Collect F5 Silverline logs

This document explains how to ingest F5 Silverline logs to Google Security Operations using Bindplane.

F5 Silverline is a cloud-based security service platform that provides DDoS protection, Web Application Firewall (WAF), and IP Intelligence services. The platform protects applications and infrastructure from distributed denial-of-service attacks, web application exploits, and malicious traffic through F5's global scrubbing centers and security operations center.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Windows Server 2016 or later, or Linux host with systemd
• Network connectivity between the Bindplane agent and the internet
• If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
• Access to the F5 Silverline portal with administrative privileges
• Firewall rules allowing inbound TLS+TCP traffic on port 6514 to the Bindplane agent host

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

1. Open Command Promptor PowerShellas an administrator.

2. Run the following command:

     msiexec 
     
    / 
    i 
     
    "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
     
    / 
    quiet 
    
   

3. Wait for the installation to complete.

4. Verify the installation by running:

    sc query observiq-otel-collector 
   

The service should show as RUNNING.

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

    sudo  
   sh  
   -c  
    " 
    $( 
   curl  
   -fsSlL  
   https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
    " 
     
   install_unix.sh 
   

3. Wait for the installation to complete.

4. Verify the installation by running:

    sudo  
   systemctl  
   status  
   observiq-otel-collector 
   

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide .

Configure the Bindplane agent to ingest syslog and send to Google SecOps

• Locate the configuration file

  • Linux:

     sudo  
    systemctl  
    status  
    observiq-otel-collector 
    

  • Windows:

     notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml" 
    

Edit the configuration file

• Replace the entire contents of config.yaml with the following configuration:

    receivers 
   : 
    
   tcplog 
   : 
    
   listen_address 
   : 
    
   "0.0.0.0:6514" 
   exporters 
   : 
    
   chronicle/f5_silverline 
   : 
    
   compression 
   : 
    
   gzip 
    
   creds_file_path 
   : 
    
   '<CREDS_FILE_PATH>' 
    
   customer_id 
   : 
    
   '<CUSTOMER_ID>' 
    
   endpoint 
   : 
    
  < REGION_ENDPOINT 
  >  
   log_type 
   : 
    
   F5_SILVERLINE 
    
   raw_log_field 
   : 
    
   body 
    
   ingestion_labels 
   : 
    
   env 
   : 
    
   production 
   service 
   : 
    
   pipelines 
   : 
    
   logs/silverline_to_chronicle 
   : 
    
   receivers 
   : 
    
   - 
    
   tcplog 
    
   exporters 
   : 
    
   - 
    
   chronicle/f5_silverline 
   
  

Configuration parameters

Replace the following placeholders:

• <CREDS_FILE_PATH> : Full path to ingestion authentication file:
  • Linux: /etc/bindplane-agent/ingestion-auth.json
  • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
• <CUSTOMER_ID> : Your Google SecOps customer ID from the previous step
• <REGION_ENDPOINT> : Regional endpoint URL:
  • US: malachiteingestion-pa.googleapis.com
  • Europe: europe-malachiteingestion-pa.googleapis.com
  • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com

• Example configuration

    receivers 
   : 
    
   tcplog 
   : 
    
   listen_address 
   : 
    
   "0.0.0.0:6514" 
   exporters 
   : 
    
   chronicle/f5_silverline 
   : 
    
   compression 
   : 
    
   gzip 
    
   creds_file_path 
   : 
    
   '/etc/bindplane-agent/ingestion-auth.json' 
    
   customer_id 
   : 
    
   'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6' 
    
   endpoint 
   : 
    
   malachiteingestion-pa.googleapis.com 
    
   log_type 
   : 
    
   F5_SILVERLINE 
    
   raw_log_field 
   : 
    
   body 
    
   ingestion_labels 
   : 
    
   env 
   : 
    
   production 
    
   source 
   : 
    
   silverline 
   service 
   : 
    
   pipelines 
   : 
    
   logs/silverline_to_chronicle 
   : 
    
   receivers 
   : 
    
   - 
    
   tcplog 
    
   exporters 
   : 
    
   - 
    
   chronicle/f5_silverline 
   
  

Save the configuration file

• After editing, save the file:
  • Linux: Press Ctrl+O , then Enter , then Ctrl+X
  • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

1. Run the following command:

    sudo  
   systemctl  
   restart  
   observiq-otel-collector 
   

2. Verify the service is running:

    sudo  
   systemctl  
   status  
   observiq-otel-collector 
   

3. Check logs for errors:

    sudo  
   journalctl  
   -u  
   observiq-otel-collector  
   -f 
   

To restart the Bindplane agent in Windows:

1. Choose one of the following options:

   • Command Prompt or PowerShell as administrator:

    net stop observiq-otel-collector && net start observiq-otel-collector 
   

   • Services console:
     1. Press Win+R , type services.msc , and press Enter.
     2. Locate observIQ OpenTelemetry Collector.
     3. Right-click and select Restart.

2. Verify the service is running:

    sc query observiq-otel-collector 
   

3. Check logs for errors:

     type 
     
    "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
    
   

Configure F5 Silverline syslog forwarding

1. Sign in to the F5 Silverline portalat https://portal.f5silverline.com .
2. Go to Config > Log Export.
3. In the IP addressfield, enter the IP address of the Bindplane agent host.
4. In the Portfield, enter 6514 .
5. In the Protocoldropdown, select TCP.
6. In the Formatdropdown, select Auto.
7. Click Saveto apply the configuration.

Log types forwarded

F5 Silverline forwards the following log types through syslog:

• DDoS Mitigation Logs: Information about DDoS attacks, mitigation actions, and filtered traffic
• WAF Logs: Web Application Firewall violation events, attack types, and blocked requests
• IP Intelligence Logs: Threat intelligence data about malicious IP addresses
• Network Traffic Logs: Network-level traffic analysis and anomaly detection
• Proxy Logs: HTTP/HTTPS proxy events and connection details

Verify log export

1. In the F5 Silverline portal, go to Config > Log Export.
2. Verify the connection status shows as Activeor Connected.

3. Check the Bindplane agent logs to confirm syslog messages are being received:

   Linux:

    sudo  
   journalctl  
   -u  
   observiq-otel-collector  
   -f 
   

   Windows:

     type 
     
    "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
    
   

4. In the Google SecOps console, go to SIEM > Searchand search for metadata.log_type = "F5_SILVERLINE" to verify logs are being ingested.

UDM mapping table

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.