
waf.f5

Introduction

The tags beginning with waf.f5 identify events generated by F5 Distributed Cloud WAF belonging to F5.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as waf.f5 and the third identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| F5 Distributed Cloud WAF | waf.f5.distributed_cloud.events | waf.f5.distributed_cloud.events |
| | waf.f5.events | waf.f5.events |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

waf.f5.distributed_cloud.events

| Field | Type | Extra fields |
| --- | --- | --- |
| eventdate | timestamp | |
| hostname | str | |
| at_timestamp | timestamp | |
| visitor_id | str | |
| action | str | |
| api_endpoint | str | |
| application | str | |
| app_type | str | |
| as_number | str | |
| as_org | str | |
| asn | str | |
| authority | str | |
| bot_info__classification | str | |
| bot_info__name | str | |
| bot_info__type | str | |
| browser_type | str | |
| city | str | |
| cluster_name | str | |
| content_type | str | |
| country | str | |
| device_type | str | |
| domain | str | |
| destination | str | |
| destination_ipv4 | ip4 | |
| destination_ipv6 | ip6 | |
| destination_instance | str | |
| destination_port | str | |
| destination_site | str | |
| hostname2 | str | |
| http_version | str | |
| kubernetes__container_name | str | |
| kubernetes__host | str | |
| kubernetes__labels__app | str | |
| kubernetes__namespace_name | str | |
| kubernetes__pod_id | str | |
| kubernetes__pod_name | str | |
| latitude | str | |
| longitude | str | |
| messageid | str | |
| method | str | |
| namespace | str | |
| network_ipv4 | ip4 | |
| network_ipv6 | ip6 | |
| no_active_detections | bool | |
| original_path | str | |
| file_path | str | |
| recommended_action | str | |
| region | str | |
| req_headers | str | |
| req_headers_size | int4 | |
| req_id | str | |
| req_params | str | |
| req_path | str | |
| req_size | str | |
| rsp_code | str | |
| rsp_code_class | str | |
| rsp_size | str | |
| sec_event_name | str | |
| sec_event_type | str | |
| severity | str | |
| site | str | |
| sni | str | |
| source | str | |
| source_ipv4 | ip4 | |
| source_ipv6 | ip6 | |
| source_instance | str | |
| source_port | str | |
| source_site | str | |
| stream | str | |
| tag2 | str | |
| tenant | str | |
| time | timestamp | |
| tls_fingerprint | str | |
| user | str | |
| user_agent | str | |
| vh_name | str | |
| vhost_id | str | |
| violation_rating | str | |
| waf_mode | str | |
| x_forwarded_for_ipv4 | ip4 | |
| x_forwarded_for_ipv6 | ip6 | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

waf.f5.events

| Field | Type | Extra fields |
| --- | --- | --- |
| eventdate | timestamp | |
| hostname | str | |
| messageCode | str | |
| productCode | str | |
| subsetCode | str | |
| messageNumber | str | |
| severity | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |