...
Valid tags and data tables
The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed asadn.f5
. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes.
* Required or optional if it is a process name and ID.
** Optional. It is a process name and ID.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|
F5’s BIG-IP | adn.f5.bigip.afm.nf.tmm[<PROC_ID>]
| adn.f5.bigip.afm
|
| adn.f5.bigip.apm
|
| adn.f5.bigip.asm
|
adn.f5.bigip.audit.tmsh[<PROC_ID>]
adn.f5.bigip.audit.mcpd[<PROC_ID>]
adn.f5.bigip.audit.httpd[<PROC_ID>]
| adn.f5.bigip.audit
|
| adn.f5.bigip.dns
|
| adn.f5.bigip.ltm
|
adn.f5.bigip.pktfilter.tmm1[<PROC_ID>]
| adn.f5.bigip.pktfilter
|
For more information, read more About Devo tags.
How is the data sent to Devo?
The F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:
...
You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter). Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.
...
Devo Relay rules |
---|
ASM module (traffic) eventsSource port - Any free port Source data - \s{0,1}ASM:.* Sent without syslog tag - ✓ Target tag - adn.f5.bigip.asm.N/A[N/A] Stop processing - ✓
This rule will process ASM module traffic events (sent via local0 facility by default). These events don’t include $PROCESS[$PID] (thus, this level is set to N/A[N/A] in Target tagfor the sake of clarity when querying the adn.f5.bigip.asm table).
Devo Relay input event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost ASM:unit_hostname="testHost",management_ip_address="0.0.0.0",<key3="value3",key4="value4",...> |
Devo Relay output event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.asm.N/A[N/A]: ASM:unit_hostname="testHost",management_ip_address="0.0.0.0",<key3="value3",key4="value4",...> |
Order of <keyN="valueN"> pairs is not relevant. |
APM module (authentication) eventsSource port - Any free port Source data - \s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.* Sent without syslog tag - ✓ Target tag - adn.f5.bigip.apm.N/A[N/A] Stop processing - ✓
This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…> |
Relay output event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.apm.N/A[N/A]: |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…> |
Order of <keyN=valueN> pairs is not relevant. |
AFM module (Protocol Security) eventsSource port - Any free port Source data - \s{0,1}PSM:.* Sent without syslog tag - ✓ Target tag - adn.f5.bigip.afm.ps.N/A[N/A] Stop processing - ✓
This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…> |
Relay output event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.ps.N/A[N/A]: PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…> |
Order of <keyN="valueN"> pairs is not relevant. |
AFM module (Dos Protection) eventsSource port - Any free port Source data - .*[Network | Application] DoS Event.* Sent without syslog tag - ✓ Target tag - adn.f5.bigip.afm.dp.N/A[N/A] Stop processing - ✓
This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…> |
Relay output event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.dp.N/A[N/A]: action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…> |
Order of <keyN="valueN"> pairs is not relevant. |
AFM module (Network Firewall) eventsSource port - Any free port Source data - .*Advanced Firewall Module.* Sent without syslog tag - ✓ Target tag - adn.f5.bigip.afm.nf.N/A[N/A] Stop processing - ✓
This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…> |
Relay output event example: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.nf.N/A[N/A]: action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…> |
Order of <keyN="valueN"> pairs is not relevant. |
AUDIT option eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*AUDIT\s-\s.*) Sent without syslog tag - ✓ Target tag - adn.f5.bigip.audit.\\D1 Target message - \\D2 Stop processing - ✓
This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events.
