Tom_K_185554
Jun 01, 2018

How can I get hsl logging in splunk to be in json format

Hello, I am using the f5.analytics.v3.7.0 iApps template. I have an iRule, which I will provide below, which we use to send some connection event data to Splunk using HSL logging.

I have attached 2 new screen prints. The way it was described to me is that Splunk is expecting to receive JSON-formatted data. They said, think of all the red fields as field types and the light blue data as a value. Notice the field type that says syslog_message in red; the value next to it is the value in JSON format, with one syslog message for each iRule event. Then notice all the red HSL output, where it all appears to be a field with no value even though all the log information is present; to Splunk it all just looks like one big field type. It also has all the events lumped together in one large message. So the goal is to get the HSL data to look like the syslog_message lines.

2 Replies

  • when CLIENT_ACCEPTED {  
       set client "[IP::client_addr]"
       set client_port "[TCP::client_port]"
       set vip [IP::local_addr]
       set vip_local_port [TCP::local_port]
       set remote [IP::remote_addr]
       set remote_port [TCP::remote_port]
       set hsl [HSL::open -proto TCP -pool analytics-iapp-hec-forwarder-tcp-log-stage0]
     }
    
    when SERVER_CONNECTED {
       set client "[IP::client_addr]"
       set client_port "[TCP::client_port]"
       set node "[IP::server_addr]"
       set node_server_port "[TCP::server_port]"
       set self_ip "[serverside {IP::local_addr}]"
       set self_ip_local_port "[serverside {TCP::local_port}]"
       HSL::send $hsl "hsl test Event=SERVER_CONNECTED protocol=tcp client_ip=$client client_port=$client_port vip_ip=$vip vip_port=$vip_local_port snat_ip=$self_ip snat_port=$self_ip_local_port remote_ip=$node remote_port=$node_server_port "
       log local0.info "hsl test Event=SERVER_CONNECTED protocol=tcp client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port"
    }
    
    when SERVER_CLOSED {
       HSL::send $hsl "hsl test Event=SERVER_CLOSED protocol=tcp client_ip=$client client_port=$client_port vip_ip=$vip vip_port=$vip_local_port snat_ip=$self_ip snat_port=$self_ip_local_port remote_ip=$node remote_port=$node_server_port "
       log local0.info "hsl test Event=SERVER_CLOSED protocol=tcp client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port"
    }
    
    when CLIENT_CLOSED {  
      HSL::send $hsl "hsl test Event=CLIENT_CLOSED protocol=tcp client_ip=$client client_port=$client_port vip_ip=$vip vip_port=$vip_local_port snat_ip=$self_ip snat_port=$self_ip_local_port remote_ip=$node remote_port=$node_server_port "
      log local0.info "hsl test Event=CLIENT_CLOSED protocol=tcp client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port"
    }
    
  • Well, the customization part can be done on Splunk only, because F5 sends all HSL logs in raw format. I guess you need to write some script/command on the fly to view it in a correct readable/tabular format.

    Can you try your luck adding a newline [\n] at the end? Example below (just guessing):

        set client "[IP::client_addr]\n"
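
One way to emit each event from the iRule as a single newline-terminated JSON object, as an added example that is not part of the original thread. The proc name `hsl_json` and the flat JSON layout are assumptions; the thread does not say what object shape the Splunk input expects, so adjust the keys or add a wrapper to match it.

```tcl
# Added example (not from the thread). hsl_json is a hypothetical helper;
# the pool name and field names are taken from the iRule posted above.
proc hsl_json {event fields} {
    set parts [list "\"Event\":\"$event\"" "\"protocol\":\"tcp\""]
    foreach {name value} $fields {
        # Escape backslash, double quote and newline so a value can never
        # break out of its JSON string or split one record into two.
        set value [string map {\\ \\\\ \" \\\" \n \\n} $value]
        lappend parts "\"$name\":\"$value\""
    }
    # One object per line: the trailing newline delimits events on the TCP stream.
    return "{[join $parts ,]}\n"
}

when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto TCP -pool analytics-iapp-hec-forwarder-tcp-log-stage0]
    set base [list client_ip [IP::client_addr] client_port [TCP::client_port] \
                   vip_ip [IP::local_addr] vip_port [TCP::local_port]]
    # Stays empty if the server side never connects, so the close events
    # below do not reference unset variables.
    set srv {}
}

when SERVER_CONNECTED {
    set srv [list snat_ip [serverside {IP::local_addr}] \
                  snat_port [serverside {TCP::local_port}] \
                  remote_ip [IP::server_addr] remote_port [TCP::server_port]]
    HSL::send $hsl [call hsl_json SERVER_CONNECTED [concat $base $srv]]
}

when SERVER_CLOSED {
    HSL::send $hsl [call hsl_json SERVER_CLOSED [concat $base $srv]]
}

when CLIENT_CLOSED {
    HSL::send $hsl [call hsl_json CLIENT_CLOSED [concat $base $srv]]
}
```

The escaping in `hsl_json` matters once request-derived strings (for example a header value) are added as fields, since those are client-controlled and could otherwise inject extra keys or records into the log stream.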