BIG-IP Log Reference

Log Samples

Learn what raw BIG-IP events look like before they're processed in Logpoint:

F5 ASM Reporting Server Format

<134>Nov 25 13:05:37 XXXXXX.XXXXXX.XXX ASM:unit_hostname="XXXXXX.XXXXXX.XXX",management_ip_address="XXX.XXX.XX.XXX",http_class_name="/Common/Internal",web_application_name="/Common/Internal",policy_name="/Common/Internal",policy_apply_date="2019-11-25 08:59:54",violations="",support_id="XXXXXXXXXXXXXXXXXXXXX",request_status="passed",response_code="XXX",ip_client="XXX.XX.XX.XX",route_domain="X",method="GET",protocol="HTTPS",query_string="...",x_forwarded_for_header_value="XXX.XX.XX.XX",sig_ids="",sig_names="",date_time="2019-11-25 13:05:37",severity="Informational",attack_type="",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="XXXXXXXXXXXXXXXXXX",src_port="XXXXXX",dest_port="XXXX",dest_ip="XXX.XXX.XX.XX",sub_violations="",virus_name="N/A",violation_rating="0",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",blocking_exception_reason="N/A",captcha_result="not_received",uri="/XXXXXX.legacy/dcdocumentretrieveext.asp"

F5 ASM CEF Format

<131>Nov 25 16:50:28 logpoint.com ASM:CEF:0|F5|ASM|13.1.1|Illegal URL|Illegal URL|5|dvchost=logpoint.com dvc=XX.XX.XX.XX cs1=/Common/asm_policy_logpoint.com cs1Label=policy_name cs2=/Common/asm_policy_logpoint.com cs2Label=http_class_name deviceCustomDate1=Nov 25 2019 14:50:21 deviceCustomDate1Label=policy_apply_date externalId=XXXXXXXXXXXXXXXXXXXX act=alerted cn1=XXX cn1Label=response_code src=XX.X.XXX.XXX spt=XXXXX dst=XX.XX.XX.XXX dpt=XXX requestMethod=GET app=HTTPS cs5=XX.X.XXX.XXX, XX.X.XXX.XXX cs5Label=x_forwarded_for_header_value rt=Nov 25 2019 16:50:27 deviceExternalId=0 cs4=Forceful Browsing cs4Label=attack_type cs6=TR cs6Label=geo_location
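As an added example (not Logpoint's normalizer and not F5 code), a small Python parser for the two ASM formats above, run on constructed sample lines with placeholder hosts and addresses. It shows the two details a normalizer has to get right: commas inside quoted Reporting Server values, and CEF custom fields (csN/cnN) that only receive their real name from the companion csNLabel.

```python
import re

# Constructed sample events shaped like the two ASM formats above (hosts/IPs are placeholders)
ASM_KV = ('<134>Nov 25 13:05:37 bigip01 ASM:unit_hostname="bigip01",'
          'policy_name="/Common/Internal",violations="",request_status="passed",'
          'response_code="200",ip_client="10.0.0.5",method="GET",'
          'query_string="a=1,b=2",attack_type="",violation_rating="0",uri="/x.asp"')
ASM_CEF = ('<131>Nov 25 16:50:28 bigip01 ASM:CEF:0|F5|ASM|13.1.1|Illegal URL|Illegal URL|5|'
           'dvchost=bigip01 cs1=/Common/asm_policy cs1Label=policy_name act=alerted '
           'cn1=403 cn1Label=response_code src=10.1.1.9 requestMethod=GET '
           'cs5=10.1.1.9, 10.1.1.10 cs5Label=x_forwarded_for_header_value '
           'cs4=Forceful Browsing cs4Label=attack_type cs6=TR cs6Label=geo_location')

SYSLOG = re.compile(r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ASM:(?P<body>.*)$')
CEF_HEADER = ('cef_version', 'vendor', 'product', 'version', 'sig_id', 'name', 'cef_severity')

def _syslog_prefix(line):
    m = SYSLOG.match(line)
    if not m:
        raise ValueError('not an ASM syslog line')
    return m, {k: m.group(k) for k in ('pri', 'ts', 'host')}

def parse_asm_kv(line):
    """Reporting Server format: key="value" pairs. Matching quoted values with a regex
    keeps commas inside a value (query_string, sig_names) from being read as separators."""
    m, ev = _syslog_prefix(line)
    ev.update(re.findall(r'(\w+)="([^"]*)"', m.group('body')))
    return ev

def parse_asm_cef(line):
    """CEF format: seven pipe-separated header fields, then key=value extensions in which
    a value may contain spaces (cs4) or commas (cs5); CEF escapes a literal '=' as '\\='."""
    m, ev = _syslog_prefix(line)
    hdr = m.group('body').split('|', 7)
    ev.update(zip(CEF_HEADER, hdr[:7]))
    # Only a space followed by the next key= ends a value
    ext = dict(tok.split('=', 1) for tok in re.split(r' (?=\w+=)', hdr[7]))
    for key, val in ext.items():
        if key.endswith('Label'):            # csNLabel names the field carried in csN
            ev[val] = ext.get(key[:-5], '')
        elif not re.fullmatch(r'c[sn]\d+', key):
            ev[key] = val
    return ev

def normalize(line):
    """Fields a SIEM rule would key on, whichever ASM format produced the event."""
    is_cef = line.split('ASM:', 1)[1].startswith('CEF:')
    ev = parse_asm_cef(line) if is_cef else parse_asm_kv(line)
    xff = ev.get('x_forwarded_for_header_value', '')
    return {'host': ev['host'], 'policy_name': ev.get('policy_name'),
            'response_code': ev.get('response_code'), 'attack_type': ev.get('attack_type') or None,
            'action': ev.get('request_status') or ev.get('act'),   # passed/blocked vs. alerted
            'client_chain': [ip.strip() for ip in xff.split(',') if ip.strip()]}
```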

F5 WAF (Web Application Firewall)

Jul 12 13:12:49 WAFLOGPOINT001 err tmm1[17208]: 01230140:3: RST sent from xxx.xxx.xxx.xxx:xxxxx to xxx.xxx.x.xx:xx,[0x299e18a:2598] {peer} TCP RST from remote system

F5 LTM (Local Traffic Manager)

[16/Jun/2020:08:59:23 +0200] REQUEST -> CLIENT = 1.1.1.1:1000, VS_NAME = /xxxx-xxxx-xxxx/xxxx-xxxx-xxxx_xxxxx.xxx.xxxxxxx.xxx_https, VIP = 1.1.1.1:xxx, HTTP_VERSION = HTTP/1.1, HTTP_METHOD = POST, HTTP_KEEPALIVE = Y, HTTP_PATH = /auth/oauth/check_token, HTTP_QUERY = , HTTP_REQUEST = POST /auth/oauth/check_token HTTP/1.1, HTTP_URI = /auth/oauth/check_token

F5 BIG-IP Access Policy Manager (APM)

<13>Sep 1 05:01:20 abc Sep 1 05:01:20 abc run-parts(/etc/cron.hourly)[22380]: finished iprepd_logrotate

Log Source Labels

Learn how BIG-IP events are given their own labels in Logpoint.

LP_F5 Load Balancer v11_4_1 Labels

HTTP Status Code Labels:

Label | Description
Server,Error,Network,Authentication,Require | Events with the 511 server status.
Server,Error,HTTP,Version,Not,Support | Events with the 505 server status.
Server,Error,Gateway,Timeout | Events with the 504 server status.
Server,Error,Service,Unavailable | Events with the 503 server status.
Server,Error,Bad,Gateway | Events with the 502 server status.
Internal,Server,Error | Events with the 500 server status.
Client,Error,Expectation,Fail | Events with the 416 server status.
Client,Error,Media,Type,Not,Support | Events with the 415 server status.
Client,Error,Request,URL,Too,Long | Events with the 414 server status.
Client,Error,Precondition,Fail | Events with the 412 server status.
Client,Error,Length,Require | Events with the 411 server status.
Client,Error,Conflict | Events with the 409 server status.
Client,Error,Request,Timeout | Events with the 408 server status.
Client,Error,Proxy,Authentication,Require | Events with the 407 server status.
Client,Error,Not,Accept | Events with the 406 server status.
Client,Error,Method,Not,Allow | Events with the 405 server status.
Client,Error,Not,Find | Events with the 404 server status.
Client,Error,Forbidden | Events with the 403 server status.
Client,Error,Authorization,Fail | Events with the 401 server status.
Client,Error,Bad,Request | Events with the 400 server status.
Permanent,Redirect | Events with the 308 server status.
Temporary,Redirect | Events with the 307 server status.
Unused,Response,Code | Events with the 306 server status.
Use,Proxy | Events with the 305 server status.
Cache,Not,Modify | Events with the 304 server status.
Redirect,Other,URL | Events with the 303 server status.
Request,Resource,Not,Change | Events with the 302 server status.
Request,Resource,Change | Events with the 301 server status.
Multiple,Choice | Events with the 300 server status.
Partial,Content | Events with the 206 server status.
Reset,Content | Events with the 205 server status.
Empty,Content | Events with the 204 server status.
Not,Authoritative,Information | Events with the 203 server status.
Successful,Response,Create | Events with the 201 server status.
Request,Successful | Events with the 200 server status.

LP_F5 Load Balancer Labels

User Management and Audit Labels:

Label | Description
User,Create,Successful | Events with the create action, the Command Ok status and the userdb_entry string in the raw log.
Delete,User,Successful | Events with the obj_delete action, the Command Ok status and the userdb_entry string in the raw log.
Create,User,Role,Successful | Events with the create action, the Command Ok status and the user_role_partition string.
Change,Audit,Service,Stop,Successful | Events with the modify action, the Command Ok status and the db_variable string, where db_variable_name matches config*auditing and db_variable_value is disable in the raw log.
Change,Audit,Service,Start,Successful | Events with the modify action, the Command Ok status and the db_variable string, where db_variable_name matches config*auditing and db_variable_value is enable in the raw log.
Modify,Audit,Setting,Successful | Events with the modify action, the Command Ok status and the db_variable string, where db_variable_name matches config*auditing and db_variable_value is verbose in the raw log.
Change,User,Successful | Events with the modify action, the Command Ok status and the userdb_entry string in all values of -userdb_entry_passwd in the raw log.
Change,User,Password,Successful | Events with the modify action, the Command Ok status and the userdb_entry string in all values of userdb_entry_passwd in the raw log.
Delete,User,Role,Successful | Events with the obj_delete action, the Command Ok status and the user_role_partition string in all values of user_role_partition_partition in the raw log.
