Splunk for F5 Access guide?

dooshiant · ‎03-07-2012

Hello,

Using Splunk for F5 Access app and trying send logs from firepass to splunk on port 514.
However, the stats in the F5 Access Dashboard are incomplete. For example I can only see 4 or 5 users in the Connections by User in the last 24 hours chart, but on the firepass, it shows that there was over a 100 connected in the same timeframe..

Is there a configuration guide available for how to configure both the Splunk / F5 Access app and the Firepass device? - I want to verify if my config is correct.

Have tried Splunk support, but they haven't been very helpful and say there is no support for the F5 Access app.

Many thanks!

MarioM · ‎03-14-2012

there is :

getting started guide

MarioM · ‎03-17-2012

yes i know firepass is dedicated ssl vpn and the only thing to do is configure remote syslog on firepass to send to splunk (no other choice than udp 514) and set the sourcetype as firepass_log.
After the firepass dashboard is just an example then up to you to build your own.
Splunk is not about app but doing you own reports/dashboard...

dooshiant · ‎03-16-2012

Hi MarioM,

This guide is for APM which runs on the BigIP platform. Firepass is different and runs on another platform. I have set the sourcetype to firepass_log as stated in the pdf though, but getting only limited stats - not all users / events are being shown..

gnovak · ‎03-14-2012

I agree, I can't find a link to a manual anywhere.

Splunk for F5 Access guide?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases