Console
    Start free

    Collect F5 Silverline logs

    Supported in:

    This document explains how to ingest F5 Silverline logs to Google Security Operations using Bindplane agent.

    F5 Silverline is a cloud-based security service platform that provides DDoS protection, Web Application Firewall (WAF), and IP Intelligence services. The platform protects applications and infrastructure from distributed denial-of-service attacks, web application exploits, and malicious traffic through F5's global scrubbing centers and security operations center.

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the internet
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Access to the F5 Silverline portal with administrative privileges
    • Firewall rules allowing inbound TLS+TCP traffic on port 6514 to the Bindplane agent host

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

    The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

    The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see Bindplane agent installation guide .

    Configure Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 tcplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:6514" 
 exporters 
 : 
  
 chronicle/f5_silverline 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '<CREDS_FILE_PATH>' 
  
 customer_id 
 : 
  
 '<CUSTOMER_ID>' 
  
 endpoint 
 : 
  
< REGION_ENDPOINT 
>  
 log_type 
 : 
  
 F5_SILVERLINE 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
  
 env 
 : 
  
 production 
 service 
 : 
  
 pipelines 
 : 
  
 logs/silverline_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/f5_silverline

    Configuration parameters

    Replace the following placeholders:

    • <CREDS_FILE_PATH> : Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • <CUSTOMER_ID> : Your Google SecOps customer ID from the previous step
    • <REGION_ENDPOINT> : Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com

    Example configuration

    • Example configuration:

        receivers 
 : 
  
 tcplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:6514" 
 exporters 
 : 
  
 chronicle/f5_silverline 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 F5_SILVERLINE 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
  
 env 
 : 
  
 production 
  
 source 
 : 
  
 silverline 
 service 
 : 
  
 pipelines 
 : 
  
 logs/silverline_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/f5_silverline

    Save the configuration file

    After editing, save the file:

    • Linux: Press Ctrl+O , then Enter , then Ctrl+X
    • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    To restart the Bindplane agent in Linux, do the following:

    1. Run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

    2. Verify the service is running:

       sudo  
systemctl  
status  
observiq-otel-collector

    3. Check logs for errors:

       sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    To restart the Bindplane agent in Windows, do the following:

    1. Choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

    2. Verify the service is running:

       sc query observiq-otel-collector

    3. Check logs for errors:

        type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure F5 Silverline syslog forwarding

    1. Sign in to the F5 Silverline portalat https://portal.f5silverline.com .
    2. Go to Config > Log Export.
    3. In the IP addressfield, enter the IP address of the Bindplane agent host.
    4. In the Portfield, enter 6514 .
    5. From the Protocollist, select TCP.
    6. From the Formatlist, select Auto.
    7. Click Saveto apply the configuration.

    Log types forwarded

    F5 Silverline forwards the following log types through syslog:

    • DDoS Mitigation Logs: Information about DDoS attacks, mitigation actions, and filtered traffic
    • WAF Logs: Web Application Firewall violation events, attack types, and blocked requests
    • IP Intelligence Logs: Threat intelligence data about malicious IP addresses
    • Network Traffic Logs: Network-level traffic analysis and anomaly detection
    • Proxy Logs: HTTP/HTTPS proxy events and connection details

    Verify log export

    1. In the F5 Silverline portal, go to Config > Log Export.
    2. Verify the connection status shows as Activeor Connected.

    3. Check the Bindplane agent logs to confirm syslog messages are being received:

      • Linux:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

      • Windows:

          type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    4. In the Google SecOps console, go to SIEM > Searchand search for metadata.log_type = "F5_SILVERLINE" to verify logs are being ingested.

