Introduction
The table cef0.f5.asm identifies events in CEF format generated by F5 ASM.
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following are sample logs sent to cef0.f5.asm. Find how the information will be parsed in your data table under each sample log.
cef0.f5.asm
<134>Mar 18 14:23:57 localhost ASM:CEF:0|F5|ASM|14.2.1|Successful Request|Successful Request|2|dvchost=02.tenant.local dvc=193.18.1.26 cs1=/Common/ASM_Internal_Portal cs1Label=policy_name cs2=/Common/ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=50.60.4.10 spt=5430 dst=1.5.1.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip,
2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506)
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|
eventdate | Mar 18 14:23:57
| eventdate
|
|
hostchain | localhost=127.0.0.1
| str
|
|
hostname | localhost
| str
|
|
priorityCode | 22
| str
|
|
ceftag | CEF
| str
|
|
cefVersion | 0
| str
|
|
embDeviceVendor | F5
| str
|
|
embDeviceProduct | ASM
| str
|
|
deviceVersion | 14.1.2
| str
|
|
signatureID | Successful Request
| str
|
|
name | Successful Request
| srt
|
|
severity | 2
| str
|
|
extension | dvchost=02.tenant.local dvc=193.18.1.26 cs1=/Common/ASM_Internal_Portal cs1Label=policy_name cs2=/Common/ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=50.60.4.10 spt=5430 dst=1.5.1.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506)
| str
|
|
dvchost | Customer.tenant.local
| str
|
|
dvc | x.x.x.x
| ip4
|
|
cs1 | /path/path
| str
|
|
cs1Label | policy_name
| str
|
|
cs2 | /path/path
| str
|
|
cs2Label | http_class_name
| str
|
|
deviceCustomDate1 | 2021-03-04 10:53:50.000
| timestamp
|
|
deviceCustomDate1Label | policy_apply_date
| str
|
|
externalId | 16107276658888901278
| str
|
|
act | passed
| str
|
|
cn1 | 200L
| str
|
|
cn1Label | response_code
| str
|
|
src | x.x.x.x
| ip4
|
|
spt | 53430
| str
|
|
dst | x.x.x.x
| ip4
|
|
dpt | 443
| str
|
|
requestMethod | GET
| str
|
|
app | HTTPS
| str
|
|
cs5 | N/A
| str
|
|
cs5Label | x_forwarded_for_header_value
| str
|
|
rt | 2021-03-04 10:53:50.000
| timestamp
|
|
deviceExternalId | 0
| str
|
|
cs4 | N/A
| str
|
|
cs4Label | attack_type
| str
|
|
cs6 | SA
| str
|
|
cs6Label | geo_location
| str
|
|
c6a1 |
| str
|
|
c6a1Label | device_address
| str
|
|
c6a2 |
| str
|
|
c6a2Label | source_address
| str
|
|
c6a3 |
| str
|
|
c6a3Label | destination_address
| str
|
|
c6a4 |
| str
|
|
c6a4Label | ip_address_intelligence
| str
|
|
msg | N/A
| str
|
|
suid | cfeed99b01237
| str
|
|
suser | N/A
| str
|
|
cn2 | OL
| str
|
|
cn2Label | violation_rating
| str
|
|
cn3 | OL
| str
|
|
cn3Label | device_id
| str
|
|
microservice | N/A
| str
|
|
request | /path/file.js
| str
|
|
cs3Label | full_request
| str
|
|
cs3 | GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506)
| str
|
|
tag | CEF
| str
| ✓ |
rawMessage | CEF: 0|F5|ASM|14.1.2|Successful Request|Successful Request|2|dvchost=BOG-DMZ-02.tenant.local dvc=192.168.1.246 cs1=/Common/BOG_ASM_Internal_Portal cs1Label=policy_name cs2=/Common/BOG_ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=x.x.x.x spt=53430 dst=10.5.13.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\\r\\nHost: io.bog.gov.sa\\r\\nConnection: keep-alive\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36\\r\\nAccept: */*\\r\\nSec-Fetch-Site: same-origin\\r\\nSec-Fetch-Mode: no-cors\\r\\nSec-Fetch-Dest: script\\r\\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\\r\\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506)
| str
| ✓ |