Collect F5 BIG-IP LTM logs
Supported in:
This document describes how you can collect F5 BIG-IP Local Traffic Manager (LTM) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the F5_BIGIP_LTM ingestion label.
Configure F5 BIG-IP LTM
- Sign in to SSH using root credentials.
Sign in to the Traffic Management Shell (tmsh) with the following command:
tmshSend filtered log messages to remote syslog servers with the following command:
modify /sys syslog remote-servers noneRemove the remote-servers statement and then add a syslog
includestatement that defines a filter rule and the remote server.To define the required syslog filter that references the remote server, use the following command:
edit /sys syslog all-propertiesReplace the
include nonecommand with the following filter and add the IP address and port number.include " filter f_remote_loghost { level(debug..emerg); }; filter f_ssl_acc { not match(\"ssl_acc\"); }; filter f_ssl_req { not match(\"ssl_req\"); }; destination d_remote_loghost { udp(IP_ADDRESS PORT); }; log { source(s_syslog_pipe); filter(f_remote_loghost); filter(f_ssl_acc); filter(f_ssl_req); destination(d_remote_loghost); }; "Replace IP_ADDRESS with the Google Security Operations forwarder IP address and port with the high port number.
To exit the text editor, press Esc and then enter wq!.
Save the configuration with the following command:
save /sys config
Configure Google Security Operations forwarder and syslog to ingest F5 BIG-IP LTM logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select F5 BIGIP LTM as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the Google Security Operations forwarder IP address.
- Port: specify the port.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser normalizes F5 BIG-IP Local Traffic Manager (LTM) logs, handling both key-value and syslog formats. It extracts fields like IP addresses, usernames, actions, and descriptions, mapping them to the UDM, and categorizes events based on log content and extracted fields, including network connections, user logins/logouts, and generic events.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
Access_Profile |
event.idm.read_only_udm.additional.fields[].key:"Access_Profile", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped from the Access_Profile key in the parsed key-value pairs. |
Client_IP |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Directly mapped from the Client_IP key in the parsed key-value pairs. Also used to populate principal asset IP. Sets has_principal to true. |
Country |
event.idm.read_only_udm.principal.location.country_or_region |
Directly mapped from the Country key in the parsed key-value pairs. |
Listener |
event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped from the Listener key in the parsed key-value pairs. |
Session_ID |
event.idm.read_only_udm.network.session_id |
Directly mapped from the Session_ID key in the parsed key-value pairs. |
State |
event.idm.read_only_udm.principal.location.state |
Directly mapped from the State key in the parsed key-value pairs. |
Virtual_IP |
event.idm.read_only_udm.target.ip[], event.idm.read_only_udm.target.asset.ip[] |
Directly mapped from the Virtual_IP key in the parsed key-value pairs. Also used to populate target asset IP. Sets has_target to true. |
about |
event.idm.read_only_udm.about |
Populated from various fields like snat, vs_name, path, query, node, pool_member, vs, client, blade, and device if they are present in the raw log and successfully parsed. |
action_data |
event.idm.read_only_udm.target.process.command_line |
Directly mapped for scriptd process logs. |
attack_type |
event.idm.read_only_udm.security_result.category_details[] |
Directly mapped. |
blade |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"blade", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the blade key in the parsed key-value pairs. |
bytes_in |
event.idm.read_only_udm.network.received_bytes |
Directly mapped, converted to unsigned integer. |
bytes_out |
event.idm.read_only_udm.network.sent_bytes |
Directly mapped, converted to unsigned integer. |
captcha_result |
event.idm.read_only_udm.additional.fields[].key:"captcha_result", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
client |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"client", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the client key in the parsed key-value pairs. |
client_ip |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
client_port |
event.idm.read_only_udm.principal.port |
Directly mapped, converted to integer. |
collection_time |
event.timestamp |
The Log Entry's timestamp is used as the event timestamp. |
command_line |
event.idm.read_only_udm.target.process.command_line |
Directly mapped for CROND process logs and some logger logs. |
data |
message |
The raw log message. This is parsed and used to populate various UDM fields. |
dgl_count |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_Value", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
dgl_value |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_List", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
description |
event.idm.read_only_udm.metadata.description, event.idm.read_only_udm.security_result.description |
Directly mapped for some log types, or used as part of the security result description. |
device |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.about.resource.attribute.labels[].key:"device", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
dest_ip |
event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip |
Directly mapped. Also used to populate target asset IP. Sets has_principal to true. |
dest_port |
event.idm.read_only_udm.target.port |
Directly mapped. |
dvc |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.intermediary.hostname |
Parsed to extract hostname or IP. Used to populate principal hostname or intermediary hostname. |
errdefs_msgno |