    UDM mapping table

    Log field UDM mapping Logic
    content_length, geo_location, policy_apply_date, policy_name, flow_id, errdefs_msgno, ip_intelligence_threat_name, log_type, loglevel, msg_type, proxy_id, request_side, tmm_unit, disable_asm, disable_bot, policy_name, http_class_name, reason, protocol, mitigation, countermeasure, blacklisted, msg_type, proxy_id, request_side, route_domain, sa_translation_type, sa_translation_pool, translated_vlan, translated_source_port, translated_source_ip, translated_route_domain, translated_ip_protocol, translated_dest_port
    		 additional.fields Merged as labels into additional.fields if not empty
    app_protocol_output
    		 event.idm.read_only_udm.network.application_protocol Value copied directly if not empty
    method
    		 event.idm.read_only_udm.network.http.method Value copied directly
    response_code
    		 event.idm.read_only_udm.network.http.response_code Value copied directly
    source_ip, vs_ip
    		 event.idm.read_only_udm.src.asset.ip Value from vs_ip if not empty, else source_ip
    vs_port, src_port
    		 event.idm.read_only_udm.src.port Value from vs_port if not empty, else src_port
    x_forwarded_for_header_value, header_ip
    		 intermediary.asset.ip Value from header_ip if not empty, else x_forwarded_for_header_value
    x_forwarded_for_header_value, header_ip
    		 intermediary.ip Value from header_ip if not empty, else x_forwarded_for_header_value
    errdefs_msg_name
    		 metadata.description Value copied directly if not empty
    ts
    		 metadata.event_timestamp Parsed from ts using date match with format MMM dd HH:mm:ss or MMM d HH:mm:ss
    event_type
    		 metadata.event_type Value copied directly
    support_id
    		 metadata.product_log_id Value copied directly if not empty
    protocol
    		 network.application_protocol Set to protocol if equals HTTPS
    method, uri_data
    		 network.http.method Value from uri_data if not empty, else method
    response_code
    		 network.http.response_code Value copied directly, then converted to integer
    user_agent
    		 network.http.user_agent Value copied directly
    ip_protocol
    		 network.ip_protocol Set to "TCP" if matches tcp
    virtualserver
    		 network.tls.client.server_name Value copied directly if not empty
    web_application_name
    		 principal.application Value copied directly
    hostname
    		 principal.asset.hostname Value copied directly
    ip_client, source_ip, client_ip, addr, source_ip, vs_ip
    		 principal.asset.ip Value from ip_client if type=waf; source_ip if type=ipi; client_ip if type=irule; vs_ip if not empty in kvdata, else source_ip if not empty, else client_ip if not empty, else addr if not empty, else ip_client
    host, hostname
    		 principal.hostname Value from hostname if not empty, else host
    ip_client, source_ip, client_ip, addr, source_ip, vs_ip
    		 principal.ip Value from ip_client if type=waf; source_ip if type=ipi; client_ip if type=irule; vs_ip if not empty in kvdata, else source_ip if not empty, else client_ip if not empty, else addr if not empty, else ip_client
    geo_location, client_ip_geo_location
    		 principal.location.name Value from client_ip_geo_location if not empty, else geo_location
    snat_ip
    		 principal.nat_ip Value copied directly
    snat_port
    		 principal.nat_port Value copied directly, then converted to integer
    client_port, source_port, client_port
    		 principal.port Value from client_port if type=irule; source_port if not empty in kvdata, else client_port
    host, data.uri, client_request_uri
    		 principal.url Value from data.uri if type=irule; client_request_uri if not empty in kvdata, else host
    service_id
    		 principal.user.product_object_id Value copied directly
    sec_action
    		 security_result.action Set to BLOCK if request_status in [Blocking, blocked, drop, challenged] or action in [Blocking, blocked, drop]; ALLOW if request_status in [allow, Allow] or action in [allow, Allow, accept]; else UNKNOWN_ACTION
    action, request_status, data.action
    		 security_result.action_details Value from data.action if type=irule; request_status if kvdata; action if type=ipi
    attack_type
    		 security_result.category_details Value copied directly if not empty
    sub_violations, context_name, sub_violations
    		 security_result.description Value from sub_violations if type=waf or kvdata; context_name if type=ipi
    request_status
    		 security_result.detection_fields Added as label to security_result.detection_fields
    ip_intelligence_policy_name, irule, irule, ip_intelligence_policy_name
    		 security_result.rule_name Value from irule if type=irule or kvdata; ip_intelligence_policy_name if type=ipi or kvdata
    irule-version
    		 security_result.rule_version Value copied directly
    severity
    		 security_result.severity Set to CRITICAL if Critical; ERROR if Error; INFORMATIONAL if Informational; HIGH if 5
    violations, data.action
    		 security_result.summary Value from violations if type=waf; data.action if type=irule
    ip_intelligence_threat_name
    		 security_result.threat_name Value copied directly
    source_ip
    		 src.asset.ip Value copied directly
    src_port, source_port
    		 src.port Value copied directly, then converted to integer
    dest_ip, bigip_mgmt_ip, dest_ip, server_ip, bigip_mgmt_ip, dest_ip, t_ip
    		 target.asset.ip Value from dest_ip if type=waf; dest_ip if type=ipi; server_ip if type=irule; bigip_mgmt_ip if not empty in kvdata, else dest_ip if not empty, else t_ip
    dest_ip, bigip_mgmt_ip, dest_ip, server_ip, bigip_mgmt_ip, dest_ip, t_ip
    		 target.ip Value from dest_ip if type=waf; dest_ip if type=ipi; server_ip if type=irule; bigip_mgmt_ip if not empty in kvdata, else dest_ip if not empty, else t_ip
    dest_port, dest_port, server_port, dest_port, dst_port
    		 target.port Value copied directly, then converted to integer
    uri
    		 target.url Value copied directly
    		metadata.vendor_name Set to "SILVERLINE"
    		metadata.product_name Set to "SILVERLINE"

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: