Document toolboxDocument toolbox

adn.f5

Introduction

The tags beginning with adn.f5 identify events generated by F5. 

Valid tags and data tables

The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level.  The first two are fixed as adn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes. 

Technology

Brand

Type

Subtype 1

Subtype 2 *

Subtype 3 **

Technology

Brand

Type

Subtype 1

Subtype 2 *

Subtype 3 **

adn

f5

bigip



  • afm

  • apm

  • ltm

  • dns

  • asm

  • pkfilter

  • audit

  • pktfilter

  • nf

  • tmm[<PROC_ID>]

  • apmd[<PROC_ID>]

  • dummy

  • abc

  • mcpd[<PROC_ID>]

  • gtmd[<PROC_ID>]

  • perl[<PROC_ID>]

  • iprepd[<PROC_ID>]

  • tmm1[<PROC_ID>]

  • tmsh[<PROC_ID>]

  • mcpd[<PROC_ID>]

  • httpd[<PROC_ID>]

  • tmm[<PROC_ID>]

* Required or optional if it is a process  name and ID.

** Optional. It is a process  name and ID.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

adn.f5.bigip.afm.nf.tmm[<PROC_ID>]

adn.f5.bigip.afm

adn.f5.bigip.afm.nf

adn.f5.bigip.afm.nf

  • adn.f5.bigip.apm.tmm[<PROC_ID>]

  • adn.f5.bigip.apm.apmd[<PROC_ID>]

  • adn.f5.bigip.apm.dummy

  • adn.f5.bigip.apm

adn.f5.bigip.apm

  • adn.f5.bigip.ltm

  • adn.f5.bigip.ltm.abc

  • adn.f5.bigip.ltm.mcpd[<PROC_ID>]

  • adn.f5.bigip.ltm.tmm[<PROC_ID>]

adn.f5.bigip.ltm

  • adn.f5.bigip.dns.gtmd[<PROC_ID>]

  • adn.f5.bigip.dns.tmm[<PROC_ID>]

  • adn.f5.bigip.dns

adn.f5.bigip.dns

  • adn.f5.bigip.asm.perl[<PROC_ID>]

  • adn.f5.bigip.asm.iprepd[<PROC_ID>]

  • adn.f5.bigip.asm

adn.f5.bigip.asm

adn.f5.bigip.pktfilter.tmm1[<PROC_ID>]

adn.f5.bigip.pktfilter

  • adn.f5.bigip.audit.tmsh[<PROC_ID>]

  • adn.f5.bigip.audit.mcpd[<PROC_ID>]

  • adn.f5.bigip.audit.httpd[<PROC_ID>]

adn.f5.bigip.audit

How is the data sent to Devo?

F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:

  1. Configuring embedded Syslog-ng server. This is a legacy way to send.

  2. Using the High-Speed Logging subsystem. This is way is recommended by F5.

Devo platform can be set as the destination syslog server for any of these remote logging mechanisms. F5 BigIp remote logging configuration tweaking required for tagging and TLS encryption.

Alternatively, which is the preferred option, a Devo Relay can be set up as the destination syslog server and it will properly tag and forward events to Devo platform. Devo expects events (logs) conforming to the following format:

<$PRI>$DATE $HOST adn.f5.bigip.<module>.$PROCESS[$PID]: $MSG.

In regard to formatting, the module’s possible values are: ltm, asm, afm, apm, dns, audit, pktfilter (audit and pktfilter are not modules but options of the LTM module). For afm module, a 5th level must be included in the tag identifying the event type (nf, ps or dp). Here is an example: 

<$PRI>$DATE $HOST adn.f5.bigip.afm.nf.$PROCESS[$PID]: $MSG

.$PROCESS[$PID] is an optional level and can also be defined as just .$PROCESS

Logs generated by F5 must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter).  Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.

