
adn.f5

Introduction

The tags beginning with adn.f5 identify events generated by F5. 

Valid tags and data tables

The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed as adn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes. 

* Required or optional if it is a process name and ID.

** Optional. It is a process name and ID.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service: F5’s BIG-IP

Data table adn.f5.bigip.afm:

  • adn.f5.bigip.afm.nf.tmm[<PROC_ID>]

Data table adn.f5.bigip.apm:

  • adn.f5.bigip.apm.tmm[<PROC_ID>]

  • adn.f5.bigip.apm.apmd[<PROC_ID>]

  • adn.f5.bigip.apm.dummy

  • adn.f5.bigip.apm

Data table adn.f5.bigip.asm:

  • adn.f5.bigip.asm.perl[<PROC_ID>]

  • adn.f5.bigip.asm.iprepd[<PROC_ID>]

  • adn.f5.bigip.asm

Data table adn.f5.bigip.audit:

  • adn.f5.bigip.audit.tmsh[<PROC_ID>]

  • adn.f5.bigip.audit.mcpd[<PROC_ID>]

  • adn.f5.bigip.audit.httpd[<PROC_ID>]

Data table adn.f5.bigip.dns:

  • adn.f5.bigip.dns.gtmd[<PROC_ID>]

  • adn.f5.bigip.dns.tmm[<PROC_ID>]

  • adn.f5.bigip.dns

Data table adn.f5.bigip.ltm:

  • adn.f5.bigip.ltm

  • adn.f5.bigip.ltm.abc

  • adn.f5.bigip.ltm.mcpd[<PROC_ID>]

  • adn.f5.bigip.ltm.tmm[<PROC_ID>]

Data table adn.f5.bigip.pktfilter:

  • adn.f5.bigip.pktfilter.tmm1[<PROC_ID>]

How is the data sent to Devo?

The F5 BIG-IP platform has two mechanisms for sending data-plane and management-plane logs to a remote syslog server or to a pool of them:

  1. Configuring the embedded syslog-ng server (the legacy method).

  2. Using the High-Speed Logging (HSL) subsystem, which is the method F5 recommends.

The Devo platform can be set as the destination syslog server for either mechanism, but the BIG-IP remote logging configuration then has to be adjusted to add the Devo tag and to enable TLS encryption.

Alternatively, and this is the preferred option, a Devo Relay can be set up as the destination syslog server; the relay tags the events and forwards them to the Devo platform. Devo expects events (logs) to conform to the following format:

<$PRI>$DATE $HOST adn.f5.bigip.<module>.$PROCESS[$PID]: $MSG.

The module level can take the values ltm, asm, afm, apm, dns, audit and pktfilter (audit and pktfilter are not modules but options of the LTM module). For the afm module, a fifth level identifying the event type (nf, ps or dp) must be included in the tag, for example:

<$PRI>$DATE $HOST adn.f5.bigip.afm.nf.$PROCESS[$PID]: $MSG

The .$PROCESS[$PID] level is optional and can also be given as just .$PROCESS.

Logs generated by F5 must be sent to the Devo platform via the Devo Relay to secure the communication. The required relay rules are described below.

Configure rules in the relay to correctly process and forward the events received from the different BIG-IP modules (LTM, ASM, AFM, APM and DNS, formerly GTM), from the system authentication/monitoring option (audit) and from the traffic filtering option (pktfilter). Rules for modules or options that are not in use can be omitted. Set the Devo Relay rules in the same order as listed here.

Devo Relay rules

ASM module (traffic) events

  • Source port - Any free port

  • Source data - \s{0,1}ASM:.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.asm.N/A[N/A]

  • Stop processing -

This rule will process ASM module traffic events (sent via the local0 facility by default). These events don’t include $PROCESS[$PID], so this level is set to N/A[N/A] in the Target tag for the sake of clarity when querying the adn.f5.bigip.asm table.


Devo Relay input event example:

<134>Oct 22 09:58:57 testHost ASM:unit_hostname="testHost",management_ip_address="0.0.0.0",<key3="value3",key4="value4",...>

Devo Relay output event example:

Order of <keyN="valueN"> pairs is not relevant.

APM module (authentication) events

  • Source port - Any free port

  • Source data - \s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.apm.N/A[N/A]

  • Stop processing -

This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

Relay output event example:

Order of <keyN=valueN> pairs is not relevant.



AFM module (Protocol Security) events

  • Source port - Any free port

  • Source data - \s{0,1}PSM:.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.ps.N/A[N/A]

  • Stop processing -

This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

Relay output event example:

Order of <keyN="valueN"> pairs is not relevant.

AFM module (Dos Protection) events

  • Source port - Any free port

  • Source data - .*[Network | Application] DoS Event.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.dp.N/A[N/A]

  • Stop processing -

This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

Relay output event example:

Order of <keyN="valueN"> pairs is not relevant.



AFM module (Network Firewall) events

  • Source port - Any free port

  • Source data - .*Advanced Firewall Module.*

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.afm.nf.N/A[N/A]

  • Stop processing -

This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

Relay output event example:

Order of <keyN="valueN"> pairs is not relevant.



AUDIT option events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*AUDIT\s-\s.*)

  • Sent without syslog tag -

  • Target tag - adn.f5.bigip.audit.\\D1

  • Target message - \\D2

  • Stop processing -

This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events.


Relay input event examples:

Relay output event examples:

LTM module (system & traffic) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL0

  • Target tag - adn.f5.bigip.ltm.\\D1

  • Target message - \\D2

  • Stop processing -


Relay input event examples:

Relay output event examples:



APM module (system) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL1

  • Target tag - adn.f5.bigip.apm.\\D1

  • Target message - \\D2

  • Stop processing -


Relay input event example:

Relay output event example:

DNS module (system & query/response) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL2

  • Target tag - adn.f5.bigip.dns.\\D1

  • Target message - \\D2

  • Stop processing -


Relay input event examples:

Relay output event examples:

ASM module (system) events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL3

  • Target tag - adn.f5.bigip.asm.\\D1

  • Target message - \\D2

  • Stop processing -


Relay input event example:

Relay output event example:



LTM module events (ITCM portal and server (iControl) specific messages)

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL4

  • Target tag - adn.f5.bigip.ltm.\\D1

  • Target message - \\D2

  • Stop processing -

PKTFILTER option events

  • Source port - Any free port

  • Source data - \w+\s([^:]+):\s(.*)

  • Sent without syslog tag -

  • Source facility - LOCAL5

  • Target tag - adn.f5.bigip.pktfilter.\\D1

  • Target message - \\D2

  • Stop processing -


Relay input event example:

Relay output event example:
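The rule set above applied in the documented order to constructed sample events, as an added Python example that is not part of the Devo documentation or relay code: it decodes the syslog PRI into a facility, honours the Source facility of each rule, and expands \D1 and \D2 from the Source data capture groups into the target tag and message. It assumes the relay matches Source data against everything after the hostname, and that a rule without a Target message forwards that data unchanged.

```python
import re
from dataclasses import dataclass
from typing import Optional
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5 = range(16, 22)  # RFC 3164 facility numbers

@dataclass
class Rule:
    source_data: str                      # "Source data" regex, copied from the rule list above
    target_tag: str                       # "Target tag"; \D1 is capture group 1 of source_data
    target_message: Optional[str] = None  # "Target message" (\D2); None leaves the data unchanged
    facility: Optional[int] = None        # "Source facility"; None means any facility

# The twelve rules in the order the page says to configure them.
RULES = [
    Rule(r"\s{0,1}ASM:.*", "adn.f5.bigip.asm.N/A[N/A]"),
    Rule(r"\s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.*", "adn.f5.bigip.apm.N/A[N/A]"),
    Rule(r"\s{0,1}PSM:.*", "adn.f5.bigip.afm.ps.N/A[N/A]"),
    Rule(r".*[Network | Application] DoS Event.*", "adn.f5.bigip.afm.dp.N/A[N/A]"),
    Rule(r".*Advanced Firewall Module.*", "adn.f5.bigip.afm.nf.N/A[N/A]"),
    Rule(r"\w+\s([^:]+):\s(.*AUDIT\s-\s.*)", r"adn.f5.bigip.audit.\D1", r"\D2"),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.ltm.\D1", r"\D2", LOCAL0),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.apm.\D1", r"\D2", LOCAL1),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.dns.\D1", r"\D2", LOCAL2),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.asm.\D1", r"\D2", LOCAL3),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.ltm.\D1", r"\D2", LOCAL4),
    Rule(r"\w+\s([^:]+):\s(.*)", r"adn.f5.bigip.pktfilter.\D1", r"\D2", LOCAL5),
]
# BSD syslog header: <PRI>, "Mmm dd hh:mm:ss", hostname, then the data the rules inspect.
HEADER = re.compile(r"<(\d{1,3})>(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(\S+)\s(.*)", re.S)

def _expand(template, m):
    # Replace each \D<n> placeholder with capture group n of the matched Source data regex.
    return re.sub(r"\\D(\d)", lambda g: m.group(int(g.group(1))), template)

def route(line):
    # Return the retagged event for the first matching rule, or None when no rule applies.
    h = HEADER.fullmatch(line)
    if not h:
        return None
    pri, date, host, data = int(h.group(1)), h.group(2), h.group(3), h.group(4)
    facility = pri >> 3  # PRI = facility * 8 + severity
    for rule in RULES:
        if rule.facility is not None and rule.facility != facility:
            continue
        m = re.fullmatch(rule.source_data, data)  # assumption: the relay matches the whole data
        if m:
            msg = _expand(rule.target_message, m) if rule.target_message else data
            return f"<{pri}>{date} {host} {_expand(rule.target_tag, m)}: {msg}"
    return None
```

Feeding the page's ASM input event to route() yields the event tagged adn.f5.bigip.asm.N/A[N/A]; a local0 event containing "Network DoS Event" is caught by the AFM DoS rule before the generic LTM rule can claim it, which is why the order matters.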



Besides the Traffic Management Operating System (TMOS) logs described above, the BIG-IP platform can also send events from the Host Management Subsystem (HMS, which runs a modified version of the CentOS Linux operating system) and from the embedded Apache web server. Specific relay rules, based on the source logging facility, should be created to send these events to the box.unix and web.apache.[access|error] tables respectively.

Table structure

These are the fields displayed in these tables: