Versions Compared

Old Version 21

changes.mady.by.user Former user

Saved on

compared with

New Version 22

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

Valid tags and data tables

The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed asadn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes. 

* Required or optional if it is a process name and ID.

** Optional. It is a process name and ID.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

F5’s BIG-IP

adn.f5.bigip.afm.nf.tmm[<PROC_ID>]

adn.f5.bigip.afm

  • adn.f5.bigip.apm.tmm[<PROC_ID>]

  • adn.f5.bigip.apm.apmd[<PROC_ID>]

  • adn.f5.bigip.apm.dummy

  • adn.f5.bigip.apm

adn.f5.bigip.apm

  • adn.f5.bigip.asm.perl[<PROC_ID>]

  • adn.f5.bigip.asm.iprepd[<PROC_ID>]

  • adn.f5.bigip.asm

adn.f5.bigip.asm

  • adn.f5.bigip.audit.tmsh[<PROC_ID>]

  • adn.f5.bigip.audit.mcpd[<PROC_ID>]

  • adn.f5.bigip.audit.httpd[<PROC_ID>]

adn.f5.bigip.audit

  • adn.f5.bigip.dns.gtmd[<PROC_ID>]

  • adn.f5.bigip.dns.tmm[<PROC_ID>]

  • adn.f5.bigip.dns

adn.f5.bigip.dns

  • adn.f5.bigip.ltm

  • adn.f5.bigip.ltm.abc

  • adn.f5.bigip.ltm.mcpd[<PROC_ID>]

  • adn.f5.bigip.ltm.tmm[<PROC_ID>]

adn.f5.bigip.ltm

adn.f5.bigip.pktfilter.tmm1[<PROC_ID>]

adn.f5.bigip.pktfilter

For more information, read more About Devo tags.

How is the data sent to Devo?

The F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:

...

Logs generated by F5 must be sent to the Devo platform via theDevo Relay to secure communication. See the requiredrelay rulesbelow:

You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter).  Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.

...

Devo Relay rules

ASM module (traffic) events

  • Source port - Any free port

  • Source data \s{0,1}ASM:.*

  • Sent without syslog tag -

  • Target tag adn.f5.bigip.asm.N/A[N/A]

  • Stop processing -

This rule will process ASM module traffic events (sent via local0 facility by default). These events don’t include $PROCESS[$PID] (thus, this level is set to N/A[N/A] in Target tagfor the sake of clarity when querying the adn.f5.bigip.asm table).

Devo Relay input event example:

Code Block
<134>Oct 22 09:58:57 testHost ASM:unit_hostname="testHost",management_ip_address="0.0.0.0",<key3="value3",key4="value4",...>

Devo Relay output event example:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.asm.N/A[N/A]: ASM:unit_hostname="testHost",management_ip_address="0.0.0.0",<key3="value3",key4="value4",...>

Order of <keyN="valueN"> pairs is not relevant.

APM module (authentication) events

  • Source port - Any free port

  • Source data - \s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.apm.N/A[N/A]

  • Stop processing -

This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].

Relay input event example:

Code Block
<134>Oct 22 09:58:57 testHost |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…>

Relay output event example:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.apm.N/A[N/A]: |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…>

Order of <keyN=valueN> pairs is not relevant.

AFM module (Protocol Security) events

  • Source port - Any free port

  • Source data - \s{0,1}PSM:.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.ps.N/A[N/A]

  • Stop processing -

This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].

Relay input event example:

Code Block
<134>Oct 22 09:58:57 testHost PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.ps.N/A[N/A]: PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Order of <keyN="valueN"> pairs is not relevant.

AFM module (Dos Protection) events

  • Source port - Any free port

  • Source data - .*[Network | Application] DoS Event.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.dp.N/A[N/A]

  • Stop processing -

This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].

Relay input event example:

Code Block
<134>Oct 22 09:58:57 testHost action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.dp.N/A[N/A]: action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>

Order of <keyN="valueN"> pairs is not relevant.

AFM module (Network Firewall) events

  • Source port - Any free port

  • Source data - .*Advanced Firewall Module.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.nf.N/A[N/A]

  • Stop processing -

This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].

Relay input event example:

Code Block
<134>Oct 22 09:58:57 testHost action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.nf.N/A[N/A]: action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>

Order of <keyN="valueN"> pairs is not relevant.

AUDIT option events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*AUDIT\s-\s.*)

  • Sent without syslog tag -

  • Target tag adn.f5.bigip.audit.\\D1

  • Target message - \\D2

  • Stop processing -

This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events.

Relay input event examples:

Code Block
<134>Oct 22 09:58:57 testHost info tmsh[10433]: 01420002:5: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt
Code Block
<38>Oct 22 09:58:57 testHost info httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"

Relay output event examples:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.audit.tmsh[10433]: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt
Code Block
<38>Oct 22 09:58:57 testHost adn.f5.bigip.audit.httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"

LTM module (system & traffic) events

  • Source port - Any free port

  • Source data \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL0

  • Target tag - adn.f5.bigip.ltm.\\D1

  • Target message - \\D2

  • Stop processing -

Relay input event examples:

Code Block
<134>Oct 22 09:58:57 testHost info tmm[8424]: 01010290:4: TCP: Memory pressure activated
Code Block
<134>Oct 22 09:58:57 testHost info tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com

Relay output event examples:

Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[8424]: 01010290:4: TCP: Memory pressure activated
Code Block
<134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com

APM module (system) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL1

  • Target tag - adn.f5.bigip.apm.\\D1

  • Target message - \\D2

  • Stop processing -

Relay input event example:

Code Block
<142>Oct 22 09:58:57 testHost info apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **

