[\S]+?)\"" multi
| parse regex field=virtualServers "destination\"\:\"(?<destination>[\S]+?)\"" multi
| parse regex field=virtualServers "clientside.curConns\"\:(?<current_connections>[\S]+?)\," multi
| parse regex field=virtualServers "clientside.bitsOut\"\:(?<client_bits_out>[\S]+?)\," multi
| count by virtualServer_name, pool, application, enabledState, availabilityState
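The Pool Status query above, mirrored offline in Python as an added example (not Sumo Logic or F5 code): it reads the virtualServers object as JSON instead of with regexes and applies the same count-by grouping, so the panel logic can be checked against a captured event. The sample event is constructed; its nesting (an object keyed by virtual server path) and the state values are assumptions, while the field names are the ones the query extracts.

```python
import json
from collections import Counter

# Constructed sample event. Field names are the ones the query's regexes look for;
# the nesting (an object keyed by virtual server path) is an assumption.
SAMPLE_EVENT = json.dumps({
    "telemetryEventCategory": "systemInfo",
    "virtualServers": {
        "/Common/app.app/app_vs": {
            "name": "/Common/app.app/app_vs", "enabledState": "enabled",
            "availabilityState": "available", "application": "app.app",
            "tenant": "Common", "pool": "/Common/app.app/app_pool",
            "destination": "192.0.2.10:80",
            "clientside.curConns": 3, "clientside.bitsOut": 4096,
        },
        "/Common/shop.app/shop_vs": {
            "name": "/Common/shop.app/shop_vs", "enabledState": "enabled",
            "availabilityState": "offline", "application": "shop.app",
            "tenant": "Common", "pool": "/Common/shop.app/shop_pool",
            "destination": "192.0.2.11:443",
            "clientside.curConns": 0, "clientside.bitsOut": 0,
        },
    },
})

# Same grouping as the query's final "count by" clause.
GROUP_BY = ("name", "pool", "application", "enabledState", "availabilityState")


def pool_status(raw_events):
    """Count (name, pool, application, enabledState, availabilityState) tuples."""
    counts = Counter()
    for raw in raw_events:
        try:
            event = json.loads(raw)
        except (TypeError, ValueError):
            continue  # not JSON: ignore rather than abort the whole batch
        servers = event.get("virtualServers") if isinstance(event, dict) else None
        if not isinstance(servers, dict):
            continue  # e.g. an LTM request log event, which has no virtualServers
        for path, stats in servers.items():
            if not isinstance(stats, dict):
                continue
            row = {"name": path, **stats}  # fall back to the key when "name" is absent
            counts[tuple(str(row.get(f, "")) for f in GROUP_BY)] += 1
    return counts


def not_available(counts):
    """Virtual servers whose state is anything other than enabled and available."""
    return sorted(k[0] for k in counts if (k[3], k[4]) != ("enabled", "available"))
```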