BIG-IP

Overview

The BIG-IP integration ingests and normalizes logs from F5's BIG-IP application delivery and security platform into Logpoint. Once ingested, you can explore and analyze the data using Logpoint's search capabilities and the analytics available for this integration, including dashboards. This gives you clear visibility into application security, load balancing, access policy management, web application firewall events, traffic distribution, user authentication, and threat detection, enabling faster detection, compliance, and response.

The integration includes:

  • Syslog Collector to retrieve raw logs from BIG-IP devices and ingest them into Logpoint for processing.

  • Syslog Parser to extract key fields from raw BIG-IP logs.

  • BigIPF5CompiledNormalizer (modularized) to convert the parsed logs into a standardized format for consistent analysis across Logpoint. The modularized normalizer includes specialized modules like F5AFMCEFNormalizer, F5ASMCEFCompiledNormalizer, and F5ASMNormalizer that handle specific BIG-IP components independently.

  • Dashboard packages (LP_F5 Load Balancer v11_6, LP_BIGIP ASM, LP_F5 Load Balancer v11_4_1), which provide a graphical and interactive overview of BIG-IP activities, highlighting patterns including authentication events, user agent tracking, web application attacks, malware detection, traffic distribution, virtual server metrics, and security policy enforcement. They allow you to quickly spot unusual behavior, monitor compliance, and track operational changes over time.

  • Label packages (LP_F5 Load Balancer v11_4_1, LP_F5 Load Balancer) that provide relevant reference data for enrichment and correlation.
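As an added example (not Logpoint's own code and not the implementation of BigIPF5CompiledNormalizer or its CEF modules), the following Python parser shows the two steps the pipeline performs on a CEF-formatted ASM or AFM event: splitting the CEF header and extension into fields, then flattening them into a normalized record, including resolving CEF custom fields (cs1) through their cs1Label companions. The sample log line, the KEY_MAP field names and the function names are constructed for illustration.

```python
import re
# Constructed sample F5 ASM event in CEF format behind a syslog header (illustrative, not a real log).
SAMPLE_ASM_CEF = (
    "<134>Mar 3 10:15:02 bigip.example.internal CEF:0|F5|ASM|13.1.0|"
    "Illegal file type|Illegal file type|5|"
    "dvchost=bigip.example.internal dvc=10.0.0.5 src=203.0.113.7 spt=51234 "
    "dst=10.0.0.20 dpt=443 requestMethod=GET request=/admin/config.bak?id\\=7 "
    "act=blocked cs1=policy_web cs1Label=policy_name "
    "msg=Requested file type bak is not allowed"
)
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# Assumed mapping from standard CEF keys to flat names in the normalized record.
KEY_MAP = {"src": "source_address", "spt": "source_port", "dst": "destination_address",
           "dpt": "destination_port", "dvc": "device_ip", "dvchost": "device_name",
           "act": "action", "msg": "message", "request": "url", "requestMethod": "request_method"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # a key starts at line start or after a space

def _unescape(text):
    # CEF escapes "|" (header) and "=" (extension) with a backslash; "\\" is a literal backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)

def parse_cef(line):
    """Return (header, extension) for one CEF record; any syslog prefix before 'CEF:' is dropped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = re.split(r"(?<!\\)\|", line[start:].strip(), maxsplit=7)  # split on unescaped pipes
    if len(parts) != 8:
        raise ValueError("CEF header must have seven fields before the extension")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    # Extension values may contain spaces (e.g. msg=...), so a value runs from one "key=" to the next.
    matches = list(_KEY_RE.finditer(parts[7]))
    extension = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(parts[7])
        extension[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    return header, extension

def normalize(line):
    """Flatten one event: rename standard keys and resolve csN/cnN fields via their Label keys."""
    header, extension = parse_cef(line)
    record = dict(header)
    for key, value in extension.items():
        if re.fullmatch(r"(cs|cn)\d+Label", key):
            continue  # a Label key only names its sibling custom field
        label = extension.get(key + "Label")  # e.g. cs1Label=policy_name names cs1
        record[label or KEY_MAP.get(key, key)] = value
    return record
```

Values are kept as strings; converting ports or severities to numbers, and mapping to Logpoint's actual taxonomy, is left to the real normalizer.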

Supported Events

  • BIG-IP versions and products:

    • BIG-IP v11.x.x

    • BIG-IP v12.x.x

    • BIG-IP v13.x.x

    • F5 ASM (Application Security Manager)

    • F5 Load Balancer

  • BIG-IP log types:

    • Load Balancer Events: Virtual server traffic, client connections, server status, traffic distribution, content type routing, request/response handling

    • Application Security Manager (ASM) Events: Web application attacks, threat detection, security policy violations, malware scanning, attack geolocation, vulnerability exploitation

    • Access Policy Manager (APM) Events: User authentication, session management, device tracking, access policy enforcement, failed login attempts

    • Advanced Firewall Manager (AFM) Events: Network security, connection resets, TCP/UDP traffic, firewall policy enforcement

    • Local Traffic Manager (LTM) Events: HTTP requests, connection handling, virtual server metrics, pool member status

    • HTTP Status Events: Client errors (4xx), server errors (5xx), successful requests (2xx), redirects (3xx)

    • System Events: Process management, file access, system settings, audit logging