Relay output event example:

Code Block
<142>Oct 22 09:58:57 testHost adn.f5.bigip.apm.apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **

DNS module (system & query/response) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL2

  • Target tag - adn.f5.bigip.dns.\\D1

  • Target message - \\D2

  • Stop processing -

Relay input event examples:

Code Block
<150>Oct 22 09:58:57 testHost info gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green
Code Block
<150>Oct 22 09:58:57 testHost info tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)

Relay output event examples:

Code Block
<150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green
Code Block
<150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)

ASM module (system) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL3

  • Target tag - adn.f5.bigip.asm.\\D1

  • Target message - \\D2

  • Stop processing -

Relay input event example:

Code Block
<158>Oct 22 09:58:57 testHost info iprepd[5226]: 015c0009:5: IP Reputation has no license currently

Relay output event example:

Code Block
<158>Oct 22 09:58:57 testHost adn.f5.bigip.asm.iprepd[5226]: 015c0009:5: IP Reputation has no license currently

LTM module events (ITCM portal and server (iControl) specific messages)

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL4

  • Target tag adn.f5.bigip.ltm.\\D1

  • Target message - \\D2

  • Stop processing -

PKTFILTER option events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL5

  • Target tag - adn.f5.bigip.pktfilter.\\D1

  • Target message - \\D2

  • Stop processing -

Relay input event example:

Code Block
<172>Oct 22 09:58:57 testHost info tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S]

Relay output event example:

Code Block
<172>Oct 22 09:58:57 testHost adn.f5.bigip.pktfilter.tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S]

Besides the above-stated Traffic Management Operating System (TMOS) logs, BigIp platform can send events from the Host Management Subsystem (HMS - running a modified version of the CentOS Linux operating system) and the embedded Apache webserver. Specific relay rules should be created (based on the source logging facility) for sending these events to box.unix and web.apache.[access|error] tables respectively.

...

Rw ui tabs macro
Rw tab
title1-4

Anchor
adn.f5.bigip.afm
adn.f5.bigip.afm
adn.f5.bigip.afm

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

eventType

str

aclPolicyName

str

aclPolicyType

str

aclRuleName

str

aclRuleUuid

str

action

str

bigipHostname

str

bigipMgmtIp

ip4

contextName

str

contextType

str

dateTime

timestamp

destFqdn

str

destGeo

str

destIp

str

destIpIntCategories

str

destPort

str

deviceProduct

str

deviceVendor

str

deviceVersion

str

dropReason

str

errdefsMsgno

str

errdefsMsgName

str

flowId

str

ipProtocol

str

partitionName

str

protocol

str

routeDomain

str

saTranslationPool

str

saTranslationType

str

severity

str

srcFqdn

str

srcIp

str

srcPort

str

srcIpIntCategories

str

srcUser

str

srcUserGroup

str

srcGeo

str

translatedDestIp

ip4

translatedDestPort

str

translatedIpProtocol

str

translatedRouteDomain

str

translatedSrcIp

ip4

translatedSrcPort

str

translatedVlan

str

vlan

str

rawMessage

str

hostchain

str

tag

str

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

logId

str

eventType

str

partition

str

message

str

sessionId

str

bytesIn

int4

bytesOut

int4

rawMessage

str

hostchain

str

tag

str

Anchor
adn.f5.bigip.asm
adn.f5.bigip.asm
adn.f5.bigip.asm

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

logId

str

eventType

str

message

str

reportingProcess

str

reportingFunction

str

reportedError

str

rawMessage

str

hostchain

str

tag

str

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

logId

str

message

str

user

str

folder

str

module

str

status

str

cmdData

str

rawMessage

str

hostchain

str

tag

str

Rw tab
title5-7

Anchor
adn.f5.bigip.dns
adn.f5.bigip.dns
adn.f5.bigip.dns

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

logId

str

eventType

str

message

str

iqueryPeer

ip4

rawMessage

str

hostchain

str

tag

str

Anchor
adn.f5.bigip.ltm
adn.f5.bigip.ltm
adn.f5.bigip.ltm

Field

Type

Source field name

Extra fields

eventdate

timestamp

hostName

 

facility

str

facility

 

log_level

str

logLevel

process_name

str

processName

process_id

str

processId

log_id

str

logId

message

str

message

 

rule

str

 

rule_type

str

ruleType

rule_message

str

ruleMessage

str

node

str

nodeIp

ip4

routeDomainId

str

status

str

rawMessage

str

pool

str

poolMember

str

 

pool_member

str

poolMember

node

str

 

node_ip

ip4

nodeIp

node_port

str

nodePort

route_domain_id

str

routeDomainId

status

str

 

status_to

str

 

status_from

str

 

protocol

str

 

instance_id

str

 

virtual_ip

str

 

group_device

str

 

local_device

str

 

error_code

str

 

error_context

str

 

error_description

str

 

source_ip

str

 

source_ipv4

ip4

 

source_port

str

 

destination_ip

str

 

destination_ipv4

ip4

 

destination_port

str

 

rawMessage

str

 

hostchain

str

 

tag

str

 

Anchor
adn.f5.bigip.pktfilter
adn.f5.bigip.pktfilter
adn.f5.bigip.pktfilter

Field

Type

Extra fields

eventdate

timestamp

hostName

str

facility

str

logLevel

str

processName

str

processId

str

logId

str

message

str

accessProfile

str

partition

str

sessionId

str

packet

ip4

filter

str

action

str

vlan

str

len

int4

srcIp

ip4

srcPort

str

dstIp

ip4

dstPort

str

protocol

str

rawMessage

str

hostchain

str

tag

str