Splunk for Use with F5 Networks Solutions provides F5 Networks ASM users with advanced search and reporting capabilities. Some of the most serious network security threats come from attacks that target vulnerabilities in enterprise applications. These attacks are often difficult and costly to prevent, and they evade conventional firewalls, intrusion-detection systems, and attack prevention methods.
You can find out more about ASM and F5 by visiting their website at: http://www.f5.com.
The Splunk for Use with F5 Networks Solutions application provides the following reports to users of F5 ASM and Firepass products:
If you don't have Splunk already installed, you can download the Splunk/F5 partner bundle containing Splunk and the Splunk for Use with F5 Networks Solutions app and take it for a test drive. To download, go to our F5 Download page on splunk.com.
If you are running Windows, simply double click on the executable file to install Splunk. The installer will install the F5 app assets first, then proceed to install the Splunk application.
If you are running Linux or OSX, you will need to extract the Splunk tar.gz file and then move it into the destination install directory.
Example for OSX:
$ tar xvfz splunk4F5-3.3.4-43000-macosx-10.4-intel.tar.gz
$ mv splunk /Applications/
Example for Linux:
$ tar xvfz splunk4F5-3.3.4-43000-Linux-i686.tgz
$ mv splunk /opt/
If you have Splunk already installed, you can download the Splunk for F5 app by going to the Admin section of your interface, clicking on 'Applications' and then 'Browse Splunkbase', and selecting the F5 application from the list of apps.
Alternately, you can download the Splunk for Use with F5 Networks Solutions app directly from Splunkbase. Once you have downloaded the app, rename it so it ends in a .tar.gz extension and then extract it:
$ mv Splunk4F5.spl Splunk4F5.tar.gz
$ tar xvfz Splunk4F5.tar.gz
Once you have the directory extracted, move the 'F5' directory to $SPLUNK_HOME/etc/apps. Assuming you have Splunk installed in /opt/, the command to move it would look something like this:
$ mv F5 /opt/splunk/etc/apps/
Note: If you are running the Windows version of Splunk and don't install the F5 partner bundle, it is recommended that you install the Splunk for Use with F5 Networks Solutions app using the admin interface inside your Splunk instance.
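The rename, extract and move steps above can be wrapped in one small POSIX shell function so the app lands in $SPLUNK_HOME/etc/apps without clobbering a copy that is already there. This is an added example, not a script shipped with the Splunk/F5 app; it assumes the .spl is a gzipped tar whose single top-level directory is the app (the 'F5' directory), and the make_sample_spl helper builds a constructed, minimal package so the installer can be tried offline.

```shell
#!/bin/sh
# Added example (not part of the Splunk for Use with F5 Networks Solutions app).
# install_spl <file.spl> <SPLUNK_HOME>
#   Extracts a Splunkbase .spl package into $SPLUNK_HOME/etc/apps.
#   Returns 0 on success, 1 on a usage/extraction problem, and 2 when the app
#   directory already exists (a possibly customised install is never overwritten).
#   Prints the installed app name on success.
install_spl() {
    spl="$1"
    splunk_home="$2"
    if [ ! -f "$spl" ] || [ ! -d "$splunk_home/etc/apps" ]; then
        echo "usage: install_spl <file.spl> <SPLUNK_HOME>" >&2
        return 1
    fi
    work="$(mktemp -d)" || return 1
    # A .spl is a tar.gz with a different extension; tar does not care about
    # the name, so extracting into a scratch directory avoids the rename step.
    if ! tar xzf "$spl" -C "$work"; then
        rm -rf "$work"
        return 1
    fi
    # Expect exactly one top-level directory: the app itself (e.g. 'F5').
    app_dir="$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
    app_name="$(basename "$app_dir")"
    if [ -z "$app_dir" ] || [ -z "$app_name" ]; then
        echo "no app directory found in $spl" >&2
        rm -rf "$work"
        return 1
    fi
    if [ -e "$splunk_home/etc/apps/$app_name" ]; then
        echo "app '$app_name' is already installed; remove it first" >&2
        rm -rf "$work"
        return 2
    fi
    mv "$app_dir" "$splunk_home/etc/apps/"
    rm -rf "$work"
    echo "$app_name"
}

# make_sample_spl <dir>
#   Builds a constructed, minimal F5 package (one app.conf) under <dir> so the
#   installer can be exercised without downloading anything. Prints its path.
make_sample_spl() {
    dir="$1"
    mkdir -p "$dir/build/F5/default"
    printf '[ui]\nlabel = Splunk for F5 (sample)\n' > "$dir/build/F5/default/app.conf"
    tar czf "$dir/Splunk4F5.spl" -C "$dir/build" F5
    echo "$dir/Splunk4F5.spl"
}

# Usage against a real install (SPLUNK_HOME assumed to be /opt/splunk):
#   install_spl Splunk4F5.spl /opt/splunk
# Or try it on a throwaway tree with the constructed sample package:
#   install_spl "$(make_sample_spl /tmp/f5demo)" /tmp/f5demo/splunk
```

The refusal to overwrite an existing app directory is deliberate: re-running the install over a copy whose local/ settings have been edited would silently discard those edits, so the script exits with status 2 and leaves the decision to the operator.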
You can test the Splunk for Use with F5 Networks Solutions app by generating sample log data for Splunk to index. This allows you to test the application without having to go through the process of forwarding or copying your existing logfiles over to your Splunk install.
Unzip the generator, move it into the Splunk directory, and change your current directory:
$ tar xvfz f5_utils.tar.gz
$ mv utils /opt/splunk/
$ cd /opt/splunk/utils/log_gen/
Note: Your mileage may vary based on where you installed Splunk and what OS you're running.
Next, you'll need to 'source' your Splunk install to get the correct environment variables set:
On Linux/OSX:
$ source /opt/splunk/bin/setSplunkEnv
On Windows:
C:\> "C:\Program Files\Splunk\splunk.exe" envvars > splunk_env.bat
C:\> splunk_env.bat
C:\> del splunk_env.bat
Now you can run the generator:
$ python f5_log_gen.py
This will create a logfile in the logs directory. You can tell Splunk to index this file by going into the 'Admin' interface inside your Splunk instance, and then adding a file to monitor under 'Data Inputs'.