Collect F5 BIG-IP LTM logs

This document explains how to ingest F5 BIG-IP LTM logs to Google Security Operations using the Bindplane agent.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Windows 2016 or later or Linux host with systemd
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Administrative access to the F5 BIG-IP LTM device (TMSH or web UI)

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where the Bindplane agent will be installed. For example, /opt/observiq-otel-collector/ingestion-auth.json.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet


Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh


Additional installation resources

For additional installation options, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    • Locate the config.yaml file. On Linux, the default path is /opt/observiq-otel-collector/config.yaml. On Windows, it's in the installation directory.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

      receivers:
        # UDP syslog listener (RFC 5424 over UDP)
        udplog:
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/chronicle_w_labels:
          compression: gzip
          creds_file_path: "/opt/observiq-otel-collector/ingestion-auth.json"
          customer_id: "<YOUR_CUSTOMER_ID>"
          endpoint: "<YOUR_REGIONAL_ENDPOINT>"
          log_type: "F5_BIGIP_LTM"
          raw_log_field: body
          ingestion_labels:

      service:
        pipelines:
          logs/f5ltm:
            receivers: [udplog]
            exporters: [chronicle/chronicle_w_labels]

    • Replace <YOUR_CUSTOMER_ID> with the Customer ID you saved in "Get Google SecOps customer ID".
    • Replace <YOUR_REGIONAL_ENDPOINT> with the appropriate regional endpoint from the Regional Endpoints documentation.
    • Update /opt/observiq-otel-collector/ingestion-auth.json to the path where you saved the ingestion authentication file in "Get Google SecOps ingestion authentication file".

    Configuration notes:

    • The listen_address is set to 0.0.0.0:514 to accept syslog from any source. Adjust it if you need to restrict the listener to specific interfaces.
    • UDP port 514 is the standard syslog port. If binding port 514 requires root privileges, you may use a port higher than 1024 (for example, 5514) and adjust the F5 configuration accordingly.
    • For TCP instead of UDP, create a tcplog receiver and set the F5 Remote High-Speed Log protocol to tcp.
  3. Save the file and exit the editor.

Restart the Bindplane agent to apply the changes

  1. To restart the Bindplane agent in Linux, run the following command:

      sudo systemctl restart observiq-otel-collector

  2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

      net stop observiq-otel-collector && net start observiq-otel-collector
    
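The following Python script is an added example, not part of the Google SecOps page or the Bindplane project. It builds a datagram shaped like the output of the request-log template configured later on this page, wraps it in an RFC 5424 header (the format the remote-syslog destination is set to), and pushes it through a UDP listener so you can confirm the udplog receiver and the pipeline behind it accept traffic before the F5 device is connected. The host name, IP addresses and virtual server name in the sample are constructed; against a live agent, point send_udp at the collector host and the port from listen_address.

```python
"""Added example (not from the Google SecOps page or the Bindplane project):
build a syslog datagram shaped like the output of the request-log template
on this page, wrapped in an RFC 5424 header, and push it through a UDP
listener so the Bindplane udplog receiver can be smoke-tested end to end."""
import socket
from datetime import datetime, timezone

# Constructed sample: key="value" pairs in the layout of the request-log template.
# Host names, IPs and the virtual server name are made up for the example.
SAMPLE_TEMPLATE_OUTPUT = (
    'event_source="request_logging",hostname="bigip-lab-01",'
    'client_ip="198.51.100.23",server_ip="10.0.0.15",http_method="GET",'
    'http_uri="/login",http_host="app.example.test",'
    'virtual_name="/Common/vs_app_https",event_timestamp="24/Mar/2024:10:15:32 +0000"'
)
FIXED_TS = datetime(2024, 3, 24, 10, 15, 32, tzinfo=timezone.utc)


def build_rfc5424(msg, hostname="bigip-lab-01", app="tmm",
                  facility=16, severity=6, timestamp=None):
    """Wrap msg in an RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    Facility 16 (local0) and severity 6 (informational) give PRI 134."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode("utf-8")


def build_sample_datagram():
    """The constructed sample with a fixed timestamp, so it is stable to compare."""
    return build_rfc5424(SAMPLE_TEMPLATE_OUTPUT, timestamp=FIXED_TS)


def send_udp(datagram, host, port):
    """Send one datagram to the udplog listen_address; returns the byte count."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


def loopback_check(port=0):
    """Self-test: bind a throwaway UDP listener on localhost, send the sample
    through it and return what arrived. Against a live agent, call send_udp
    with the collector host and the port from listen_address instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(2.0)
        _, bound_port = listener.getsockname()
        send_udp(build_sample_datagram(), "127.0.0.1", bound_port)
        data, _ = listener.recvfrom(65535)
        return data


if __name__ == "__main__":
    # Loopback run; the received bytes are what the udplog receiver would see.
    print(loopback_check().decode("utf-8"))
```

If the message shows up in Google SecOps under log type F5_BIGIP_LTM, the collector, credentials, endpoint and pipeline are all correct and any remaining gap is on the F5 side (pool reachability, port, protocol).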

Configure F5 BIG-IP LTM syslog forwarding

Option A: Using TMSH (Command Line Interface)

Step 1: Create pool for syslog destination

  1. Connect to the F5 BIG-IP LTM device using SSH.
  2. Run the following commands:

      tmsh create ltm pool f5_syslog_pool members add { <BINDPLANE_IP>:514 } monitor gateway_icmp

    • Replace <BINDPLANE_IP> with the IP address of your Bindplane agent host.

Step 2: Create log destination

    tmsh create sys log-config destination remote-high-speed-log f5_hsl_dest protocol udp pool-name f5_syslog_pool

    tmsh create sys log-config destination remote-syslog f5_remote_syslog_dest format rfc5424 remote-high-speed-log f5_hsl_dest

Step 3: Create log publisher

    tmsh create sys log-config publisher f5_log_publisher destinations add { f5_remote_syslog_dest }

Step 4: Create request logging profile

    tmsh create ltm profile request-log f5_ltm_request_log \
        request-log-pool f5_syslog_pool request-log-protocol mds-udp \
        request-log-template 'event_source="request_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",http_host="${host}",virtual_name="$VIRTUAL_NAME",event_timestamp="$DATE_HTTP"' \
        request-logging enabled \
        response-log-pool f5_syslog_pool response-log-protocol mds-udp \
        response-log-template 'event_source="response_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",http_host="${host}",virtual_name="$VIRTUAL_NAME",http_statcode="$HTTP_STATCODE",event_timestamp="$DATE_HTTP"' \
        response-logging enabled

Step 5: Apply logging profile to virtual server

    tmsh modify ltm virtual <VIRTUAL_SERVER_NAME> profiles add { f5_ltm_request_log }

  • Replace <VIRTUAL_SERVER_NAME> with the name of your virtual server.

Step 6: Save configuration

    tmsh save sys config

Option B: Using F5 Web UI (Configuration Utility)

Step 1: Create pool for syslog destination

  1. Sign in to the F5 BIG-IP LTM web interface.
  2. Go to Local Traffic > Pools > Pool List.
  3. Click Create.
  4. Provide the following configuration details:
    • Name: Enter f5_syslog_pool.
    • Health Monitors: Select gateway_icmp.
  5. In the Resources section, under New Members:
    • Address: Enter the Bindplane agent IP address.
    • Service Port: Enter 514.
  6. Click Add.
  7. Click Finished.

Step 2: Create remote high-speed log destination

  1. Go to System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter f5_hsl_dest.
    • Type: Select Remote High-Speed Log.
    • Protocol: Select UDP.
    • Pool Name: Select f5_syslog_pool.
  4. Click Finished.

Step 3: Create remote syslog destination

  1. Go to System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter f5_remote_syslog_dest.
    • Type: Select Remote Syslog.
    • Syslog Format: Select RFC 5424.
    • Remote High-Speed Log: Select f5_hsl_dest.
  4. Click Finished.

Step 4: Create log publisher

  1. Go to System > Logs > Configuration > Log Publishers.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter f5_log_publisher.
    • Destinations: Move f5_remote_syslog_dest from Available to Selected.
  4. Click Finished.

Step 5: Create request logging profile

  1. Go to Local Traffic > Profiles > Other > Request Logging.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter f5_ltm_request_log.
    • Parent Profile: Select request-log.
  4. Under Request Settings:

    • Request Logging: Select Enabled.
    • Request Log Protocol: Select mds-udp.
    • Request Log Pool: Select f5_syslog_pool.
    • Request Log Template: Enter the following:

       event_source="request_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",http_host="${host}",virtual_name="$VIRTUAL_NAME",event_timestamp="$DATE_HTTP"

  5. Under Response Settings:

    • Response Logging: Select Enabled.
    • Response Log Protocol: Select mds-udp.
    • Response Log Pool: Select f5_syslog_pool.
    • Response Log Template: Enter the following:

       event_source="response_logging",hostname="$BIGIP_HOSTNAME",client_ip="$CLIENT_IP",server_ip="$SERVER_IP",http_method="$HTTP_METHOD",http_uri="$HTTP_URI",http_host="${host}",virtual_name="$VIRTUAL_NAME",http_statcode="$HTTP_STATCODE",event_timestamp="$DATE_HTTP"

  6. Click Finished.

Step 6: Apply request logging profile to virtual server

  1. Go to Local Traffic > Virtual Servers > Virtual Server List.
  2. Click the virtual server name to open its Properties tab.
  3. From the Configuration list, select Advanced.
  4. From the Request Logging Profile list, select f5_ltm_request_log.
  5. Click Update.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| blade_field | about.resource.attribute.labels | Merged |
| client_field | about.resource.attribute.labels | Merged |
| device_field | about.resource.attribute.labels | Merged |
| node_field | about.resource.attribute.labels | Merged |
| path_field | about.resource.attribute.labels | Merged |
| pool_member_field | about.resource.attribute.labels | Merged |
| query_field | about.resource.attribute.labels | Merged |
| snat_field | about.resource.attribute.labels | Merged |
| vs_field | about.resource.attribute.labels | Merged |
| vs_name_field | about.resource.attribute.labels | Merged |
| Access_Profile_field | additional.fields | Merged |
| Listener_field | additional.fields | Merged |
| captcha_result_field | additional.fields | Merged |
| errdefs_msgno_field | additional.fields | Merged |
| false_positive_field | additional.fields | Merged |
| http_uri_label | additional.fields | Merged |
| partition_name_field | additional.fields | Merged |
| process | additional.fields | Mapped: sshd → ssh_server_version_label, sshd → ssh_client_version_label |
| query_string_label | additional.fields | Merged |
| request_status_label | additional.fields | Merged |
| sig_ids_field | additional.fields | Merged |
| sig_names_field | additional.fields | Merged |
| sig_set_names_field | additional.fields | Merged |
| ssh_client_version_label | additional.fields | Merged |
| ssh_server_version_label | additional.fields | Merged |
| staged_sig_ids_field | additional.fields | Merged |
| staged_sig_names_field | additional.fields | Merged |
| staged_sig_set_names_field | additional.fields | Merged |
| staged_threat_campaign_names_field | additional.fields | Merged |
| support_id_label | additional.fields | Merged |
| threat_campaign_names_field | additional.fields | Merged |
| action_data | extensions.auth.type | Mapped: session opened → AUTHTYPE_UNSPECIFIED, session closed → AUTHTYPE_UNSPECIFIED |
| loglevel | extensions.auth.type | Mapped: warning → VPN |
| process | extensions.auth.type | Mapped: apmd → VPN, httpd → AUTHTYPE_UNSPECIFIED, sshd → AUTHTYPE_UNSPECIFIED |
| i_ip | intermediary.asset.ip | Merged |
| dvc | intermediary.hostname | Directly mapped |
| dvc_ip | intermediary.ip | Merged |
| i_ip | intermediary.ip | Merged |
| i_port | intermediary.port | Renamed/mapped |
| action_data | metadata.description | Directly mapped |
| desc | metadata.description | Directly mapped |
| description | metadata.description | Directly mapped |
| process | metadata.description | Directly mapped |
| timestamp | metadata.event_timestamp | Parsed as dd MMM yyyy HH:mm:ss |
| ts | metadata.event_timestamp | Parsed as MMM dd HH:mm:ss |
| event_type | metadata.event_type | Directly mapped |
| product_event_type | metadata.product_event_type | Directly mapped |
| producteventtype | metadata.product_event_type | Directly mapped |
| eventId | metadata.product_log_id | Directly mapped |
| protocol | network.application_protocol | Mapped: (?i)ssh → SSH, (?i)HTTPS → HTTPS |
| request | network.application_protocol | Mapped: (?i)(http) → HTTP |
| http_method | network.http.method | Directly mapped |
| method | network.http.method | Directly mapped |
| method_req | network.http.method | Directly mapped |
| header.User-Agent | network.http.parsed_user_agent | Renamed/mapped |
| header.Referer | network.http.referral_url | Directly mapped |
| url_string | network.http.referral_url | Directly mapped |
| resp_code | network.http.response_code | Renamed/mapped |
| response_code | network.http.response_code | Directly mapped |
| header.User-Agent | network.http.user_agent | Directly mapped |
| user_agent | network.http.user_agent | Directly mapped |
| ip_protocol_out | network.ip_protocol | Directly mapped |
| process | network.ip_protocol | Mapped values (five total, for example, tmm → TCP, httpd → TCP, sshd → TCP) |
| byte_code | network.received_bytes | Directly mapped |
| bytes_in | network.received_bytes | Directly mapped |
| process | network.received_bytes | Mapped: logger → uinteger |
| bytes_out | network.sent_bytes | Directly mapped |
| Session_ID | network.session_id | Directly mapped |
| session_id | network.session_id | Directly mapped |
| cipher | network.tls.cipher | Directly mapped |
| cipher_name | network.tls.cipher | Directly mapped |
| ssl_cipher | network.tls.cipher | Directly mapped |
| sni_host | network.tls.client.server_name | Directly mapped |
| tls_version | network.tls.version | Directly mapped |
| ssl_version | network.tls.version_protocol | Directly mapped |
| tlsproto | network.tls.version_protocol | Mapped: HTTP/1.1 → HTTP |
| principalHost | observer.hostname | Directly mapped |
| principalIp | observer.ip | Merged |
| process | observer.ip | Mapped: tmm → principalIp, sshd → principalIp |
| label | principal.asset.attribute.labels | Merged |
| process | principal.asset.attribute.labels | Mapped: tmm → label |
| device | principal.asset.hostname | Directly mapped |
| dvc | principal.asset.hostname | Directly mapped |
| host | principal.asset.hostname | Directly mapped |
| principalHost | principal.asset.hostname | Directly mapped |
| principal_ip | principal.asset.hostname | Directly mapped |
| unit_host | principal.asset.hostname | Directly mapped |
| Client_IP | principal.asset.ip | Merged |
| client_ip | principal.asset.ip | Merged |
| ip1 | principal.asset.ip | Merged |
| ip_client | principal.asset.ip | Merged |
| loglevel | principal.asset.ip | Mapped: warning → src_ip |
| manage_ip_addr | principal.asset.ip | Merged |
| p_ip | principal.asset.ip | Merged |
| principalIp | principal.asset.ip | Merged |
| principal_ip | principal.asset.ip | Merged |
| process | principal.asset.ip | Mapped values (10 total, for example, apmd → src_ip, tmm → p_ip, tmm → src_ip) |
| src_ip | principal.asset.ip | Mapped: ip → x_ip |
| x_ip | principal.asset.ip | Merged |
| device | principal.hostname | Directly mapped |
| dvc | principal.hostname | Directly mapped |
| host | principal.hostname | Directly mapped |
| principalHost | principal.hostname | Directly mapped |
| principal_ip | principal.hostname | Directly mapped |
| unit_host | principal.hostname | Directly mapped |
| Client_IP | principal.ip | Merged |
| client_ip | principal.ip | Merged |
| ip1 | principal.ip | Merged |
| ip_client | principal.ip | Merged |
| loglevel | principal.ip | Mapped: warning → src_ip |
| manage_ip_addr | principal.ip | Merged |
| p_ip | principal.ip | Merged |
| principalIp | principal.ip | Merged |
| principal_ip | principal.ip | Merged |
| process | principal.ip | Mapped values (10 total, for example, apmd → src_ip, tmm → p_ip, tmm → src_ip) |
| src_ip | principal.ip | Mapped: ip → x_ip |
| x_ip | principal.ip | Merged |
| Country | principal.location.country_or_region | Directly mapped |
| geoCountry | principal.location.country_or_region | Directly mapped |
| State | principal.location.state | Directly mapped |
| geoState | principal.location.state | Directly mapped |
| snat_ip | principal.nat_ip | Merged |
| snat_port | principal.nat_port | Directly mapped |
| client_port | principal.port | Directly mapped |
| p_port | principal.port | Renamed/mapped |
| prin_port | principal.port | Renamed/mapped |
| principalPort | principal.port | Renamed/mapped |
| source_parent_process_id | principal.process.parent_process.pid | Directly mapped |
| source_process_id | principal.process.pid | Directly mapped |
| bank_label | principal.resource.attribute.labels | Merged |
| dgl_count_label | principal.resource.attribute.labels | Merged |
| dgl_value_label | principal.resource.attribute.labels | Merged |
| error_reason_label | principal.resource.attribute.labels | Merged |
| function_id_label | principal.resource.attribute.labels | Merged |
| information_label | principal.resource.attribute.labels | Merged |
| operation_label | principal.resource.attribute.labels | Merged |
| process | principal.resource.attribute.labels | Mapped values (11 total, for example, tmm → bank_label, tmm → service_label, tmm → `operat...) |
| reason_code_label | principal.resource.attribute.labels | Merged |
| request_label | principal.resource.attribute.labels | Merged |
| service_label | principal.resource.attribute.labels | Merged |
| ssl_function_label | principal.resource.attribute.labels | Merged |
| url | principal.url | Directly mapped |
| process | principal.user.attribute.roles | Mapped: rest(pam_audit) → role |
| role | principal.user.attribute.roles | Merged |
| userRole | principal.user.attribute.roles | Mapped: (?i)Administrator → role |
| header.X-HackerOne | principal.user.userid | Directly mapped |
| principalId | principal.user.userid | Directly mapped |
| userId | principal.user.userid | Directly mapped |
| sr_label | security_result.about.resource.attribute.labels | Merged |
| action | security_result.action | Merged |
| process | security_result.action | Mapped: httpd → sec_action |
| sec_action | security_result.action | Merged |
| action_details | security_result.action_details | Directly mapped |
| security_category | security_result.category_details | Merged |
| description | security_result.description | Directly mapped |
| msg1 | security_result.description | Directly mapped |
| reason | security_result.description | Directly mapped |
| detection_policy_name | security_result.detection_fields | Merged |
| event_source_label | security_result.detection_fields | Merged |
| module_label | security_result.detection_fields | Merged |
| req_status_label | security_result.detection_fields | Merged |
| status1_label | security_result.detection_fields | Merged |
| violations_field | security_result.detection_fields | Merged |
| policy | security_result.rule_name | Directly mapped |
| rule_name | security_result.rule_name | Directly mapped |
| loglevel | security_result.severity | Directly mapped |
| severity | security_result.severity | Mapped: (?i)(Info/Informational) → INFORMATIONAL, (?i)Error → ERROR, (?i)Warning →... |
| auth_status | security_result.summary | Directly mapped |
| loglevel | security_result.summary | Mapped: warning → Authentication failure |
| process | security_result.summary | Mapped: apmd → Authentication failure |
| status | security_result.summary | Directly mapped |
| summary | security_result.summary | Directly mapped |
| process | target.application | Directly mapped |
| dvc | target.asset.hostname | Directly mapped |
| host | target.asset.hostname | Directly mapped |
| http_host | target.asset.hostname | Directly mapped |
| Virtual_IP | target.asset.ip | Merged |
| process | target.asset.ip | Mapped: tmm → t_ip |
| server_ip | target.asset.ip | Merged |
| t_ip | target.asset.ip | Merged |
| targetIp | target.asset.ip | Directly mapped |
| target_ip | target.asset.ip | Merged |
| vip | target.asset.ip | Merged |
| File | target.file.full_path | Directly mapped |
| targetFile | target.file.full_path | Directly mapped |
| dvc | target.hostname | Directly mapped |
| host | target.hostname | Directly mapped |
| http_host | target.hostname | Directly mapped |
| Virtual_IP | target.ip | Merged |
| process | target.ip | Mapped: tmm → t_ip |
| server_ip | target.ip | Merged |
| t_ip | target.ip | Merged |
| target_ip | target.ip | Merged |
| vip | target.ip | Merged |
| server_port | target.port | Directly mapped |
| t_port | target.port | Renamed/mapped |
| targetPort | target.port | Renamed/mapped |
| action_data | target.process.command_line | Directly mapped |
| cmd_data | target.process.command_line | Directly mapped |
| command_line | target.process.command_line | Directly mapped |
| pid | target.process.pid | Directly mapped |
| virtual_name | target.resource.name | Directly mapped |
| path | target.url | Directly mapped |
| request_path | target.url | Directly mapped |
| uri | target.url | Directly mapped |
| uri_path | target.url | Directly mapped |
| uri_query | target.url | Directly mapped |
| process | target.user.attribute.roles | Mapped: httpd → role |
| role | target.user.attribute.roles | Merged |
| user | target.user.userid | Directly mapped |
| user2 | target.user.userid | Directly mapped |
| userId | target.user.userid | Directly mapped |
| N/A | extensions.auth.type | Constant: VPN |
| N/A | metadata.product_name | Constant: BIG-IP Local Traffic Manager (LTM) |
| N/A | metadata.vendor_name | Constant: F5 |
| N/A | network.application_protocol | Constant: HTTP |
| N/A | network.ip_protocol | Constant: TCP |
| N/A | network.tls.version_protocol | Constant: HTTP |
| N/A | security_result.severity | Constant: INFORMATIONAL |
| N/A | security_result.summary | Constant: Authentication failure |
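The following Python script is an added example; it is not part of the Google SecOps page, the F5 request-log profile, or the Google SecOps parser itself. It serves two passages above: the request-log and response-log templates (which emit key="value" pairs separated by commas) and this mapping table. It parses a template line into its fields, flags IP fields that did not resolve to a literal address, and projects the fields the table covers (client_ip, server_ip, http_method, http_host, virtual_name) onto the UDM paths listed for them. Whether a line reaches the collector with an RFC 5424 header in front of the body depends on how it was delivered, so the parser tolerates both forms. Both sample lines, their host names, addresses and virtual server name are constructed.

```python
"""Added example (not from the Google SecOps page, the F5 request-log profile
or the Google SecOps parser): parse a line produced by the request-log /
response-log templates on this page and project a few fields onto the UDM
paths that the mapping table lists for them. Sample lines are constructed."""
import ipaddress
import re

# key="value" pairs; a value may contain commas or spaces but not a double
# quote, which the F5 template does not escape.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# Optional RFC 5424 header (<PRI>1 TS HOST APP PROCID MSGID SD) ahead of the body.
_RFC5424_RE = re.compile(r'^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ (?:-|\[[^\]]*\]) ')

# Subset of the UDM mapping table on this page: template key -> UDM field(s).
UDM_MAP = {
    "client_ip": ("principal.ip", "principal.asset.ip"),
    "server_ip": ("target.ip", "target.asset.ip"),
    "http_method": ("network.http.method",),
    "http_host": ("target.hostname", "target.asset.hostname"),
    "virtual_name": ("target.resource.name",),
}
IP_KEYS = ("client_ip", "server_ip")

# Constructed samples: one request line with a syslog header, one response line without.
SAMPLE_REQUEST_LINE = (
    '<134>1 2024-03-24T10:15:32Z bigip-lab-01 tmm - - - '
    'event_source="request_logging",hostname="bigip-lab-01",client_ip="198.51.100.23",'
    'server_ip="10.0.0.15",http_method="GET",http_uri="/search?q=a,b",'
    'http_host="app.example.test",virtual_name="/Common/vs_app_https",'
    'event_timestamp="24/Mar/2024:10:15:32 +0000"'
)
SAMPLE_RESPONSE_LINE = (
    'event_source="response_logging",hostname="bigip-lab-01",client_ip="198.51.100.23",'
    'server_ip="10.0.0.15",http_method="GET",http_uri="/search?q=a,b",'
    'http_host="app.example.test",virtual_name="/Common/vs_app_https",'
    'http_statcode="302",event_timestamp="24/Mar/2024:10:15:33 +0000"'
)


def parse_template_line(line):
    """Return the template's fields as a dict, tolerating an RFC 5424 header."""
    body = _RFC5424_RE.sub("", line.strip(), count=1)
    fields = dict(_PAIR_RE.findall(body))
    if fields.get("event_source") not in ("request_logging", "response_logging"):
        raise ValueError("not a request-log/response-log template line")
    return fields


def validate_ips(fields):
    """Names of IP-carrying keys whose value is not a literal IP address
    (for example an unexpanded $CLIENT_IP placeholder or a missing key)."""
    bad = []
    for key in IP_KEYS:
        try:
            ipaddress.ip_address(fields[key])
        except (KeyError, ValueError):
            bad.append(key)
    return bad


def to_udm(fields):
    """Project parsed fields onto the UDM paths the mapping table gives them."""
    udm = {}
    for key, value in fields.items():
        for path in UDM_MAP.get(key, ()):
            udm[path] = value
    return udm


if __name__ == "__main__":
    for line in (SAMPLE_REQUEST_LINE, SAMPLE_RESPONSE_LINE):
        parsed = parse_template_line(line)
        print(parsed["event_source"], validate_ips(parsed), to_udm(parsed))
```

Running the parser over a few lines captured at the collector is a quick way to confirm that the template variables expanded on the device (an unexpanded placeholder shows up in validate_ips) and that the fields you expect to search on in UDM, such as principal.ip and target.resource.name, are actually present in the raw log.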