Relay input event examples: Code Block |
---|
<134>Oct 22 09:58:57 testHost info tmsh[10433]: 01420002:5: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt |
Code Block |
---|
<38>Oct 22 09:58:57 testHost info httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021" |
Relay output event examples: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.audit.tmsh[10433]: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt |
Code Block |
---|
<38>Oct 22 09:58:57 testHost adn.f5.bigip.audit.httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021" |
|
LTM module (system & traffic) eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL0 Target tag - adn.f5.bigip.ltm.\\D1 Target message - \\D2 Stop processing - ✓
Relay input event examples: Code Block |
---|
<134>Oct 22 09:58:57 testHost info tmm[8424]: 01010290:4: TCP: Memory pressure activated |
Code Block |
---|
<134>Oct 22 09:58:57 testHost info tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com |
Relay output event examples: Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[8424]: 01010290:4: TCP: Memory pressure activated |
Code Block |
---|
<134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com |
|
APM module (system) eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL1 Target tag - adn.f5.bigip.apm.\\D1 Target message - \\D2 Stop processing - ✓
Relay input event example: Code Block |
---|
<142>Oct 22 09:58:57 testHost info apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing ** |
Relay output event example: Code Block |
---|
<142>Oct 22 09:58:57 testHost adn.f5.bigip.apm.apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing ** |
|
DNS module (system & query/response) eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL2 Target tag - adn.f5.bigip.dns.\\D1 Target message - \\D2 Stop processing - ✓
Relay input event examples: Code Block |
---|
<150>Oct 22 09:58:57 testHost info gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green |
Code Block |
---|
<150>Oct 22 09:58:57 testHost info tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2) |
Relay output event examples: Code Block |
---|
<150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green |
Code Block |
---|
<150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2) |
|
ASM module (system) eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL3 Target tag - adn.f5.bigip.asm.\\D1 Target message - \\D2 Stop processing - ✓
Relay input event example: Code Block |
---|
<158>Oct 22 09:58:57 testHost info iprepd[5226]: 015c0009:5: IP Reputation has no license currently |
Relay output event example: Code Block |
---|
<158>Oct 22 09:58:57 testHost adn.f5.bigip.asm.iprepd[5226]: 015c0009:5: IP Reputation has no license currently |
|
LTM module events (ITCM portal and server (iControl) specific messages)Source port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL4 Target tag - adn.f5.bigip.ltm.\\D1 Target message - \\D2 Stop processing - ✓
|
PKTFILTER option eventsSource port - Any free port Source data - \w+\s([^:]+):\s(.*) Sent without syslog tag - ✓ Source facility - LOCAL5 Target tag - adn.f5.bigip.pktfilter.\\D1 Target message - \\D2 Stop processing - ✓
Relay input event example: Code Block |
---|
<172>Oct 22 09:58:57 testHost info tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S] |
Relay output event example: Code Block |
---|
<172>Oct 22 09:58:57 testHost adn.f5.bigip.pktfilter.tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S] |
|
Besides the above-stated Traffic Management Operating System (TMOS) logs, BigIp platform can send events from the Host Management Subsystem (HMS - running a modified version of the CentOS Linux operating system) and the embedded Apache webserver. Specific relay rules should be created (based on the source logging facility) for sending these events to box.unix and web.apache.[access|error]
tables respectively.
...
Rw ui tabs macro |
---|
Anchor |
---|
| adn.f5.bigip.afm |
---|
| adn.f5.bigip.afm |
---|
| adn.f5.bigip.afmField | Type | Extra fields |
---|
eventdate | timestamp
| | hostName | str
| | facility | str
| | logLevel | str
| | processName | str
| | processId | str
| | eventType | str
| | aclPolicyName | str
| | aclPolicyType | str
| | aclRuleName | str
| | aclRuleUuid | str
| | action | str
| | bigipHostname | str
| | bigipMgmtIp | ip4
| | contextName | str
| | contextType | str
| | dateTime | timestamp
| | destFqdn | str
| | destGeo | str
| | destIp | str
| | destIpIntCategories | str
| | destPort | str
| | deviceProduct | str
| | deviceVendor | str
| | deviceVersion | str
| | dropReason | str
| | errdefsMsgno | str
| | errdefsMsgName | str
| | flowId | str
| | ipProtocol | str
| | partitionName | str
| | protocol | str
| | routeDomain | str
| | saTranslationPool | str
| | saTranslationType | str
| | severity | str
| | srcFqdn | str
| | srcIp | str
| | srcPort | str
| | srcIpIntCategories | str
| | srcUser | str
| | srcUserGroup | str
| | srcGeo | str
| | translatedDestIp | ip4
