adn.f5
Introduction
The tags beginning with adn.f5 identify events generated by F5.
Valid tags and data tables
The full tag can have 4 or 5 levels. In some cases, there can be an optional level containing the process name and the process ID, which would occupy the fifth or the sixth level. The first two are fixed as adn.f5. The third level identifies the type of events sent, and the fourth, fifth, and sixth levels indicate the event subtypes.
Technology | Brand | Type | Subtype 1 | Subtype 2 * | Subtype 3 ** |
---|---|---|---|---|---|
adn | f5 | bigip |
|
|
|
* Required or optional if it is a process name and ID.
** Optional. It is a process name and ID.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
adn.f5.bigip.afm.nf.tmm[<PROC_ID>] | adn.f5.bigip.afm |
adn.f5.bigip.afm.nf | adn.f5.bigip.afm.nf |
| adn.f5.bigip.apm |
| adn.f5.bigip.ltm |
| adn.f5.bigip.dns |
| adn.f5.bigip.asm |
adn.f5.bigip.pktfilter.tmm1[<PROC_ID>] | adn.f5.bigip.pktfilter |
| adn.f5.bigip.audit |
How is the data sent to Devo?
F5 BigIp platform has two different mechanisms for sending data and/or management plane logs to remote syslog servers or a pool of them:
- Configuring embedded Syslog-ng server. This is a legacy way to send.
- Using the High-Speed Logging subsystem. This is way is recommended by F5.
Devo platform can be set as the destination syslog server for any of these remote logging mechanisms. F5 BigIp remote logging configuration tweaking required for tagging and TLS encryption.
Alternatively, which is the preferred option, a Devo Relay can be set up as the destination syslog server and it will properly tag and forward events to Devo platform. Devo expects events (logs) conforming to the following format:
<$PRI>$DATE $HOST adn.f5.bigip.<module>.$PROCESS[$PID]: $MSG.
In regard to formatting, the module’s possible values are: ltm, asm, afm, apm, dns, audit, pktfilter (audit and pktfilter are not modules but options of the LTM module). For afm
module, a 5th level must be included in the tag identifying the event type (nf, ps or dp). Here is an example:
<$PRI>$DATE $HOST adn.f5.bigip.afm.nf.$PROCESS[$PID]: $MSG
.$PROCESS[$PID]
is an optional level and can also be defined as just .$PROCESS
Logs generated by F5 must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
You must configure rules in the relay to correctly process and forward received events from BigIp’s different modules (LTM, ASM, AFM, APM, DNS -former GTM-), system authentication/monitoring option (audit), and traffic filtering option (pktfilter). Rules for modules or options that are not used can be omitted. Set Devo Relay rules in the same order as stated here.
Devo Relay rules | Relay screenshot |
---|---|
ASM module (traffic) events
This rule will process ASM module traffic events (sent via local0 facility by default). These events don’t include Devo Relay input event example:
Devo Relay output event example:
Order of <keyN=”valueN”> pairs is not relevant. | ASM module (traffic) Relay rule |
APM module (authentication) events
This rule will process APM module authentication events (sent via local0 facility by default). These events don’t include Relay input event example:
Relay output event example:
Order of <keyN=valueN> pairs is not relevant. | APM module (authentication) Relay rule |
AFM module (Protocol Security) events
This rule will process AFM module protocol security events (sent via local0 facility by default). These events don’t include Relay input event example:
Relay output event example:
Order of <keyN=”valueN”> pairs is not relevant. | AFM module (Protocol Security) Relay rule |
AFM module (Dos Protection) events
This rule will process AFM module DoS protection events (sent via local0 facility by default). These events don’t include Relay input event example:
Relay output event example:
Order of <keyN=”valueN”> pairs is not relevant. | AFM module (DoS Protection) Relay rule |
AFM module (Network Firewall) events
This rule will process AFM module network firewall events (sent via local0 facility by default). These events don’t include Relay input event example:
Relay output event example:
Order of <keyN=”valueN”> pairs is not relevant. | AFM module (Network Firewall) Relay rule |
AUDIT option events
This rule will process system monitoring (local0 facility) and system authentication (authpriv facility) events. Relay input event examples:
Relay output event examples:
| AUDIT option Relay rule |
LTM module (system & traffic) events
Relay input event examples:
Relay output event examples:
| LTM module Relay rule |
APM module (system) events
Relay input event example:
Relay output event example:
| APM module (system) Relay rule |
DNS module (system & query/response) events
Relay input event examples:
Relay output event examples:
| DNS module Relay rule |
ASM module (system) events
Relay input event example:
Relay output event example:
| ASM module (system) Relay rule |
LTM module events (ITCM portal and server (iControl) specific messages)
| LTM module (iControl) Relay rule |
PKTFILTER option events
Relay input event example:
Relay output event example:
| PKTFILTER option Relay rule |
Note
Besides the above-stated Traffic Management Operating System (TMOS) logs, BigIp platform can send events from the Host Management Subsystem (HMS - running a modified version of the CentOS Linux operating system) and the embedded Apache web server. Specific Relay rules should be created (based on source logging facility) for sending these events to box.unix and web.apache.[access|error] tables respectively.
Log samples
The following are sample logs sent to each of the adn.f5 data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.