event.idm.read_only_udm.additional.fields[].key:"errdefs_msgno", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped from the errdefs_msgno key in the parsed key-value pairs. |
error_reason |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"error_reason", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
false_positive |
event.idm.read_only_udm.additional.fields[].key:"false_positive", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
function_id |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"function_id", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
geoContinent |
event.idm.read_only_udm.principal.location.continent |
Not mapped in the provided example, but would map to continent if available. |
geoCountry |
event.idm.read_only_udm.principal.location.country_or_region |
Directly mapped. |
geoState |
event.idm.read_only_udm.principal.location.state |
Directly mapped. |
header.Referer |
event.idm.read_only_udm.network.http.referral_url |
Directly mapped. |
header.User-Agent |
event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent |
Directly mapped. Also converted to parsed user agent. |
header.X-Forwarded-For |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Parsed to extract IPs and merge them into principal IP and principal asset IP. |
host |
event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname |
Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
http_host |
event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname |
Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
http_method |
event.idm.read_only_udm.network.http.method |
Directly mapped. Sets event_type to NETWORK_HTTP if present. |
ip_client |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
kv_msg |
Various fields | Parsed as key-value pairs and used to populate various UDM fields. |
Level |
event.idm.read_only_udm.security_result.severity |
Mapped to severity if the severity field is not present. Converted to UDM severity values (e.g., "Info" -> "INFORMATIONAL"). |
Listener |
event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
log_message |
event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.security_result.description |
Further parsed to extract request_uri or description. |
log_type |
event.idm.read_only_udm.metadata.log_type |
Directly mapped from the raw log's log_type field. |
loglevel |
event.idm.read_only_udm.security_result.severity |
Mapped to severity. Converted to UDM severity values (e.g., "warning" -> "MEDIUM", "err" -> "HIGH"). Also used for alert/significant event logic. |
manage_ip_addr |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
method |
event.idm.read_only_udm.network.http.method |
Directly mapped. Sets event_type to NETWORK_HTTP. |
method_req |
event.idm.read_only_udm.network.http.method |
Directly mapped. |
msg1 |
event.idm.read_only_udm.security_result.description |
Used as the security result description if not parsed further. |
node |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"node", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the node key in the parsed key-value pairs. |
partition_name |
event.idm.read_only_udm.additional.fields[].key:"partition_name", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
path |
event.idm.read_only_udm.target.url, event.idm.read_only_udm.about.resource.attribute.labels[].key:"path", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped. |
policy_name |
event.idm.read_only_udm.security_result.detection_fields[].key:"policy_name", event.idm.read_only_udm.security_result.detection_fields[].value |
Directly mapped. |
pool_member |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"pool_member", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the pool_member key in the parsed key-value pairs. |
principalHost |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
principalIp |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[], event.idm.read_only_udm.observer.ip |
Directly mapped. Also used to populate principal asset IP and observer IP. Sets has_principal to true. |
principalPort |
event.idm.read_only_udm.principal.port |
Directly mapped, converted to integer. |
process |
event.idm.read_only_udm.target.application |
Directly mapped. |
product_event_type |
event.idm.read_only_udm.metadata.product_event_type |
Directly mapped. |
proto |
event.idm.read_only_udm.network.ip_protocol |
Mapped to IP protocol after converting protocol number to protocol name using a lookup. |
query |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"query", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the query key in the parsed key-value pairs. |
query_string |
event.idm.read_only_udm.additional.fields[].key:"query_string", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
reason |
event.idm.read_only_udm.security_result.description |
Directly mapped for apmd process logs with warning or error loglevel. |
reason_code |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"reason_code", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
req_status |
event.idm.read_only_udm.security_result.detection_fields[].key:"req_status", event.idm.read_only_udm.security_result.detection_fields[].value |
Directly mapped. |
request |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"request_type", event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.network.application_protocol |
Used to determine the application protocol (HTTP) and mapped as a label. |
request_status |
event.idm.read_only_udm.additional.fields[].key:"request_status", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
request_uri |
event.idm.read_only_udm.target.url |
Directly mapped. |
resp_code |
event.idm.read_only_udm.network.http.response_code |
Directly mapped, converted to integer. |
response_code |
event.idm.read_only_udm.network.http.response_code |
Directly mapped, converted to integer. |
rule_name |
event.idm.read_only_udm.security_result.rule_name |
Directly mapped. |
sec_action |
event.idm.read_only_udm.security_result.action[] |
Mapped to action. "Continue" is converted to "ALLOW". Other values are converted to "BLOCK". |
