Community:Splunk for F5
From Splunk Wiki
Splunk for Use with F5 Networks Solutions
Splunk for Use with F5 Networks Solutions provides F5 Networks ASM users with advanced search and reporting capabilities. Some of the most serious network security threats come from attacks that target vulnerabilities in enterprise applications. These attacks are often difficult and costly to prevent, and they bypass conventional firewalls, intrusion-detection systems, and attack prevention methods.
You can find out more about ASM and F5 by visiting their website at: http://www.f5.com.
The Splunk for Use with F5 Networks Solutions application provides the following reports to users of F5 ASM and Firepass products:
- Top violations
- Top violations by protocol (HTTP, FTP, SMTP)
- Top HTTP violations by web application
- Top attackers
- Top attackers by protocol (HTTP, FTP, SMTP)
- Top web applications attacked, alerted or blocked
- Top web applications alerted by IP address
- Attacks by location
- Top response codes by web application
- Top alerted or blocked web application requests by time period
- Web application requests by method
- Custom ASM forensics filtering & search
Screenshots and Video
If you don't have Splunk already installed, download Splunk and the F5 app from Splunkbase.com, install Splunk, and then install the F5 app. To download Splunk, go to our main download page on splunk.com. To download the F5 app on Splunkbase, go to its home on Splunkbase.
Please follow the directions contained in the respective downloads.
Already Have Splunk?
If you have Splunk already installed, you can download the Splunk for F5 app by going to the Admin section of your interface, clicking on 'Applications' and then 'Browse Splunkbase', and selecting the F5 application from the list of apps.
Alternately, you can download the Splunk for Use with F5 Networks Solutions app directly from Splunkbase. Once you download the app, rename it to include a .tar.gz extension on the end of it and then unpack it:
$ mv Splunk4F5.spl Splunk4F5.tar.gz
$ tar xvfz Splunk4F5.tar.gz
Once you have the directory extracted, move the 'F5' directory to $SPLUNK_HOME/etc/apps. Assuming you have Splunk installed in /opt/, the command to move it would look something like this:
$ mv F5 /opt/splunk/etc/apps/
Note: If you are running the Windows version of Splunk and don't install the F5 partner bundle, it is recommended that you install the Splunk for Use with F5 Networks Solutions app using the admin interface inside your Splunk instance.
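The manual steps above (rename the .spl, unpack it, move the app directory into $SPLUNK_HOME/etc/apps) as one shell function, written here as an added example that is not from the Splunk wiki or the F5 app; it goes a little further than the page by refusing a bundle whose tar entries would escape the apps directory, that unpacks into more than one top-level directory, that would overwrite an installed app, or that lacks default/app.conf. The mktemp scratch paths, the sample app.conf contents and the F5.spl sample bundle are constructed for demonstration.

```shell
# Install a Splunk .spl bundle (a gzipped tar) into $SPLUNK_HOME/etc/apps,
# refusing archives whose entries would land outside the apps directory.
set -eu

# install_spl BUNDLE SPLUNK_HOME -> prints the installed app directory
install_spl() {
    bundle="$1"
    apps_dir="$2/etc/apps"
    # Reject absolute paths and ".." components before extracting anything
    if tar tzf "$bundle" | grep -Eq '(^/|^\.\./|/\.\./|/\.\.$|^\.\.$)'; then
        echo "refusing $bundle: archive contains unsafe paths" >&2
        return 1
    fi
    # A bundle must unpack into exactly one top-level app directory
    top=$(tar tzf "$bundle" | cut -d/ -f1 | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "refusing $bundle: expected a single top-level directory" >&2
        return 1
    fi
    # Never silently overwrite an app that is already installed
    if [ -e "$apps_dir/$top" ]; then
        echo "refusing $bundle: $apps_dir/$top already exists" >&2
        return 1
    fi
    work=$(mktemp -d)
    tar xzf "$bundle" -C "$work"
    # Every Splunk app carries default/app.conf; its absence means a bad bundle
    if [ ! -f "$work/$top/default/app.conf" ]; then
        echo "refusing $bundle: no default/app.conf in $top" >&2
        rm -rf "$work"
        return 1
    fi
    mkdir -p "$apps_dir"
    mv "$work/$top" "$apps_dir/"
    rm -rf "$work"
    echo "$apps_dir/$top"
}

# Constructed sample: a minimal app directory named F5 packed as F5.spl
# (the real bundle from Splunkbase is named Splunk4F5.spl)
make_sample_bundle() {
    dir=$(mktemp -d)
    mkdir -p "$dir/F5/default"
    printf '[launcher]\ndescription = sample F5 app\n' > "$dir/F5/default/app.conf"
    tar czf "$dir/F5.spl" -C "$dir" F5
    echo "$dir/F5.spl"
}
```

Run it as `install_spl Splunk4F5.spl /opt/splunk` to install into the $SPLUNK_HOME used in the steps above; the function prints the resulting app directory on success and exits non-zero with a reason on stderr otherwise.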