Collect F5 BIG-IP LTM logs
This document describes how you can collect F5 BIG-IP Local Traffic Manager (LTM) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the F5_BIGIP_LTM ingestion label.
Configure F5 BIG-IP LTM
- Sign in to SSH using root credentials.
- Sign in to the Traffic Management Shell (tmsh) with the following command:
  tmsh
- Send filtered log messages to remote syslog servers with the following command:
  modify /sys syslog remote-servers none
- Remove the remote-servers statement and then add a syslog include statement that defines a filter rule and the remote server.
- To define the required syslog filter that references the remote server, use the following command:
  edit /sys syslog all-properties
- Replace the include none command with the following filter and add the IP address and port number:
  include " filter f_remote_loghost { level(debug..emerg); }; filter f_ssl_acc { not match(\"ssl_acc\"); }; filter f_ssl_req { not match(\"ssl_req\"); }; destination d_remote_loghost { udp(\"IP_ADDRESS\" port(PORT)); }; log { source(s_syslog_pipe); filter(f_remote_loghost); filter(f_ssl_acc); filter(f_ssl_req); destination(d_remote_loghost); }; "
  Replace IP_ADDRESS with the Google Security Operations forwarder IP address and PORT with the high port number.
- To exit the text editor, press Esc and then enter wq!.
- Save the configuration with the following command:
  save /sys config
Configure Google Security Operations forwarder and syslog to ingest F5 BIG-IP LTM logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select F5 BIGIP LTM as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
  - Protocol: specify the protocol.
  - Address: specify the Google Security Operations forwarder IP address.
  - Port: specify the port.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser normalizes F5 BIG-IP Local Traffic Manager (LTM) logs, handling both key-value and syslog formats. It extracts fields like IP addresses, usernames, actions, and descriptions, mapping them to the UDM, and categorizes events based on log content and extracted fields, including network connections, user logins/logouts, and generic events.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
Access_Profile | event.idm.read_only_udm.additional.fields[].key:"Access_Profile", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the Access_Profile key in the parsed key-value pairs. |
Client_IP | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped from the Client_IP key in the parsed key-value pairs. Also used to populate principal asset IP. Sets has_principal to true. |
Country | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the Country key in the parsed key-value pairs. |
Listener | event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the Listener key in the parsed key-value pairs. |
Session_ID | event.idm.read_only_udm.network.session_id | Directly mapped from the Session_ID key in the parsed key-value pairs. |
State | event.idm.read_only_udm.principal.location.state | Directly mapped from the State key in the parsed key-value pairs. |
Virtual_IP | event.idm.read_only_udm.target.ip[], event.idm.read_only_udm.target.asset.ip[] | Directly mapped from the Virtual_IP key in the parsed key-value pairs. Also used to populate target asset IP. Sets has_target to true. |
about | event.idm.read_only_udm.about | Populated from various fields like snat, vs_name, path, query, node, pool_member, vs, client, blade, and device if they are present in the raw log and successfully parsed. |
action_data | event.idm.read_only_udm.target.process.command_line | Directly mapped for scriptd process logs. |
attack_type | event.idm.read_only_udm.security_result.category_details[] | Directly mapped. |
blade | event.idm.read_only_udm.about.resource.attribute.labels[].key:"blade", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the blade key in the parsed key-value pairs. |
bytes_in | event.idm.read_only_udm.network.received_bytes | Directly mapped, converted to unsigned integer. |
bytes_out | event.idm.read_only_udm.network.sent_bytes | Directly mapped, converted to unsigned integer. |
captcha_result | event.idm.read_only_udm.additional.fields[].key:"captcha_result", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
client | event.idm.read_only_udm.about.resource.attribute.labels[].key:"client", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the client key in the parsed key-value pairs. |
client_ip | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
client_port | event.idm.read_only_udm.principal.port | Directly mapped, converted to integer. |
collection_time | event.timestamp | The Log Entry's timestamp is used as the event timestamp. |
command_line | event.idm.read_only_udm.target.process.command_line | Directly mapped for CROND process logs and some logger logs. |
data | message | The raw log message. This is parsed and used to populate various UDM fields. |
dgl_count | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_Value", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
dgl_value | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_List", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
description | event.idm.read_only_udm.metadata.description, event.idm.read_only_udm.security_result.description | Directly mapped for some log types, or used as part of the security result description. |
device | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.about.resource.attribute.labels[].key:"device", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
dest_ip | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Directly mapped. Also used to populate target asset IP. Sets has_principal to true. |
dest_port | event.idm.read_only_udm.target.port | Directly mapped. |
dvc | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.intermediary.hostname | Parsed to extract hostname or IP. Used to populate principal hostname or intermediary hostname. |
errdefs_msgno | event.idm.read_only_udm.additional.fields[].key:"errdefs_msgno", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the errdefs_msgno key in the parsed key-value pairs. |
error_reason | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"error_reason", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
false_positive | event.idm.read_only_udm.additional.fields[].key:"false_positive", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
function_id | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"function_id", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
geoContinent | event.idm.read_only_udm.principal.location.continent | Not mapped in the provided example, but would map to continent if available. |
geoCountry | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped. |
geoState | event.idm.read_only_udm.principal.location.state | Directly mapped. |
header.Referer | event.idm.read_only_udm.network.http.referral_url | Directly mapped. |
header.User-Agent | event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent | Directly mapped. Also converted to parsed user agent. |
header.X-Forwarded-For | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Parsed to extract IPs and merge them into principal IP and principal asset IP. |
host | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
http_host | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
http_method | event.idm.read_only_udm.network.http.method | Directly mapped. Sets event_type to NETWORK_HTTP if present. |
ip_client | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
kv_msg | Various fields | Parsed as key-value pairs and used to populate various UDM fields. |
Level | event.idm.read_only_udm.security_result.severity | Mapped to severity if the severity field is not present. Converted to UDM severity values (e.g., "Info" -> "INFORMATIONAL"). |
Listener | event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
log_message | event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.security_result.description | Further parsed to extract request_uri or description. |
log_type | event.idm.read_only_udm.metadata.log_type | Directly mapped from the raw log's log_type field. |
loglevel | event.idm.read_only_udm.security_result.severity | Mapped to severity. Converted to UDM severity values (e.g., "warning" -> "MEDIUM", "err" -> "HIGH"). Also used for alert/significant event logic. |
manage_ip_addr | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
method | event.idm.read_only_udm.network.http.method | Directly mapped. Sets event_type to NETWORK_HTTP. |
method_req | event.idm.read_only_udm.network.http.method | Directly mapped. |
msg1 | event.idm.read_only_udm.security_result.description | Used as the security result description if not parsed further. |
node | event.idm.read_only_udm.about.resource.attribute.labels[].key:"node", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the node key in the parsed key-value pairs. |
partition_name | event.idm.read_only_udm.additional.fields[].key:"partition_name", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
path | event.idm.read_only_udm.target.url, event.idm.read_only_udm.about.resource.attribute.labels[].key:"path", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped. |
policy_name | event.idm.read_only_udm.security_result.detection_fields[].key:"policy_name", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
pool_member | event.idm.read_only_udm.about.resource.attribute.labels[].key:"pool_member", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the pool_member key in the parsed key-value pairs. |
principalHost | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
principalIp | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[], event.idm.read_only_udm.observer.ip | Directly mapped. Also used to populate principal asset IP and observer IP. Sets has_principal to true. |
principalPort | event.idm.read_only_udm.principal.port | Directly mapped, converted to integer. |
process | event.idm.read_only_udm.target.application | Directly mapped. |
product_event_type | event.idm.read_only_udm.metadata.product_event_type | Directly mapped. |
proto | event.idm.read_only_udm.network.ip_protocol | Mapped to IP protocol after converting protocol number to protocol name using a lookup. |
query | event.idm.read_only_udm.about.resource.attribute.labels[].key:"query", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the query key in the parsed key-value pairs. |
query_string | event.idm.read_only_udm.additional.fields[].key:"query_string", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
reason | event.idm.read_only_udm.security_result.description | Directly mapped for apmd process logs with warning or error loglevel. |
reason_code | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"reason_code", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
req_status | event.idm.read_only_udm.security_result.detection_fields[].key:"req_status", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
request | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"request_type", event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.network.application_protocol | Used to determine the application protocol (HTTP) and mapped as a label. |
request_status | event.idm.read_only_udm.additional.fields[].key:"request_status", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
request_uri | event.idm.read_only_udm.target.url | Directly mapped. |
resp_code | event.idm.read_only_udm.network.http.response_code | Directly mapped, converted to integer. |
response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped, converted to integer. |
rule_name | event.idm.read_only_udm.security_result.rule_name | Directly mapped. |
sec_action | event.idm.read_only_udm.security_result.action[] | Mapped to action. "Continue" is converted to "ALLOW". Other values are converted to "BLOCK". |
security_result | event.idm.read_only_udm.security_result | Merged into the security_result object. |
session_id | event.idm.read_only_udm.network.session_id | Directly mapped. |
severity | event.idm.read_only_udm.security_result.severity | Mapped to severity. Converted to UDM severity values (e.g., "Error" -> "ERROR", "Informational" -> "INFORMATIONAL"). |
sig_ids | event.idm.read_only_udm.additional.fields[].key:"sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
sig_names | event.idm.read_only_udm.additional.fields[].key:"sig_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
sni_host | event.idm.read_only_udm.network.tls.client.server_name | Directly mapped. |
snat | event.idm.read_only_udm.about.resource.attribute.labels[].key:"snat", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the snat key in the parsed key-value pairs. |
snat_ip | event.idm.read_only_udm.principal.nat_ip[] | Directly mapped. |
snat_port | event.idm.read_only_udm.principal.nat_port | Directly mapped, converted to integer. |
src_ip | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. |
src_port | event.idm.read_only_udm.principal.port | Directly mapped. |
ssl_cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
ssl_function | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"ssl_function", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
ssl_version | event.idm.read_only_udm.network.tls.version_protocol | Directly mapped. |
staged_sig_ids | event.idm.read_only_udm.additional.fields[].key:"staged_sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
staged_sig_names | event.idm.read_only_udm.additional.fields[].key:"staged_sig_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
staged_sig_set_names | event.idm.read_only_udm.additional.fields[].key:"staged_sig_set_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
staged_threat_campaign_names | event.idm.read_only_udm.additional.fields[].key:"staged_threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
status | event.idm.read_only_udm.security_result.summary | Directly mapped for scriptd process logs. |
summary | event.idm.read_only_udm.security_result.summary | Directly mapped for some log types. |
support_id | event.idm.read_only_udm.additional.fields[].key:"Support_Id", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
systems | event.idm.read_only_udm.principal.asset.attribute.labels[].key, event.idm.read_only_udm.principal.asset.attribute.labels[].value | Parsed to extract system information and map it as labels to the principal asset. |
targetFile | event.idm.read_only_udm.target.file.full_path | Directly mapped for scriptd process logs. |
targetIp | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Directly mapped. Also used to populate target asset IP. Sets has_target to true. |
targetPort | event.idm.read_only_udm.target.port | Directly mapped, converted to integer. |
threat_campaign_names | event.idm.read_only_udm.additional.fields[].key:"threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
timestamp | event.timestamp | Directly mapped after parsing and rebasing. |
tls_version | event.idm.read_only_udm.network.tls.version | Directly mapped. |
tlsproto | event.idm.read_only_udm.network.tls.version_protocol | Directly mapped. If value is HTTP/1.1, then "HTTP" is mapped. |
unit_host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
uri | event.idm.read_only_udm.target.url | Directly mapped. |
uri_path | event.idm.read_only_udm.target.url | Directly mapped, concatenated with uri_query if present. |
url | event.idm.read_only_udm.principal.url | Directly mapped. |
url_string | event.idm.read_only_udm.network.http.referral_url | Directly mapped. |
user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped. |
userId | event.idm.read_only_udm.principal.user.userid, event.idm.read_only_udm.target.user.userid | Directly mapped. Also used to populate target user ID. Sets has_principal_user to true. |
vendor_name | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to "F5". |
violations | event.idm.read_only_udm.security_result.detection_fields[].key:"violations", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
vs | event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the vs key in the parsed key-value pairs. |
vs_name | event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs_name", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the vs_name key in the parsed key-value pairs. |
N/A | event.idm.read_only_udm.metadata.event_type | Determined by parser logic based on the presence of certain fields. Defaults to GENERIC_EVENT. Can be NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_UNCATEGORIZED, STATUS_UPDATE, or NETWORK_HTTP. |
N/A | event.idm.read_only_udm.metadata.product_name | Hardcoded to "BIG-IP Local Traffic Manager (LTM)". |
N/A | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to "F5". |
N/A | event.idm.read_only_udm.metadata.event_timestamp | Copied from the top-level event.timestamp. |
N/A | event.idm.read_only_udm.security_result.severity | Determined by parser logic based on the severity or Level fields, if present. Defaults to UNKNOWN_SEVERITY. Can be INFORMATIONAL, LOW, MEDIUM, HIGH, or CRITICAL. |
N/A | event.idm.read_only_udm.security_result.summary | Set to "Authentication failure" for specific apmd logs. |
N/A | event.idm.read_only_udm.extensions.auth.type | Set to "VPN" for specific apmd and sshd logs. Otherwise, set to AUTHTYPE_UNSPECIFIED for USER_LOGIN and USER_LOGOUT events. |
N/A | event.idm.read_only_udm.network.ip_protocol | Defaults to "TCP" if proto is not present. Otherwise, determined by the proto field. |
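The following added Python example (not the Google SecOps parser's own code) applies the mapping rules from the table above to a constructed key-value LTM line so the resulting UDM shape can be checked offline. The sample log line, the "?" separator between uri_path and uri_query, the NETWORK_CONNECTION rule when both endpoint IPs are present, and the treatment of unknown protocol numbers are assumptions; the severity conversions, the sec_action rule, the TCP default and the hardcoded vendor and product names follow the table.

```python
import re

# Constructed sample (not a real capture): a key-value style LTM line of the
# kind the F5_BIGIP_LTM parser handles, a syslog header followed by kv pairs.
SAMPLE = ('Oct 10 12:00:01 bigip1 warning tmm[1234]: Client_IP=203.0.113.10 '
          'client_port=51234 Virtual_IP=198.51.100.5 dest_port=443 '
          'Listener=/Common/vs_https http_method=GET uri_path=/login '
          'uri_query=next=home sec_action=Block loglevel=warning proto=6 '
          'bytes_in=812 bytes_out=5120 '
          'header.X-Forwarded-For="192.0.2.1, 10.0.0.7"')

# Severity conversions named in the mapping table; anything else is UNKNOWN_SEVERITY.
SEVERITY = {"info": "INFORMATIONAL", "informational": "INFORMATIONAL",
            "warning": "MEDIUM", "err": "HIGH", "error": "ERROR"}
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_kv(message):
    """Return the key=value pairs of a log line as a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(message)}

def normalize(raw):
    """Apply the table's rules to one raw line and return a UDM-shaped dict."""
    kv = parse_kv(raw)
    udm = {"metadata": {"vendor_name": "F5",
                        "product_name": "BIG-IP Local Traffic Manager (LTM)",
                        "event_type": "GENERIC_EVENT"},
           "principal": {}, "target": {}, "network": {}, "security_result": {}}
    # Client_IP, client_ip and src_ip feed principal.ip; X-Forwarded-For is
    # split on commas and merged in, as the table describes.
    principal_ip = [kv[k] for k in ("Client_IP", "client_ip", "src_ip") if k in kv]
    if "header.X-Forwarded-For" in kv:
        principal_ip += [ip.strip() for ip in kv["header.X-Forwarded-For"].split(",")]
    if principal_ip:
        udm["principal"]["ip"] = principal_ip
    if "client_port" in kv:
        udm["principal"]["port"] = int(kv["client_port"])
    target_ip = [kv[k] for k in ("Virtual_IP", "dest_ip") if k in kv]
    if target_ip:
        udm["target"]["ip"] = target_ip
    if "dest_port" in kv:
        udm["target"]["port"] = int(kv["dest_port"])
    # uri_path is concatenated with uri_query when present ("?" separator assumed).
    if "uri_path" in kv:
        udm["target"]["url"] = kv["uri_path"] + (
            "?" + kv["uri_query"] if "uri_query" in kv else "")
    if "http_method" in kv:  # presence of http_method forces NETWORK_HTTP
        udm["network"]["http"] = {"method": kv["http_method"]}
        udm["metadata"]["event_type"] = "NETWORK_HTTP"
    elif principal_ip and target_ip:  # assumed rule for NETWORK_CONNECTION
        udm["metadata"]["event_type"] = "NETWORK_CONNECTION"
    # ip_protocol defaults to TCP when proto is absent, else number-to-name lookup
    # (an unknown number is kept as-is; the page does not say what the parser does).
    proto = kv.get("proto")
    udm["network"]["ip_protocol"] = IP_PROTO.get(proto, proto) if proto else "TCP"
    for src, dst in (("bytes_in", "received_bytes"), ("bytes_out", "sent_bytes")):
        if src in kv:
            udm["network"][dst] = int(kv[src])
    # severity wins over Level; loglevel is used when neither is present.
    level = kv.get("severity") or kv.get("Level") or kv.get("loglevel") or ""
    udm["security_result"]["severity"] = SEVERITY.get(level.lower(), "UNKNOWN_SEVERITY")
    if "sec_action" in kv:  # "Continue" -> ALLOW, everything else -> BLOCK
        udm["security_result"]["action"] = [
            "ALLOW" if kv["sec_action"] == "Continue" else "BLOCK"]
    return udm
```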