Introduction
The tags beginning with adn.f5 identify events generated by F5.
Valid tags and data tables
The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed as adn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes.
| | | | | |
|---|
adn | f5 | bigip
| afm apm ltm dns asm pkfilter audit pktfilter
| nf tmm[<PROC_ID>] apmd[<PROC_ID>] dummy abc mcpd[<PROC_ID>] gtmd[<PROC_ID>] perl[<PROC_ID>] iprepd[<PROC_ID>] tmm1[<PROC_ID>] tmsh[<PROC_ID>] mcpd[<PROC_ID>] httpd[<PROC_ID>]
| |
* Required or optional if it is a process name and ID.
** Optional. It is a process name and ID.
These are the valid tags and corresponding data tables that will receive the parsers' data:
| |
|---|
adn.f5.bigip.afm.nf.tmm[<PROC_ID>] | adn.f5.bigip.afm |
adn.f5.bigip.afm.nf | adn.f5.bigip.afm.nf |
| adn.f5.bigip.apm |
| adn.f5.bigip.ltm |
| adn.f5.bigip.dns |
| adn.f5.bigip.asm |
adn.f5.bigip.pktfilter.tmm1[<PROC_ID>] | adn.f5.bigip.pktfilter |
adn.f5.bigip.audit.tmsh[<PROC_ID>] adn.f5.bigip.audit.mcpd[<PROC_ID>] adn.f5.bigip.audit.httpd[<PROC_ID>]
| adn.f5.bigip.audit |
How is the data sent to Devo?
F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:
Configuring embedded Syslog-ng server. This is a legacy way to send.
Using the High-Speed Logging subsystem. This is way is recommended by F5.
Devo platform can be set as the destination syslog server for any of these remote logging mechanisms. F5 BigIp remote logging configuration tweaking required for tagging and TLS encryption.
Alternatively, which is the preferred option, a Devo Relay can be set up as the destination syslog server and it will properly tag and forward events to Devo platform. Devo expects events (logs) conforming to the following format:
<$PRI>$DATE $HOST adn.f5.bigip.<module>.$PROCESS[$PID]: $MSG.In regard to formatting, the module’s possible values are: ltm, asm, afm, apm, dns, audit, pktfilter (audit and pktfilter are not modules but options of the LTM module). For afm module, a 5th level must be included in the tag identifying the event type (nf, ps or dp). Here is an example:
<$PRI>$DATE $HOST adn.f5.bigip.afm.nf.$PROCESS[$PID]: $MSG.$PROCESS[$PID] is an optional level and can also be defined as just .$PROCESS
Logs generated by F5 must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter). Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.
| |
|---|
ASM module (traffic) eventsRule name → (i.e. F5_BigIp_ASM_Traffic) Source port → (i.e. 13011) Source data → \s{0,1}ASM:.* Sent without syslog tag → True Target tag → adn.f5.bigip.asm.N/A[N/A] Stop processing → True
This rule will process ASM module traffic events (sent via local0 facility by default). These events don’t include $PROCESS[$PID] (thus, this level is set to N/A[N/A] in Target tag for the sake of clarity when querying adn.f5.bigip.asm table).
Devo Relay input event example: <134>Oct 22 09:58:57 testHost ASM:unit_hostname=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>
Devo Relay output event example: <134>Oct 22 09:58:57 testHost adn.f5.bigip.asm.N/A[N/A]: ASM:unit_hostname=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>
Order of <keyN=”valueN”> pairs is not relevant.
| ASM module (traffic) Relay rule |
APM module (authentication) eventsRule name → (i.e. F5_BigIp_APM_Authentication) Source port → (i.e. 13011) Source data → \s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.* Sent without syslog tag → True Target tag → adn.f5.bigip.apm.N/A[N/A] Stop processing → True
This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: Relay output event example: Order of <keyN=valueN> pairs is not relevant. | APM module (authentication) Relay rule
|
AFM module (Protocol Security) eventsRule name → (i.e. F5_BigIp_AFM_Protocol Security) Source port → (i.e. 13011) Source data → \s{0,1}PSM:.* Sent without syslog tag → True Target tag → adn.f5.bigip.afm.ps.N/A[N/A] Stop processing → True
This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: <134>Oct 22 09:58:57 testHost PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>
Relay output event example: <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.ps.N/A[N/A]: PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>
Order of <keyN=”valueN”> pairs is not relevant.
