
cef0.f5.asm

Introduction

The table cef0.f5.asm identifies events in CEF format generated by F5 ASM.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef0.f5.asm

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.f5.asm. Under each sample log you will find how the information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.f5.asm

<134>Mar 18 14:23:57 localhost ASM:CEF:0|F5|ASM|14.2.1|Successful Request|Successful Request|2|dvchost=02.tenant.local dvc=193.18.1.26 cs1=/Common/ASM_Internal_Portal cs1Label=policy_name cs2=/Common/ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=50.60.4.10 spt=5430 dst=1.5.1.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506)

And this is how the log would be parsed:

Field | Value | Type | Extra fields
eventdate | Mar 18 14:23:57 | eventdate |
hostchain | localhost=127.0.0.1 | str |
hostname | localhost | str |
priorityCode | 22 | str |
ceftag | CEF | str |
cefVersion | 0 | str |
embDeviceVendor | F5 | str |
embDeviceProduct | ASM | str |
deviceVersion | 14.1.2 | str |
signatureID | Successful Request | str |
name | Successful Request | str |
severity | 2 | str |
extension | dvchost=02.tenant.local dvc=193.18.1.26 cs1=/Common/ASM_Internal_Portal cs1Label=policy_name cs2=/Common/ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=50.60.4.10 spt=5430 dst=1.5.1.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506) | str |
dvchost | Customer.tenant.local | str |
dvc | x.x.x.x | ip4 |
cs1 | /path/path | str |
cs1Label | policy_name | str |
cs2 | /path/path | str |
cs2Label | http_class_name | str |
deviceCustomDate1 | 2021-03-04 10:53:50.000 | timestamp |
deviceCustomDate1Label | policy_apply_date | str |
externalId | 16107276658888901278 | str |
act | passed | str |
cn1 | 200L | str |
cn1Label | response_code | str |
src | x.x.x.x | ip4 |
spt | 53430 | str |
dst | x.x.x.x | ip4 |
dpt | 443 | str |
requestMethod | GET | str |
app | HTTPS | str |
cs5 | N/A | str |
cs5Label | x_forwarded_for_header_value | str |
rt | 2021-03-04 10:53:50.000 | timestamp |
deviceExternalId | 0 | str |
cs4 | N/A | str |
cs4Label | attack_type | str |
cs6 | SA | str |
cs6Label | geo_location | str |
c6a1 |  | str |
c6a1Label | device_address | str |
c6a2 |  | str |
c6a2Label | source_address | str |
c6a3 |  | str |
c6a3Label | destination_address | str |
c6a4 |  | str |
c6a4Label | ip_address_intelligence | str |
msg | N/A | str |
suid | cfeed99b01237 | str |
suser | N/A | str |
cn2 | 0L | str |
cn2Label | violation_rating | str |
cn3 | 0L | str |
cn3Label | device_id | str |
microservice | N/A | str |
request | /path/file.js | str |
cs3Label | full_request | str |
cs3 | GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\r\nHost: io.bog.gov.sa\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36\r\nAccept: */*\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: script\r\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\r\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506) | str |
tag | CEF | str | ✓
rawMessage | CEF: 0|F5|ASM|14.1.2|Successful Request|Successful Request|2|dvchost=BOG-DMZ-02.tenant.local dvc=192.168.1.246 cs1=/Common/BOG_ASM_Internal_Portal cs1Label=policy_name cs2=/Common/BOG_ASM_Internal_Portal cs2Label=http_class_name deviceCustomDate1=Mar 04 2021 10:53:50 deviceCustomDate1Label=policy_apply_date externalId=16107276658888901278 act=passed cn1=200 cn1Label=response_code src=x.x.x.x spt=53430 dst=10.5.13.118 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 18 2021 14:23:56 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=SA cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=cfeed99b39e01237 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/correspondence.ui.admin/scripts/jquery.hoverintent.minified.js cs3Label=full_request cs3=GET /Correspondence.UI.Admin/Scripts/jquery.hoverIntent.minified.js HTTP/1.1\\r\\nHost: io.bog.gov.sa\\r\\nConnection: keep-alive\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36\\r\\nAccept: */*\\r\\nSec-Fetch-Site: same-origin\\r\\nSec-Fetch-Mode: no-cors\\r\\nSec-Fetch-Dest: script\\r\\nReferer: https://io.bog.gov.sa/Correspondence.UI.Admin/\\r\\nAccept-Encoding: gzip, 2021-03-18 14:23:57.431904 IP (tos 0x0, ttl 61, id 34709, offset 0, flags [DF], proto TCP (6), length 506) | str | ✓
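As an added example (not part of this Devo page, nor Devo's or F5's own code), the following Python parses a syslog-wrapped CEF line the way the table above describes: it decodes the syslog PRI, splits the seven pipe-separated CEF header fields (honouring the \| escape), parses the extension into key=value pairs whose values may contain spaces, resolves the csNLabel/cnNLabel pairs to their friendly names (policy_name, response_code, attack_type, ...), and derives the cef0.deviceVendor.deviceProduct table name from the header. The sample line is constructed by trimming the page's log sample; the function names and the triage rule in needs_review (flag anything ASM did not simply pass, or with a non-zero violation_rating or a named attack_type) are this example's own assumptions.

```python
import re

# Constructed sample, trimmed from the page's log sample (syslog PRI and CEF
# header kept, extension shortened). Values are illustrative, not a real event.
SAMPLE = (
    "<134>Mar 18 14:23:57 localhost ASM:CEF:0|F5|ASM|14.2.1|Successful Request|"
    "Successful Request|2|dvchost=02.tenant.local dvc=193.18.1.26 "
    "cs1=/Common/ASM_Internal_Portal cs1Label=policy_name act=passed "
    "cn1=200 cn1Label=response_code src=50.60.4.10 spt=5430 dst=1.5.1.118 dpt=443 "
    "requestMethod=GET cs4=N/A cs4Label=attack_type cn2=0 cn2Label=violation_rating "
    "cs3Label=full_request cs3=GET /Scripts/jquery.hoverIntent.minified.js HTTP/1.1\\r\\n"
    "Host: io.bog.gov.sa\\r\\nConnection: keep-alive"
)

HEADER_NAMES = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                "signatureID", "name", "severity")

# Syslog prefix: <PRI>, BSD timestamp (no year), hostname, then the app tag before "CEF:".
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<rest>.*)$", re.S)
# One extension pair: key=value; the value runs until the next " key=" or end of string,
# so values with spaces (User-Agent, full_request) stay intact. An escaped "\=" never
# ends a value because the backslash is not a word character.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.S)
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")  # pipe not preceded by a backslash


def unescape(value):
    """Undo CEF escaping: \\r and \\n become CR/LF; \\| \\= \\\\ become the literal char."""
    return re.sub(r"\\(.)", lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return the syslog envelope, the CEF header, raw extension pairs and label-resolved names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    idx = rest.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header")
    parts = HEADER_SPLIT_RE.split(rest[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    header = dict(zip(HEADER_NAMES, (unescape(h) for h in parts[:7])))
    fields = {k: unescape(v) for k, v in PAIR_RE.findall(parts[7])}
    # csNLabel / cnNLabel / deviceCustomDateNLabel give the meaning of csN / cnN / ...
    named = {}
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            named[label] = fields[key[:-5]]
    return {
        "facility": pri >> 3, "syslogSeverity": pri & 7,
        "eventdate": m.group("ts"), "hostname": m.group("host"),
        **header, "fields": fields, "named": named,
    }


def table_name(event):
    """Tag rule from the page: cef0.deviceVendor.deviceProduct, lower-cased as in cef0.f5.asm."""
    return f"cef0.{event['deviceVendor'].lower()}.{event['deviceProduct'].lower()}"


def needs_review(event):
    """Assumed triage rule: not passed, a non-zero violation rating, or a named attack type."""
    named = event["named"]
    rating = int(named.get("violation_rating") or 0)
    return (event["fields"].get("act") != "passed"
            or rating > 0
            or named.get("attack_type", "N/A") != "N/A")


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(table_name(ev), ev["named"]["policy_name"], "review:", needs_review(ev))
```

Because label resolution happens after all pairs are read, the order of csN and csNLabel in the extension does not matter, and a label with no matching value key is simply ignored rather than crashing the parser.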