Collect F5 BIG-IP APM logs
==========================

Supported in: Google SecOps SIEM

Note: This feature is covered by the Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions.

This document describes how you can collect F5 BIG-IP Access Policy Manager (APM) logs by using a Google Security Operations forwarder.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the F5_BIGIP_APM ingestion label.
Configure F5 BIG-IP APM
-----------------------

1. Sign in to the BIG-IP configuration utility portal using administrator credentials.
2. Select Main > System > Logs > Configuration > Remote logging.
3. In the Properties section, do the following:
   - In the Remote IP field, enter the Google Security Operations forwarder IP address.
   - In the Remote port field, enter a high port number.
4. Click Add.
5. Click Update.
For logs from APM, only the Berkeley Software Distribution (BSD) syslog format is supported.

Based on the signatures in the APM, the collector processes only APM logs. The F5 BIG-IP APM event collector also supports multi-threaded logs from LTM 11.6 to 12.1.1 devices.

If you are using an iRule, use the recommended iRule format. Google Security Operations supports the following iRule format only:
```tcl
# log_header_requests
##################################################################################
# Purpose: logs header information to Local Traffic log
#
# Update-Log   Date         By       Description
# Created      02/07/2020   E01961   Initial implementation
##################################################################################
when HTTP_REQUEST {
    # LogString is set per connection here and reused in HTTP_RESPONSE below
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    log local5. "================="
    log local5. "$LogString (request)"
    foreach aHeader [HTTP::header names] {
        log local5. "$aHeader: [HTTP::header value $aHeader]"
    }
    # set UserID [URI::query "?[HTTP::payload]" "UserID"]
    # log local0. "User $UserID attempted login from [IP::client_addr] and referer: [HTTP::header "Referer"]"
    # log local0. "============================================="
}
when HTTP_RESPONSE {
    log local5. "=================="
    log local5. "$LogString (response) - status: [HTTP::status]"
    foreach aHeader [HTTP::header names] {
        log local5. "$aHeader: [HTTP::header value $aHeader]"
    }
    # log local0. "============================================="
}
```
Configure F5 BIG-IP DNS
-----------------------

To configure F5 BIG-IP DNS, do the following tasks:

- Create a pool of remote logging servers.
- Create a remote high-speed log destination.
- Create a formatted remote high-speed log destination.
- Create a publisher.
- Create a custom DNS logging profile.
- Add a DNS logging profile to the listener.

### Create a pool of remote logging servers

1. On the Main tab, select DNS > Delivery > Load balancing > Pools, or Local traffic > Pools.
2. In the Pool list window that appears, click Create.
3. In the New pool window that appears, in the Name field, provide a unique name for the pool.
4. In the New members section, add the IP address for each remote logging server that you want to include in the pool:
   1. In the Address field, enter the Google Security Operations forwarder IP address or select a node address from the node list.
   2. In the Service port field, type a service number or select a service name from the list. Ensure that you have configured the correct remote logging port.
5. Click Add, and then click Finished.
### Create a remote high-speed log destination

1. On the Main tab, select System > Logs > Configuration > Log destinations.
2. In the Log destinations window that appears, click Create.
3. In the Name field, provide a unique and identifiable name for this destination.
4. In the Type list, select Remote high-speed log.
5. In the Pool name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
6. In the Protocol list, select the protocol used by the high-speed logging pool members.
7. Click Finished.
### Create a formatted remote high-speed log destination

1. On the Main tab, select System > Logs > Configuration > Log Destinations.
2. In the Log destinations window that appears, click Create.
3. In the Name field, provide a unique and identifiable name for this destination.
4. In the Type list, select Remote syslog as the formatted logging destination. The BIG-IP system is now configured to send a formatted string of text to the log servers.
5. In the Type list, select a format for the logs.
6. On the Forward To tab, select the High-speed log destination list, and then select the destination that points to a pool of remote syslog servers to which you want the BIG-IP system to send log messages.
7. Click Finished.
### Create a publisher

1. On the Main tab, select System > Logs > Configuration > Log publishers.
2. In the Log publishers window that appears, click Create.
3. In the Name field, provide a unique and identifiable name for the publisher.
4. In the Log publisher list, from the available list select the destination created previously.
5. To move the destination to the selected list, click << Move.
6. If you are using a formatted destination, select the newly created destination that matches your log servers, such as Remote syslog, Splunk, or ArcSight.
7. Click Finished.
### Create a custom DNS logging profile

1. On the Main tab, select DNS > Delivery > Profiles > Other > DNS Logging, or Local traffic > Profiles > Others > DNS logging.
2. In the DNS Logging profile list window that appears, click Create.
3. In the Name field, provide a unique name for the profile.
4. In the Log publisher list, select a destination to which the BIG-IP system sends DNS log entries.
5. If you want the BIG-IP system:
   - To log all DNS queries, from the Log queries setting, ensure that the enabled checkbox is selected.
   - To log all DNS responses, from the Log responses setting, select the enabled checkbox.
   - To include the query ID sent by the client in the log messages, from the Include query ID setting, select the enabled checkbox.
6. Click Finished.
### Add a DNS logging profile to the listener

1. On the Main tab, select DNS > Delivery > Listeners > DNS listener.
2. In the Service section, from the DNS profile list, select the DNS profile that you previously configured.
3. Click Update.
Configure the Google Security Operations forwarder to ingest F5 BIG-IP APM logs
-------------------------------------------------------------------------------

1. Go to SIEM Settings > Forwarders.
2. Click Add new forwarder.
3. In the Forwarder Name field, enter a unique name for the forwarder.
4. Click Submit. The forwarder is added and the Add collector configuration window appears.
5. In the Collector name field, type a name.
6. Select F5 BIGIP Access Policy Manager as the Log type.
7. Select Syslog as the Collector type.
8. Configure the following mandatory input parameters:
   - Protocol: specify the protocol.
   - Address: specify the target IP address or hostname where the collector resides and receives syslog data.
   - Port: specify the target port where the collector resides and listens for syslog data.
9. Click Submit.

For more information about Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI (/chronicle/docs/install/forwarder-management-configurations).

If you encounter issues when you create forwarders, contact Google Security Operations support (/chronicle/docs/getting-support).
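A way to check the Protocol, Address and Port values end to end, as an added example that is not part of this document and not Google's or F5's code: it builds a BSD syslog (RFC 3164) line in the shape the iRule above produces (facility local5) and sends it as a UDP datagram. The host name, facilities table, sample message and the placeholder forwarder address in the usage block are constructed for this example; the loopback receiver stands in for the forwarder's listener so the exact bytes on the wire can be inspected without any device.

```python
"""Added example: build and send a BSD syslog (RFC 3164) test line.
Not Google's or F5's code; host name, message and address are constructed."""
import socket
from datetime import datetime

# syslog PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
FACILITY = {"kern": 0, "user": 1, "local0": 16, "local5": 21, "local6": 22}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# fixed timestamp used by the usage block below (BSD syslog sends no year)
SAMPLE_WHEN = datetime(2025, 1, 5, 3, 4, 5)


def priority(facility, severity):
    """Numeric PRI for a facility/severity pair, e.g. local5.info -> 174."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_priority(pri):
    """Inverse of priority(): split a PRI value back into (facility, severity)."""
    fac = {v: k for k, v in FACILITY.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return fac, sev


def bsd_syslog(facility, severity, host, tag, msg, when=None):
    """Return one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    The day of month is space-padded to two characters, as BSD syslog requires."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{ts} {host} {tag}: {msg}"


def send_udp(line, address, port):
    """Send the line as a single UDP datagram; returns the number of bytes sent."""
    data = line.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (address, port))


def loopback_check(line):
    """Receive our own datagram on 127.0.0.1 and confirm the bytes on the wire
    are exactly the BSD line. A local stand-in for the forwarder's listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port
        rx.settimeout(2.0)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8") == line


if __name__ == "__main__":
    # Constructed sample in the shape of the iRule's request log line.
    line = bsd_syslog("local5", "info", "bigip1", "tmm",
                      "Client 10.0.0.5:51234 -> www.example.com/ (request)",
                      SAMPLE_WHEN)
    print(line, "| loopback ok" if loopback_check(line) else "| loopback FAILED")
    # To test the real path, send to the Address/Port configured on the
    # collector; FORWARDER_IP and 5140 below are placeholders, not real values.
    # send_udp(line, "FORWARDER_IP", 5140)
```

Run it once with the loopback check to see the exact line format, then uncomment the last call with the real collector address and port and confirm the event appears under the F5 BIGIP Access Policy Manager log type. A TCP syslog collector would need a stream socket and a trailing newline instead of the datagram shown here.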
Field mapping reference
-----------------------

This F5 BIG-IP APM parser extracts fields from syslog messages, categorizing them based on the application source (tmsh, tmm, apmd, httpd, or other). It then maps these extracted fields to the UDM, handling various log formats and enriching the data with metadata like severity, location, and user information.
UDM mapping table
-----------------

Rows marked "-" in the Log field column are set by parser logic rather than copied from a single log field.

| Log field | UDM mapping | Logic |
|---|---|---|
| application | principal.application | The value is taken from the application field extracted by the grok filter. |
| bytes_in | network.received_bytes | The value is taken from the bytes_in field extracted by the grok filter and converted to an unsigned integer. |
| bytes_out | network.sent_bytes | The value is taken from the bytes_out field extracted by the grok filter and converted to an unsigned integer. |
| cmd_data | principal.process.command_line | The value is taken from the cmd_data field extracted by the kv filter. |
| destination_ip | target.ip | The value is taken from the destination_ip field extracted by the grok filter. |
| destination_port | target.port | The value is taken from the destination_port field extracted by the grok filter and converted to an integer. |
| folder | principal.process.file.full_path | The value is taken from the folder field extracted by the kv filter. |
| geoCountry | principal.location.country_or_region | The value is taken from the geoCountry field extracted by the grok filter. |
| geoState | principal.location.state | The value is taken from the geoState field extracted by the grok filter. |
| inner_msg | security_result.description | The value is taken from the inner_msg field extracted by the grok filter when no other specific description is available. |
| ip_protocol | network.ip_protocol | The value is taken from the ip_protocol field extracted by the grok filter. |
| principal_hostname | principal.hostname | The value is taken from the principal_hostname field extracted by the grok filter. |
| principal_ip | principal.ip | The value is taken from the principal_ip field extracted by the grok filter. |
| process_id | principal.process.pid | The value is taken from the process_id field extracted by the grok filter. |
| role | user_role.name | The value is taken from the role field extracted by the grok filter. If the role field contains "admin" (case-insensitive), the value is set to "ADMINISTRATOR". |
| severity | security_result.severity_details | The original severity value from the syslog message is stored here. |
| severity | security_result.severity | Derived from the severity field using conditional logic: CRITICAL -> CRITICAL; ERR -> ERROR; ALERT, EMERGENCY -> HIGH; INFO, NOTICE -> INFORMATIONAL; DEBUG -> LOW; WARN -> MEDIUM. |
| source_ip | principal.ip | The value is taken from the source_ip field extracted by the grok filter. |
| source_port | principal.port | The value is taken from the source_port field extracted by the grok filter and converted to an integer. |
| status | security_result.summary | The value is taken from the status field extracted by the kv filter. |
| timestamp | metadata.event_timestamp, timestamp | The value is taken from the timestamp field extracted by the grok filter and parsed into a timestamp object. The timestamp field in the top-level event object also gets this value. |
| user | principal.user.userid | The value is taken from the user field extracted by the grok filter, after removing "id\" or "ID\" prefixes. |
| - | metadata.event_type | Derived from the presence of other fields, first match wins: if user exists, USER_UNCATEGORIZED; if source_ip and destination_ip exist, NETWORK_CONNECTION; if principal_ip or principal_hostname exist, STATUS_UPDATE; otherwise, GENERIC_EVENT. |
| - | metadata.product_name | Hardcoded to "BIGIP_APM". |
| - | metadata.vendor_name | Hardcoded to "F5". |
| result | security_result.action | If the result field is "failed", the value is set to "BLOCK". |
Last updated 2025-08-29 UTC.