...
Valid tags and data tables
The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed as adn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes.
* Required or optional if it is a process name and ID.
** Optional. It is a process name and ID.
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
For more information, read About Devo tags.
How is the data sent to Devo?
The F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:
...
Logs generated by F5 must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter). Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.
...
adn.f5.bigip.afm

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| eventType | str | |
| aclPolicyName | str | |
| aclPolicyType | str | |
| aclRuleName | str | |
| aclRuleUuid | str | |
| action | str | |
| bigipHostname | str | |
| bigipMgmtIp | ip4 | |
| contextName | str | |
| contextType | str | |
| dateTime | timestamp | |
| destFqdn | str | |
| destGeo | str | |
| destIp | str | |
| destIpIntCategories | str | |
| destPort | str | |
| deviceProduct | str | |
| deviceVendor | str | |
| deviceVersion | str | |
| dropReason | str | |
| errdefsMsgno | str | |
| errdefsMsgName | str | |
| flowId | str | |
| ipProtocol | str | |
| partitionName | str | |
| protocol | str | |
| routeDomain | str | |
| saTranslationPool | str | |
| saTranslationType | str | |
| severity | str | |
| srcFqdn | str | |
| srcIp | str | |
| srcPort | str | |
| srcIpIntCategories | str | |
| srcUser | str | |
| srcUserGroup | str | |
| srcGeo | str | |
| translatedDestIp | ip4 | |
| translatedDestPort | str | |
| translatedIpProtocol | str | |
| translatedRouteDomain | str | |
| translatedSrcIp | ip4 | |
| translatedSrcPort | str | |
| translatedVlan | str | |
| vlan | str | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.apm

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| eventType | str | |
| partition | str | |
| message | str | |
| sessionId | str | |
| bytesIn | int4 | |
| bytesOut | int4 | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.asm

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| eventType | str | |
| message | str | |
| reportingProcess | str | |
| reportingFunction | str | |
| reportedError | str | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| message | str | |
| user | str | |
| folder | str | |
| module | str | |
| status | str | |
| cmdData | str | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.dns

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| eventType | str | |
| message | str | |
| iqueryPeer | ip4 | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.ltm

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| facility | str | | |
| log_level | str | logLevel | |
| process_name | str | processName | |
| process_id | str | processId | |
| log_id | str | logId | |
| message | str | | |
| rule | str | | |
| rule_type | str | ruleType | |
| rule_message | str | ruleMessage | |
| pool | str | | |
| pool_member | str | poolMember | |
| node | str | | |
| node_ip | ip4 | nodeIp | |
| node_port | str | nodePort | |
| route_domain_id | str | routeDomainId | |
| status | str | | |
| status_to | str | | |
| status_from | str | | |
| protocol | str | | |
| instance_id | str | | |
| virtual_ip | str | | |
| group_device | str | | |
| local_device | str | | |
| error_code | str | | |
| error_context | str | | |
| error_description | str | | |
| source_ip | str | | |
| source_ipv4 | ip4 | | |
| source_port | str | | |
| destination_ip | str | | |
| destination_ipv4 | ip4 | | |
| destination_port | str | | |
| rawMessage | str | | ✓ |
| hostchain | str | | ✓ |
| tag | str | | ✓ |

adn.f5.bigip.pktfilter

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| message | str | |
| accessProfile | str | |
| partition | str | |
| sessionId | str | |
| packet | ip4 | |
| filter | str | |
| action | str | |
| vlan | str | |
| len | int4 | |
| srcIp | ip4 | |
| srcPort | str | |
| dstIp | ip4 | |
| dstPort | str | |
| protocol | str | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |

adn.f5.bigip.dns

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| machine | str | | |
| facility | str | | |
| log_level | str | logLevel | |
| process_name | str | processName | |
| process_id | str | processId | |
| log_id | str | logId | |
| event_type | str | eventType | |
| message | str | | |
| query_ts | str | queryTs | |
| client_ip | str | | |
| client_ipv4 | ip4 | clientIp | |
| client_port | str | clientPort | |
| view | str | | |
| query_name | str | queryName | |
| query_class | str | queryClass | |
| query_type | str | queryType | |
| query_flags | str | queryFlags | |
| response_status | str | responseStatus | |
| response_flags | str | responseFlags | |
| response_ttl | str | responseTtl | |
| response_record | str | responseRecord | |
| dns_server_ip | str | | |
| dns_server_ipv4 | ip4 | dnsServerIp | |
| server | str | | |
| virtual_server | str | | |
| virtual_ip | str | | |
| virtual_ipv4 | ip4 | | |
| virtual_port | str | | |
| iquery_peer | str | | |
| iquery_peer_ipv4 | ip4 | iqueryPeer | |
| iquery_peer_port | str | | |
| server_status | str | serverStatus | |
| rule | str | | |
| rule_type | str | ruleType | |
| rule_message | str | ruleMessage | |
| pool | str | | |
| pool_member | str | | |
| instance | str | | |
| error_code | str | | |
| error_description | str | | |
| rawMessage | str | | ✓ |
| hostchain | str | | ✓ |
| tag | str | | ✓ |

adn.f5.bigip.pktfilter

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostName | str | |
| facility | str | |
| logLevel | str | |
| processName | str | |
| processId | str | |
| logId | str | |
| message | str | |
| accessProfile | str | |
| partition | str | |
| sessionId | str | |
| packet | int4 | |
| filter | str | |
| action | str | |
| vlan | str | |
| len | int4 | |
| srcIp | ip4 | |
| srcPort | str | |
| dstIp | ip4 | |
| dstPort | str | |
| protocol | str | |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| tag | str | ✓ |