security_result |
event.idm.read_only_udm.security_result |
Merged into the security_result object. |
session_id |
event.idm.read_only_udm.network.session_id |
Directly mapped. |
severity |
event.idm.read_only_udm.security_result.severity |
Mapped to severity. Converted to UDM severity values (e.g., "Error" -> "ERROR", "Informational" -> "INFORMATIONAL"). |
sig_ids |
event.idm.read_only_udm.additional.fields[].key:"sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
sig_names |
event.idm.read_only_udm.additional.fields[].key:"sig_names", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
sni_host |
event.idm.read_only_udm.network.tls.client.server_name |
Directly mapped. |
snat |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"snat", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the snat key in the parsed key-value pairs. |
snat_ip |
event.idm.read_only_udm.principal.nat_ip[] |
Directly mapped. |
snat_port |
event.idm.read_only_udm.principal.nat_port |
Directly mapped, converted to integer. |
src_ip |
event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] |
Directly mapped. Also used to populate principal asset IP. |
src_port |
event.idm.read_only_udm.principal.port |
Directly mapped. |
ssl_cipher |
event.idm.read_only_udm.network.tls.cipher |
Directly mapped. |
ssl_function |
event.idm.read_only_udm.principal.resource.attribute.labels[].key:"ssl_function", event.idm.read_only_udm.principal.resource.attribute.labels[].value |
Directly mapped. |
ssl_version |
event.idm.read_only_udm.network.tls.version_protocol |
Directly mapped. |
staged_sig_ids |
event.idm.read_only_udm.additional.fields[].key:"staged_sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
staged_sig_names |
event.idm.read_only_udm.additional.fields[].key:"staged_sig_names", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
staged_sig_set_names |
event.idm.read_only_udm.additional.fields[].key:"staged_sig_set_names", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
staged_threat_campaign_names |
event.idm.read_only_udm.additional.fields[].key:"staged_threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
status |
event.idm.read_only_udm.security_result.summary |
Directly mapped for scriptd process logs. |
summary |
event.idm.read_only_udm.security_result.summary |
Directly mapped for some log types. |
support_id |
event.idm.read_only_udm.additional.fields[].key:"Support_Id", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
systems |
event.idm.read_only_udm.principal.asset.attribute.labels[].key, event.idm.read_only_udm.principal.asset.attribute.labels[].value |
Parsed to extract system information and map it as labels to the principal asset. |
targetFile |
event.idm.read_only_udm.target.file.full_path |
Directly mapped for scriptd process logs. |
targetIp |
event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip |
Directly mapped. Also used to populate target asset IP. Sets has_target to true. |
targetPort |
event.idm.read_only_udm.target.port |
Directly mapped, converted to integer. |
threat_campaign_names |
event.idm.read_only_udm.additional.fields[].key:"threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value |
Directly mapped. |
timestamp |
event.timestamp |
Directly mapped after parsing and rebasing. |
tls_version |
event.idm.read_only_udm.network.tls.version |
Directly mapped. |
tlsproto |
event.idm.read_only_udm.network.tls.version_protocol |
Directly mapped. If value is HTTP/1.1, then "HTTP" is mapped. |
unit_host |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
uri |
event.idm.read_only_udm.target.url |
Directly mapped. |
uri_path |
event.idm.read_only_udm.target.url |
Directly mapped, concatenated with uri_query if present. |
url |
event.idm.read_only_udm.principal.url |
Directly mapped. |
url_string |
event.idm.read_only_udm.network.http.referral_url |
Directly mapped. |
user_agent |
event.idm.read_only_udm.network.http.user_agent |
Directly mapped. |
userId |
event.idm.read_only_udm.principal.user.userid, event.idm.read_only_udm.target.user.userid |
Directly mapped. Also used to populate target user ID. Sets has_principal_user to true. |
vendor_name |
event.idm.read_only_udm.metadata.vendor_name |
Hardcoded to "F5". |
violations |
event.idm.read_only_udm.security_result.detection_fields[].key:"violations", event.idm.read_only_udm.security_result.detection_fields[].value |
Directly mapped. |
vs |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the vs key in the parsed key-value pairs. |
vs_name |
event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs_name", event.idm.read_only_udm.about.resource.attribute.labels[].value |
Directly mapped from the vs_name key in the parsed key-value pairs. |
| N/A | event.idm.read_only_udm.metadata.event_type |
Determined by parser logic based on the presence of certain fields. Defaults to GENERIC_EVENT. Can be NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_UNCATEGORIZED, STATUS_UPDATE, or NETWORK_HTTP. |
| N/A | event.idm.read_only_udm.metadata.product_name |
Hardcoded to "BIG-IP Local Traffic Manager (LTM)". |
| N/A | event.idm.read_only_udm.metadata.vendor_name |
Hardcoded to "F5". |
| N/A | event.idm.read_only_udm.metadata.event_timestamp |
Copied from the top-level event.timestamp. |
| N/A | event.idm.read_only_udm.security_result.severity |
Determined by parser logic based on the severity or Level fields, if present. Defaults to UNKNOWN_SEVERITY. Can be INFORMATIONAL, LOW, MEDIUM, HIGH, or CRITICAL. |
| N/A | event.idm.read_only_udm.security_result.summary |
Set to "Authentication failure" for specific apmd logs. |
| N/A | event.idm.read_only_udm.extensions.auth.type |
Set to "VPN" for specific apmd and sshd logs. Otherwise, set to AUTHTYPE_UNSPECIFIED for USER_LOGIN and USER_LOGOUT events. |
| N/A | event.idm.read_only_udm.network.ip_protocol |
Defaults to "TCP" if proto is not present. Otherwise, determined by the proto field. |
Need more help? Get answers from Community members and Google SecOps professionals.