Devo Relay rules

Relay screenshot

Devo Relay rules

Relay screenshot

ASM module (traffic) events

  • Rule name → (i.e. F5_BigIp_ASM_Traffic)

  • Source port → (i.e. 13011)

  • Source data → \s{0,1}ASM:.*

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.asm.N/A[N/A]

  • Stop processing → True

This rule will process ASM module traffic events (sent via local0 facility by default). These events don’t include $PROCESS[$PID] (thus, this level is set to N/A[N/A] in Target tag for the sake of clarity when querying adn.f5.bigip.asm table).


Devo Relay input event example:

  • <134>Oct 22 09:58:57 testHost ASM:unit_hostname=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Devo Relay output event example:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.asm.N/A[N/A]: ASM:unit_hostname=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Order of <keyN=”valueN”> pairs is not relevant.



ASM module (traffic) Relay rule

APM module (authentication) events

  • Rule name → (i.e. F5_BigIp_APM_Authentication)

  • Source port → (i.e. 13011)

  • Source data → \s{0,1}\|[Login Event|Session Closed Event|Login 2\-Factor Message]+\\.*

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.apm.N/A[N/A]

  • Stop processing → True

This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

  • <134>Oct 22 09:58:57 testHost |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…>

Relay output event example:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.apm.N/A[N/A]: |Login Event|<TAB>cat=deny<TAB>src=”0.0.0.0”<TAB><key3=value3<TAB>key4=value4<TAB>…>

Order of <keyN=valueN> pairs is not relevant.

APM module (authentication) Relay rule



AFM module (Protocol Security) events

  • Rule name → (i.e. F5_BigIp_AFM_Protocol Security)

  • Source port → (i.e. 13011)

  • Source data → \s{0,1}PSM:.*

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.afm.ps.N/A[N/A]

  • Stop processing → True

This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

  • <134>Oct 22 09:58:57 testHost PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.ps.N/A[N/A]: PSM:protocol=”testHost”,management_ip_address=”0.0.0.0”,<key3=”value3”,key4=”value4”,…>

Order of <keyN=”valueN”> pairs is not relevant.



AFM module (Protocol Security) Relay rule

AFM module (Dos Protection) events

  • Rule name → (i.e. F5_BigIp_AFM_Dos Protection)

  • Source port → (i.e. 13011)

  • Source data → .*[Network | Application] DoS Event.*

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.afm.dp.N/A[N/A]

  • Stop processing → True

This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

  • <134>Oct 22 09:58:57 testHost action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.dp.N/A[N/A]: action=”Blocking”,errdefs_msg_name=”Network DoS Event”,<key3=”value3”,key4=”value4”,…>

Order of <keyN=”valueN”> pairs is not relevant.



AFM module (DoS Protection) Relay rule



AFM module (Network Firewall) events

  • Rule name → (i.e. F5_BigIp_AFM_Network Firewall)

  • Source port → (i.e. 13011)

  • Source data → .*Advanced Firewall Module.*

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.afm.nf.N/A[N/A]

  • Stop processing → True

This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include $PROCESS[$PID].


Relay input event example:

  • <134>Oct 22 09:58:57 testHost action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>

Relay output event example:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.afm.nf.N/A[N/A]: action=”Blocking”,device_product=”Advanced Firewall Module”,<key3=”value3”,key4=”value4”,…>

Order of <keyN=”valueN”> pairs is not relevant.



AFM module (Network Firewall) Relay rule



AUDIT option events

  • Rule name → (i.e. F5_BigIp_AUDIT)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*AUDIT\s-\s.*)

  • Sent without syslog tag → True

  • Target tag → adn.f5.bigip.audit.\\D1

  • Target message → \\D2

  • Stop processing → True

This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events.


