Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Storage format reference for the Splunk Add-on for F5 BIG-IP

If you use the Splunk Add-on for F5 BIG-IP to collect data from ASM, you need to set up a Logging Profile and configure a storage format that matches your version of F5 BIG-IP, as described in Prepare F5 servers to connect to the Splunk platform.

Splunk has three predefined storage formats for the three different versions of F5 BIG-IP.

Storage format for F5 BIG-IP 11.6.0 - 12.0.0:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"

Storage format for F5 BIG-IP 11.1.0 - 11.5.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class%",ip_addr_intelli="%ip_reputation%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"

Storage format for F5 BIG-IP 10.1.x:

f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%",x_fwd_hdr_val="%x_forwarded_for_header_value%"

You can use these storage format definitions as they are. The table below describes how the original message names in F5 BIG-IP map to field names in the Splunk platform. This mapping is designed to minimize the storage format length due to limits in the BIG-IP configuration. Not all message names are included in the predefined storage formats due to F5's storage format length limitation. Change the storage format in F5 BIG-IP if you want to get more messages.

| Format String Version | Field Name in Splunk | Message Name in F5 BIG-IP | Description |
|---|---|---|---|
| v11.6, v11.1, v10.1 | attack_type | attack_type | Comma-separated list of names of suspected attacks identified in a transaction. Available in BIG-IP 10.1.0 and later. |
| v11.6, v11.1, v10.1 | date_time | date_time | The date and time information reported in the following format: YYYY-MM-DD HH:MM:SS. This is the same format that is used in the Request page within the Configuration utility. Available in BIG-IP 10.0.0 and later. |
| v11.6, v11.1, v10.1 | dest_ip | dest_ip | IP address of the virtual server. Available in BIG-IP 10.1.0 and later. |
| v11.6, v11.1, v10.1 | dest_port | dest_port | The port used on the BIG-IP ASM local virtual server. Available in BIG-IP 10.1.0 and later. |
| v11.6, v11.1, v10.1 | geo_info | geo_location | A string indicating the geographic location from which the request originated. Available in BIG-IP 10.1.0 and later. |
| v11.6, v11.1, v10.1 | headers | headers | Request headers. This option is removed if the request option is selected because the request option automatically includes the request headers. |
| v11.6, v11.1 | http_class | http_class_name | The http_class_name option returns the name of the virtual server the security policy is attached to in BIG-IP 11.3.0 and later. In BIG-IP 11.1.0 through 11.2.1, this option provides the name of the http_class profile the security policy is attached to. |
| v11.6, v11.1 | ip_addr_intelli | ip_address_intelligence / ip_reputation | Logs the IP Intelligence information for the requesting client's IP address. Requires an active IPI subscription for meaningful results. Available in BIG-IP 11.2.0 through 11.2.1 as ip_reputation. In BIG-IP 11.3.0 and later, it is renamed as ip_address_intelligence. |
| v11.6, v11.1 | ip_client | ip_client | Source IP of the client originating the request (Note: if a proxy is being used, this may differ from the IP in the X-forwarded-for header). Available in BIG-IP 10.2.0 and later. |
| v11.6, v11.1 | ip_route_domain | ip_with_route_domain | Source IP of the client originating the request with the Route Domain suffix appended. Available in BIG-IP 11.1.0 and later. |
| v11.6 | is_trunct | is_truncated | Returns truncated if a request is truncated in ASM's logging. Available in BIG-IP 11.6.0 and later. |
| v11.6, v11.1, v10.1 | manage_ip_addr | management_ip_address | This option logs the BIG-IP ASM management IP address. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server; available in BIG-IP 9.4.5 and later. |
| v11.6, v11.1, v10.1 | method | method | The method of request. For example, GET, POST, HEAD. |
| v11.6, v11.1, v10.1 | policy_apply_date | policy_apply_date | The date the BIG-IP ASM policy was applied. This option is useful for tracking policy changes; available in BIG-IP 9.4.5 and later. |
| v11.6, v11.1, v10.1 | policy_name | policy_name | The name of the BIG-IP ASM policy for which the violation was triggered; available in BIG-IP 9.4.5 and later. |
| v11.6, v11.1, v10.1 | protocol | protocol | The protocol used, HTTP or HTTPS if terminating SSL on the BIG-IP ASM. |
| v11.6, v11.1, v10.1 | query_str | query_string | The query string or query parameters found at the end of the URI. |
| v11.6, v11.1, v10.1 | req | request | The entire request including headers, query string, and data. When this option is selected, the headers option is removed from this list as it is automatically included. |
| v11.6, v11.1, v10.1 | req_status | request_status | The status of the client request made to the Web Application, as assigned by the BIG-IP ASM. The possible values reported by this option are the following: blocked - The request was blocked due to a violation encountered. A blocking response page was returned to the client. alerted - The request contains violations but is not blocked (typical in cases where the enforcement mode is set to transparent). passed - Successful request with no violations. This option replaces the request_blocked option, available in BIG-IP 10.0.0 and later. |
| v11.6, v11.1 | resp | response | Returns the full response from the web server. If using UDP logging, a large response may be truncated, and any remote logging fields specified after the response option will not be present in the data sent to the remote logging server. Response Logging must be Enabled or this will return an empty string. Available in BIG-IP 11.1.0 and later. |
| v11.6, v11.1, v10.1 | resp_code | response_code | The response code returned by the server. |
| v11.6, v11.1 | route_domain | route_domain | Returns the Route Domain the Client IP is requesting in. Available in BIG-IP 11.1.0 and later. |
| v11.6, v11.1 | session_id | session_id | Returns the Session Identification Number of the request. This is a number internally assigned to all sessions for violation collation by the BIG-IP ASM. Available in BIG-IP 11.1.0 and later. |
| v11.6, v11.1, v10.1 | severity | severity | The severity level of the detected violation. |
| v11.6, v11.1, v10.1 | sig_ids | sig_ids | Signature ID value of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
| v11.6, v11.1, v10.1 | sig_names | sig_names | Signature name of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
| v11.6, v11.1, v10.1 | src_port | src_port | The source port of the client. Available in BIG-IP 10.1.0 and later. |
| v11.6, v11.1 | sub_violations | sub_violations | Refers to the sub-violations detected under the 'HTTP protocol compliance failed' and the 'Evasion technique detected' violations. Available in BIG-IP 10.2.0 and later. |
| v11.6, v11.1, v10.1 | support_id | support_id | The support ID is reported when a violation is triggered; available in BIG-IP 9.4.5 and later. |
| v11.6, v11.1, v10.1 | unit_host | unit_hostname | The hostname of the BIG-IP ASM. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server; available in BIG-IP 9.4.5 and later. |
| v11.6, v11.1, v10.1 | uri | uri | The URI or Uniform Resource Identifier of the request. |
| v11.6, v11.1 | username | username | Displays the username that sent the request, if a username is associated with the session. Displays N/A if the username is not available to the system. Available in BIG-IP 11.1.0 and later. |
| v11.1, v10.1 | violations | violations | Any violation that occurs due to a client's request. |
| v11.6, v11.1 | violation_details | violation_details | In version 10.2.x specifies the virus found in conjunction with the 'Virus detected' violation. In version 11.x specifies complete violation details in XML. |
| v11.6 | violate_rate | violation_rating | Returns the Severity Rating for any violations logged. Available in BIG-IP 11.6.0 and later. |
| v11.6, v11.1 | virus_name | virus_name | Specifies the virus found in conjunction with the 'Virus detected' violation. Available in BIG-IP 11.0.0 and later. |
| N/A | web_application_name | web_application_name | The name of the Web Application that handled the request. This option is no longer available beginning in BIG-IP 11.1.0. |
| v11.6, v11.1, v10.1 | x_fwd_hdr_val | x_forwarded_for_header_value | X-Forwarding header information. This option is commonly used when proxies are involved to track the originator of the request; available in BIG-IP 9.4.5 and later. |
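
The following added example (not part of the add-on or the original documentation) derives the Splunk-field to F5-message mapping from a storage format string and uses the template's field order to parse an event, reporting fields that never arrived, as happens when a large resp value is truncated over UDP. The template and both events are constructed and abbreviated; the function names are hypothetical.

```python
import re

# Constructed, abbreviated template in the same shape as the predefined formats.
TEMPLATE = ('f5_asm=Splunk-F5-ASM,ip_client=%ip_client%,'
            'req_status="%request_status%",resp="%response%",'
            'resp_code="%response_code%",uri="%uri%",violations="%violations%"')

# Constructed sample events: one complete, one cut off inside resp (UDP case).
FULL = ('f5_asm=Splunk-F5-ASM,ip_client=203.0.113.7,req_status="blocked",'
        'resp="",resp_code="0",uri="/login",'
        'violations="Attack signature detected"')
CUT = ('f5_asm=Splunk-F5-ASM,ip_client=203.0.113.7,req_status="alerted",'
       'resp="HTTP/1.1 200 OK, Content-Type: text/html <html><body>')


def template_fields(template):
    """Return [(splunk_field, f5_message_name, quoted)] in template order."""
    return [(key, msg, bool(quote))
            for key, quote, msg in re.findall(r'(\w+)=("?)%(\w+)%', template)]


def parse_event(line, fields):
    """Split an event on the template's key markers, in template order.

    Values such as headers, req and resp can contain commas and quotes, so
    the line is not split on ','. Returns (values, missing_fields).
    """
    found, missing, pos = [], [], 0
    for key, _msg, quoted in fields:
        marker = ',%s=%s' % (key, '"' if quoted else '')
        idx = line.find(marker, pos)
        if idx < 0:                      # field never arrived
            missing.append(key)
            continue
        pos = idx + len(marker)
        found.append((key, quoted, pos, idx))
    values = {}
    for i, (key, quoted, start, _idx) in enumerate(found):
        end = found[i + 1][3] if i + 1 < len(found) else len(line)
        raw = line[start:end]
        values[key] = raw[:-1] if quoted and raw.endswith('"') else raw
    return values, missing


if __name__ == '__main__':
    fields = template_fields(TEMPLATE)
    for event in (FULL, CUT):
        values, missing = parse_event(event, fields)
        print(values.get('req_status'), 'missing:', missing)
```

An event whose missing list starts right after resp is a candidate for the UDP truncation described in the resp row, and its violations and other trailing fields should be treated as absent rather than empty.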
Last modified on 03 September, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

