Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Splunk Request Logging

(0 reviews)

Assumptions:

Log volume will be huge and will only turn for critical applications that too in production. This can be tested in Dev/Pre-prod prior moving to the production but need to be turned off immediately.This will not cause performance issues because of High-speed logging HSL feature.

This logging feature can also be turned on for troubleshooting purposes if required.

Dependencies:

Enterprise splunk team should provision dedicated storage for the new applications with F5 logging feature turned on a permanent basis.

Estimation:

If we turn on logging for all applications in production, current rough estimate would be 1TB logs per day.

Introduction:

Request logging feature is inline F5 feature that replace the functionality of the splunk logging irule. This request logging feature provide metrics such as client-ip, elapsed time, request type & details, response code, pool member etc.These logs integrated to splunk will provide lot of details about a particular application behind  a single vip.

Alerts, dashboard and reports can also be generated based of the metrics available per application basis.

These logs will provide lot of help in troubleshooting and understanding more about the application for sustain teams.

Sample Log:

Quote

Mar  4 15:57:38 10.47.194.101 "Splunk Logging"|"txsat1slbdv03.thezah.corp"|"1551736658724"|"1551736658724868"|"10.7.156.86"|"63710"|"/Development/vs.dev.103867.aap-api-cit2.thezah.corp"|"10.47.37.242"|"443"|"/Development/pool.dev.103867.aap-api-cit2.thezah.corp"|"10.47.34.35"|"46235"|"10.47.49.66"|"12000"|"GET"|"/sa-health/f5chk.html"|"HTTP/1.1"|""|"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"|"304"|"2"|0|"2056"

Description of log fields:-

Time stamp of the log in splunk

3/4/2019 15:57

Device ip sending log

10.47.194.101

descriptive field for splunk queries

Splunk Logging

Device_hostname

txsat1slbdv03.thezah.corp

Requesttime_milli-sec

1551736658724

Requesttime_micro-sec

1551736658724868

Client_ip

10.7.156.86

Client_port

63710

vip_name

/Development/vs.dev.103867.aap-api-cit2.thezah.corp

vip_ip

10.47.37.242

vip_port

443

pool_name

/Development/pool.dev.103867.aap-api-cit2.thezah.corp"

snat_ip

10.47.34.35

snat_ip_port

46235

poolmember_ip

10.47.49.66

poolmember_port

12000

http_method

GET

http_uri

/sa-health/f5chk.html

http_version

HTTP/1.1

referrer

"  "

user-agent

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36

http_statuscode

304

Responsetime_milli-sec

2

response_size

0

Responsetime_micro-sec

2056

 

 

Procedure:-

Navigate to the following.

Local Traffic -> Profiles -> Other -> Request Logging -> Create as per below fields.

image2019-3-7_9-41-21.png?version=1&modi

Template contents from image:

"Splunk Logging"|"$BIGIP_HOSTNAME"|"$TIME_MSECS"|"$TIME_USECS"|"$CLIENT_IP"|"$CLIENT_PORT"|"$VIRTUAL_NAME"|"$VIRTUAL_IP"|"$VIRTUAL_PORT"|"$VIRTUAL_POOL_NAME"|"$SNAT_IP"|"$SNAT_PORT"|"$SERVER_IP"|"$SERVER_PORT"|"$HTTP_METHOD"|"$HTTP_URI"|"$HTTP_VERSION"|"$Referer"|"${User-agent}"|"$HTTP_STATCODE"|"$RESPONSE_MSECS"|$RESPONSE_SIZE|"$RESPONSE_USECS"

Once logfile is created, apply to virtual server that need this logging feature turned on as per below command.

#tmsh modify ltm virtual /Development/vs.dev.103867.aap-api-cit2.thezah.corp profiles add { logprofile }

Note:- turning logprofile on would not cause any performance issues because of HSL logging feature used, it will only need additional storage assigned from splunk team to get the logs indexed in splunk.

 

Verification:-

Check logs in F5 index ( index=infra_network )  to make sure transaction logs coming in.

index=infra_network “Splunk Logging” “aap-api-cit2.thezah.corp” latest=+15m

 

1 Comment

Recommended Comments

  • Administrators

SCENARIO

Walking through troubleshooting since the virtual server will show up, the pool will show up but going to the URL the application doesn't come up as long as on the logging profile you have Respond on error enabled and your logging pool has no available members.

BELOW IS AN EXAMPLE

VIRTUAL SERVER

ltm virtual /Integration/vs.sim1.102799.qa.enterpriseremarketing.int.thezah.com.443 {
    destination /Integration/10.46.65.206:443
    ip-protocol tcp
    last-modified-time 2021-11-15:10:18:54
    mask 255.255.255.255
    partition Integration
    persist {
        cookie {
            default yes
        }
    }
    pool /Integration/pool.sim1.102799.qa.enterpriseremarketing.int.thezah.com.443
    profiles {
        http { }
        logprofile { }
        oneconnect { }
        serverssl {
            context serverside
        }
        ssl.client.qa.enterpriseremarketing.int.thezah.com {
            context clientside
        }
        tcp-lan-optimized { }
    }
    rules {
        /Integration/irule.qa.enterpriseremarketing.int.thezah.com.content.redirect
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool MOD_SNAT_POOL
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 1492
}

Run a tcpdump against the IP address of the Virtual Server to see what's going on since Virtual Server shows up, Pool shows up

tcpdump -s0 -nni 0.0:nnnp -vvv -w /var/tmp/qa.enterprise_20200312.pcap host 10.46.65.206

In order to utilize the Wireshark F5 plugin, you need to flag the tcpdump command appropriately with -s0 and setting the level of noise by flagging the interface with a colon followed by a single, double, or triple n for, respectively, low, medium, and high details.

request_logging_capture.png

In Wireshark use the display filter: f5ethtrailer.rstcausetxt in order to get the same screen as show above

So from this you can see the F5 is RESETTING the connection (F5RST) and come to find out its because of the below setting in an attached logprofile

request_logging_setting.png

Now the when a virtual server has the logprofile attached it sends an extreme amount of data to Splunk so it only gets turned on critical applications or if you are troubleshooting an application so you can get more log data to help find out whats going on exactly.

With Respond on Error = Enabled it means when the Splunk Servers go down then the application also goes down.  With Respond on Error = Disabled (which is the default setting) then when the logging server goes down, the applications will continue to function.

Easy CLI command to change this to disable is

tmsh modify ltm profile request-log logprofile proxy-respond-on-logging-error no

Hope you find this helpful.  Also note that the wireshark capture above to get the F5RST to be displayed you have to either install the wireshark plugin on Wireshark 2.5 and older and on Wireshark 2.6 and newer you just need to enable it via Analyze - Enabled Protocols - F5 Ethernet trailer - f5ethtrailer

request_logging_wireshark_f5plugin.png

Now you can 

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.