| | translatedDestPort | str
| | translatedIpProtocol | str
| | translatedRouteDomain | str
| | translatedSrcIp | ip4
| | translatedSrcPort | str
| | translatedVlan | str
| | vlan | str
| | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| adn.f5.bigip.apm |
---|
| adn.f5.bigip.apm |
---|
| adn.f5.bigip.apmField | Type | Extra fields |
---|
eventdate | timestamp
| | hostName | str
| | facility | str
| | logLevel | str
| | processName | str
| | processId | str
| | logId | str
| | eventType | str
| | partition | str
| | message | str
| | sessionId | str
| | bytesIn | int4
| | bytesOut | int4
| | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| adn.f5.bigip.asm |
---|
| adn.f5.bigip.asm |
---|
| adn.f5.bigip.asmField | Type | Extra fields |
---|
eventdate | timestamp
| | hostName | str
| | facility | str
| | logLevel | str
| | processName | str
| | processId | str
| | logId | str
| | eventType | str
| | message | str
| | reportingProcess | str
| | reportingFunction | str
| | reportedError | str
| | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| adn.f5.bigip.audit |
---|
| adn.f5.bigip.audit |
---|
| adn.f5.bigip.auditField | Type | Extra fields |
---|
eventdate | timestamp
| | hostName | str
| | facility | str
| | logLevel | str
| | processName | str
| | processId | str
| | logId | str
| | message | str
| | user | str
| | folder | str
| | module | str
| | status | str
| | cmdData | str
| | rawMessage | str
| ✓ | hostchain | str
| ✓ | tag | str
| ✓ |
Anchor |
---|
| adn.f5.bigip.dns |
---|
| adn.f5.bigip.dns |
---|
| adn.f5.bigip.dnsField | Type | Source field name | Extra fields |
---|
eventdate | timestamp
| hostName | | machine | str
| | | facility | str
| | | log_level | str
| logLevel | | process_name | str
| processName | | process_id | str
| processId | | log_id | str
| logId | | event_type | str
| eventType |
str iqueryPeerip4 rawMessage | ✓ | hostchainqueryTs | | client_ip | str
| | | client_ipv4 | ip4
| clientIp | | client_port | str
| ✓tag✓ | adn.f5.bigip.ltm | adn.f5.bigip.ltm | adn.f5.bigip.ltmField | Type | Extra fields |
---|
eventdate | timestamp
| hostName | str
| facility | str
| logLevel | str
| processName | str
| processId | str
| logId | str
| message | str
| rule | str
| ruleType | str
| ruleMessage | str
| pool | str
| poolMember | str
| node | str
| nodeIp | ip4
| routeDomainId | str
| status | str
| rawMessage | str
| ✓ |
hostchain | str
| ✓ |
tag | str
| Anchor |
---|
query_name | str
| queryName | |
query_class | str
| queryClass | |
query_type | str
| queryType | |
query_flags | str
| queryFlags | |
response_status | str
| responseStatus | |
response_flags | str
| responseFlags | |
response_ttl | str
| responseTtl | |
response_record | str
| responseRecord | |
dns_server_ip | str
| | |
dns_server_ipv4 | ip4
| dnsServerIp | |
server | str
| | |
virtual_server | str
| | |
virtual_ip | str
| | |
virtual_ipv4 | ip4
| | |
virtual_port | str
| | |
iquery_peer | str
| | |
iquery_peer_ipv4 | ip4
| iqueryPeer | |
iquery_peer_port | str
| | |
server_status | str
| serverStatus | |
rule | str
| | |
rule_type | str
| ruleType | |
rule_message | str
| ruleMessage | |
pool | str
| | |
pool_member | str
| | |
instance | str
| | |
error_code | str
| | |
error_description | str
| | |
rawMessage | str
| | ✓ |
hostchain | str
| | ✓ |
tag | str
| | ✓ |
Anchor |
---|
| adn.f5.bigip.ltm |
---|
| adn.f5.bigip.ltm |
---|
|
adn.f5.bigip.ltmField | Type | Source field name | Extra fields |
---|
eventdate | timestamp
| | |
facility | str
| | |
log_level | str
| logLevel | |
process_name | str
| processName | |
process_id | str
| processId | |
log_id | str
| logId | |
message | str
| | |
rule | str
| | |
rule_type | str
| ruleType | |
rule_message | str
| ruleMessage | |
pool | str
| | |
pool_member | str
| poolMember | |
node | str
| | |
node_ip | ip4
| nodeIp | |
node_port | str
| nodePort | |
route_domain_id | str
| routeDomainId | |
status | str
| | |
status_to | str
| | |
status_from | str
| | |
protocol | str
| | |
instance_id | str
| | |
virtual_ip | str
| | |
group_device | str
| | |
local_device | str
| | |
error_code | str
| | |
error_context | str
| | |
error_description | str
| | |
source_ip | str
| | |
source_ipv4 | ip4
| | |
source_port | str
| | |
destination_ip | str
| | |
destination_ipv4 | ip4
| | |
destination_port | str
| | |
rawMessage | str
| | ✓ |
hostchain | str
| | ✓ |
tag | str
| | ✓ |
Anchor |
---|
| adn.f5.bigip.pktfilter |
---|
| adn.f5.bigip.pktfilter |
---|
|
adn.f5.bigip.pktfilterField | Type | Extra fields |
---|
eventdate | timestamp
| |
hostName | str
| |
facility | str
| |
logLevel | str
| |
processName | str
| |
processId | str
| |
logId | str
| |
message | str
| |
accessProfile | str
| |
partition | str
| |
sessionId | str
| |
packet |
ip4
int4
| |
filter | str
| |
action | str
| |
vlan | str
| |
len | int4
| |
srcIp | ip4
| |
srcPort | str
| |
dstIp | ip4
| |
dstPort | str
| |
protocol | str
| |
rawMessage | str
| ✓ |
hostchain | str
| ✓ |
tag | str
| ✓ |