Layer7 API Management

Layer7 logs integration with Splunk

Vivek Tripathi posted Apr 27, 2023 10:29 AM

We are planning to ingest Layer7 Gateway logs into Splunk.

Can anyone please confirm what options are available in Layer7 Gateway 10.0/10.1/11 and upcoming versions?

HEC/REST API: are these options also available on Layer7 Gateway versions (10.0/10.1/11/upcoming versions)?

Please help on this.

Thanks
Vivek 

Broadcom Employee Phil Mead

I have done HEC and log collection.
For HEC you set up a task to send the records to Splunk periodically, but it is easy to do - route via https works. The only thing you need to do is to get a HEC token.
But we chose to have Splunk collecting directly from the SSG and Audit logs - and some of the systems /var logs as well. You would need to install a Splunk Forwarder on the Layer7 Gateway. We then connected to the Splunk Deployment server and the collection information was pushed down.
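
The HEC route described in the reply above comes down to an HTTPS POST that carries the HEC token in an `Authorization` header. The sketch below is an added example, not code from this thread or from Broadcom or Splunk; the endpoint host, the sourcetype name, the `SPLUNK_HEC_TOKEN` environment variable and the sample records are assumptions constructed for illustration.

```python
import json
import os
import ssl
import urllib.request

# Assumed placeholder host; 8088 is Splunk's default HEC port.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"

def build_hec_payload(records, host, sourcetype="layer7:gateway"):
    """Batch records the way HEC accepts them: JSON event objects back to back."""
    events = []
    for rec in records:
        events.append(json.dumps({
            "time": rec["epoch"],        # event time, seconds since the epoch
            "host": host,                # gateway node that produced the record
            "sourcetype": sourcetype,    # hypothetical sourcetype name
            "event": {k: v for k, v in rec.items() if k != "epoch"},
        }, separators=(",", ":")))
    return "\n".join(events).encode("utf-8")

def build_hec_request(payload, token, url=HEC_URL):
    """Build the POST; refuse plain HTTP so the token is never sent in clear text."""
    if not url.lower().startswith("https://"):
        raise ValueError("HEC URL must use https")
    return urllib.request.Request(url, data=payload, method="POST", headers={
        "Authorization": "Splunk " + token,
        "Content-Type": "application/json",
    })

def send(records, host):
    """Send one batch; the token comes from the environment, not from source code."""
    token = os.environ["SPLUNK_HEC_TOKEN"]
    req = build_hec_request(build_hec_payload(records, host), token)
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)           # Splunk replies {"text":"Success","code":0}

# Constructed sample records, not real gateway output.
SAMPLE = [
    {"epoch": 1682591340, "level": "WARNING", "service": "orders-api",
     "message": "Request blocked by policy"},
    {"epoch": 1682591345, "level": "INFO", "service": "orders-api",
     "message": "Request routed"},
]
```
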

Broadcom Employee Joseph Fry

In addition to what Phil said, you can also set up a syslog log/audit sink and send the logs directly to Splunk via syslog (or to an intermediate syslog server that gets indexed by Splunk).

The gateway has some of the most flexible/powerful customizations for logging that I have ever seen. You can have different audit/log sinks for different services, policies, or folders of policies, by client IP, and many more filtering options. You can send different levels of logging to different sinks, for example sending warnings and above to syslog while including fine logging written to a log file.

I recommend reading through this section of the documentation to get a better idea of how this all works:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/security-configuration-in-policy-manager/tasks-menu-security-options/manage-log-audit-sinks.html