Relay input event examples:

  • <134>Oct 22 09:58:57 testHost info tmsh[10433]: 01420002:5: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt

  • <38>Oct 22 09:58:57 testHost info httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"

Relay output event examples:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.audit.tmsh[10433]: AUDIT - pid=10433 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys mcp-state field-fmt

  • <38>Oct 22 09:58:57 testHost adn.f5.bigip.audit.httpd[4711]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.43.159 attempts=1 start="Thu Oct 22 09:58:19 2021"



AUDIT option Relay rule

LTM module (system & traffic) events

  • Rule name → (i.e. F5_BigIp_LTM)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL0

  • Target tag → adn.f5.bigip.ltm.\\D1

  • Target tag → \\D2

  • Stop processing → True


Relay input event examples:

  • <134>Oct 22 09:58:57 testHost info tmm[8424]: 01010290:4: TCP: Memory pressure activated

  • <134>Oct 22 09:58:57 testHost info tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com

Relay output event examples:

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[8424]: 01010290:4: TCP: Memory pressure activated

  • <134>Oct 22 09:58:57 testHost adn.f5.bigip.ltm.tmm[12062]: Rule /Common/iRule-log <HTTP_REQUEST>: Client 10.10.10.10 request to www.example.com



LTM module Relay rule



APM module (system) events

  • Rule name → (i.e. F5_BigIp_APM_System)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL1

  • Target tag → adn.f5.bigip.apm.\\D1

  • Target tag → \\D2

  • Stop processing → True


Relay input event example:

  • <142>Oct 22 09:58:57 testHost info apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **

Relay output event example:

  • <142>Oct 22 09:58:57 testHost adn.f5.bigip.apm.apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **

APM module (system) Relay rule

DNS module (system & query/response) events

  • Rule name → (i.e. F5_BigIp_DNS)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL2

  • Target tag → adn.f5.bigip.dns.\\D1

  • Target tag → \\D2

  • Stop processing → True


Relay input event examples:

  • <150>Oct 22 09:58:57 testHost info gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green

  • <150>Oct 22 09:58:57 testHost info tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)

Relay output event examples:

  • <150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.gtmd[11895]: 011a5003:1: SNMP_TRAP: Server /Common/ABC (ip=0.0.0.0) state change red --> green

  • <150>Oct 22 09:58:57 testHost adn.f5.bigip.dns.tmm[22169]: 2019-03-01 04:12:32 bigip-dns.local from 192.168.0.1#1234 view none: query: www.example.com IN A +E (192.168.0.2)



DNS module Relay rule

ASM module (system) events

  • Rule name → (i.e. F5_BigIp_ASM_System)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL3

  • Target tag → adn.f5.bigip.asm.\\D1

  • Target tag → \\D2

  • Stop processing → True


Relay input event example:

  • <158>Oct 22 09:58:57 testHost info iprepd[5226]: 015c0009:5: IP Reputation has no license currently

Relay output event example:

  • <158>Oct 22 09:58:57 testHost adn.f5.bigip.asm.iprepd[5226]: 015c0009:5: IP Reputation has no license currently



ASM module (system) Relay rule



LTM module events (ITCM portal and server (iControl) specific messages)

  • Rule name → (i.e. F5_BigIp_LTM_iControl)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL4

  • Target tag → adn.f5.bigip.ltm.\\D1

  • Target tag → \\D2

  • Stop processing → True

LTM module (iControl) Relay rule



PKTFILTER option events

  • Rule name → (i.e. F5_BigIp_PKFILTER)

  • Source port → (i.e. 13011)

  • Source data → \w+\s([^:]+):\s(.*)

  • Sent without syslog tag → True

  • Source facility → LOCAL5

  • Target tag → adn.f5.bigip.pktfilter.\\D1

  • Is prefix → False

  • Target tag → \\D2

  • Stop processing → True


Relay input event example:

  • <172>Oct 22 09:58:57 testHost info tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S]

Relay output event example:

  • <172>Oct 22 09:58:57 testHost adn.f5.bigip.pktfilter.tmm1[17719]: 01250001:5: /Common/VS1 (9516070): no action on /Common/Vlan1, len: 66 [IPv4 52 192.168.1.1 -> 10.10.1.1 TCP 61571 -> 80 S]



PKTFILTER option Relay rule



Besides the above-stated Traffic Management Operating System (TMOS) logs, BigIp platform can send events from the Host Management Subsystem (HMS - running a modified version of the CentOS Linux operating system) and the embedded Apache webserver. Specific relay rules should be created (based on source logging facility) for sending these events to box.unix and web.apache.[access|error] tables respectively.