| AFM module (Protocol Security) Relay rule |
AFM module (Dos Protection) eventsRule name → (i.e. F5_BigIp_AFM_Dos Protection) Source port → (i.e. 13011) Source data → .*[Network | Application] DoS Event.* Sent without syslog tag → True Target tag → adn.f5.bigip.afm.dp.N/A[N/A] Stop processing → True
This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: <134>Oct 22 09:58:57 testHost action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>
Relay output event example: <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.dp.N/A[N/A]: action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>
Order of <keyN=”valueN”> pairs is not relevant.
| AFM module (DoS Protection) Relay rule
|
AFM module (Network Firewall) eventsRule name → (i.e. F5_BigIp_AFM_Network Firewall) Source port → (i.e. 13011) Source data → .*Advanced Firewall Module.* Sent without syslog tag → True Target tag → adn.f5.bigip.afm.nf.N/A[N/A] Stop processing → True
This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].
Relay input event example: <134>Oct 22 09:58:57 testHost action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>
Relay output event example: <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.nf.N/A[N/A]: action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>
Order of <keyN=”valueN”> pairs is not relevant.
| AFM module (Network Firewall) Relay rule
|
AUDIT option eventsRule name → (i.e. F5_BigIp_AUDIT) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*AUDIT\s-\s.*) Sent without syslog tag → True Target tag → adn.f5.bigip.audit.\\D1 Target message → \\D2 Stop processing → True
This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events.
Relay input event examples: <134>Oct 22 09:58:57 testHost info tmsh[10433]: 01420002:5: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt <38>Oct 22 09:58:57 testHost info httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"
Relay output event examples: <134>Oct 22 09:58:57 testHost adn.f5.bigip.audit.tmsh[10433]: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt <38>Oct 22 09:58:57 testHost adn.f5.bigip.audit.httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"
| AUDIT option Relay rule |
LTM module (system & traffic) eventsRule name → (i.e. F5_BigIp_LTM) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL0 Target tag → adn.f5.bigip.ltm.\\D1 Target tag → \\D2 Stop processing → True
Relay input event examples: <134>Oct 22 09:58:57 testHost info tmm[8424]: 01010290:4: TCP: Memory pressure activated <134>Oct 22 09:58:57 testHost info tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com
Relay output event examples: <134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[8424]: 01010290:4: TCP: Memory pressure activated <134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com
| LTM module Relay rule
|
APM module (system) eventsRule name → (i.e. F5_BigIp_APM_System) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL1 Target tag → adn.f5.bigip.apm.\\D1 Target tag → \\D2 Stop processing → True
Relay input event example: Relay output event example: | APM module (system) Relay rule |
DNS module (system & query/response) eventsRule name → (i.e. F5_BigIp_DNS) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL2 Target tag → adn.f5.bigip.dns.\\D1 Target tag → \\D2 Stop processing → True
Relay input event examples: <150>Oct 22 09:58:57 testHost info gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green <150>Oct 22 09:58:57 testHost info tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)
Relay output event examples: <150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green <150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)
| DNS module Relay rule |
ASM module (system) eventsRule name → (i.e. F5_BigIp_ASM_System) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL3 Target tag → adn.f5.bigip.asm.\\D1 Target tag → \\D2 Stop processing → True
Relay input event example: Relay output event example:
| ASM module (system) Relay rule
|
LTM module events (ITCM portal and server (iControl) specific messages)Rule name → (i.e. F5_BigIp_LTM_iControl) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL4 Target tag → adn.f5.bigip.ltm.\\D1 Target tag → \\D2 Stop processing → True
| LTM module (iControl) Relay rule
|
PKTFILTER option eventsRule name → (i.e. F5_BigIp_PKFILTER) Source port → (i.e. 13011) Source data → \w+\s([^:]+):\s(.*) Sent without syslog tag → True Source facility → LOCAL5 Target tag → adn.f5.bigip.pktfilter.\\D1 Is prefix → False Target tag → \\D2 Stop processing → True
Relay input event example: Relay output event example:
| PKTFILTER option Relay rule
|
Besides the above-stated Traffic Management Operating System (TMOS) logs, BigIp platform can send events from the Host Management Subsystem (HMS - running a modified version of the CentOS Linux operating system) and the embedded Apache webserver. Specific relay rules should be created (based on source logging facility) for sending these events to box.unix and web.apache.[access|error] tables respectively.
