Storage format reference for the Splunk Add-on for F5 BIG-IP
If you use the Splunk Add-on for F5 BIG-IP to collect data from ASM, you need to set up a Logging Profile and configure a storage format that matches your version of F5 BIG-IP, as described in Prepare F5 servers to connect to the Splunk platform.
Splunk provides three predefined storage formats, one for each supported version range of F5 BIG-IP.

Storage format for F5 BIG-IP 11.6.0 - 12.0.0:

```
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
```

Storage format for F5 BIG-IP 11.1.0 - 11.5.x:

```
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class%",ip_addr_intelli="%ip_reputation%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
```

Storage format for F5 BIG-IP 10.1.x:

```
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
```
You can use these storage format definitions as they are. The table below describes how the original message names in F5 BIG-IP map to field names in the Splunk platform. The short Splunk field names keep the storage format within the length limit of the BIG-IP configuration; for the same reason, not every message name is included in the predefined storage formats. Edit the storage format in F5 BIG-IP if you want to collect additional message names.
| Format String Version | Field Name in Splunk | Message Name in F5 BIG-IP | Description |
|---|---|---|---|
| v11.6 v11.1 v10.1 | attack_type | attack_type | Comma-separated list of the names of suspected attacks identified in a transaction. Available in BIG-IP 10.1.0 and later. |
| v11.6 v11.1 v10.1 | date_time | date_time | The date and time, reported as YYYY-MM-DD HH:MM:SS. This is the same format used on the Request page in the Configuration utility. Available in BIG-IP 10.0.0 and later. |
| v11.6 v11.1 v10.1 | dest_ip | dest_ip | IP address of the virtual server. Available in BIG-IP 10.1.0 and later. |
| v11.6 v11.1 v10.1 | dest_port | dest_port | The port used on the BIG-IP ASM local virtual server. Available in BIG-IP 10.1.0 and later. |
| v11.6 v11.1 v10.1 | geo_info | geo_location | A string indicating the geographic location from which the request originated. Available in BIG-IP 10.1.0 and later. |
| v11.6 v11.1 v10.1 | headers | headers | Request headers. This option is removed if the request option is selected, because the request option automatically includes the request headers. |
| v11.6 v11.1 | http_class | http_class_name / http_class | In BIG-IP 11.3.0 and later, the http_class_name option returns the name of the virtual server the security policy is attached to. In BIG-IP 11.1.0 through 11.2.1, the http_class option returns the name of the http_class profile the security policy is attached to. |
| v11.6 v11.1 | ip_addr_intelli | ip_address_intelligence / ip_reputation | Logs the IP Intelligence information for the requesting client's IP address. Requires an active IPI subscription for meaningful results. Available in BIG-IP 11.2.0 through 11.2.1 as ip_reputation; in BIG-IP 11.3.0 and later it is renamed ip_address_intelligence. |
| v11.6 v11.1 | ip_client | ip_client | Source IP of the client originating the request. Note: if a proxy is in use, this may differ from the IP in the X-Forwarded-For header. Available in BIG-IP 10.2.0 and later. |
| v11.6 v11.1 | ip_route_domain | ip_with_route_domain | Source IP of the client originating the request, with the Route Domain suffix appended. Available in BIG-IP 11.1.0 and later. |
| v11.6 | is_trunct | is_truncated | Returns truncated if the request was truncated in the ASM log. Available in BIG-IP 11.6.0 and later. |
| v11.6 v11.1 v10.1 | manage_ip_addr | management_ip_address | Logs the BIG-IP ASM management IP address. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server. Available in BIG-IP 9.4.5 and later. |
| v11.6 v11.1 v10.1 | method | method | The method of the request. For example, GET, POST, HEAD. |
| v11.6 v11.1 v10.1 | policy_apply_date | policy_apply_date | The date the BIG-IP ASM policy was applied. This option is useful for tracking policy changes. Available in BIG-IP 9.4.5 and later. |
| v11.6 v11.1 v10.1 | policy_name | policy_name | The name of the BIG-IP ASM policy for which the violation was triggered. Available in BIG-IP 9.4.5 and later. |
| v11.6 v11.1 v10.1 | protocol | protocol | The protocol used: HTTP, or HTTPS if SSL is terminated on the BIG-IP ASM. |
| v11.6 v11.1 v10.1 | query_str | query_string | The query string or query parameters found at the end of the URI. |
| v11.6 v11.1 v10.1 | req | request | The entire request, including headers, query string, and data. When this option is selected, the headers option is removed from the list because it is automatically included. |
| v11.6 v11.1 v10.1 | req_status | request_status | The status of the client request to the web application, as assigned by BIG-IP ASM. Possible values: blocked (the request was blocked because of a violation, and a blocking response page was returned to the client); alerted (the request contained violations but was not blocked, which is typical when the enforcement mode is transparent); passed (the request succeeded with no violations). This option replaces the request_blocked option. Available in BIG-IP 10.0.0 and later. |
| v11.6 v11.1 | resp | response | Returns the full response from the web server. If using UDP logging, a large response may be truncated, and any remote logging fields specified after the response option will not be present in the data sent to the remote logging server. Response Logging must be enabled or this returns an empty string. Available in BIG-IP 11.1.0 and later. |
| v11.6 v11.1 v10.1 | resp_code | response_code | The response code returned by the server. |
| v11.6 v11.1 | route_domain | route_domain | Returns the Route Domain in which the client IP is making the request. Available in BIG-IP 11.1.0 and later. |
| v11.6 v11.1 | session_id | session_id | Returns the session identification number of the request. This number is assigned internally to all sessions by BIG-IP ASM for violation collation. Available in BIG-IP 11.1.0 and later. |
| v11.6 v11.1 v10.1 | severity | severity | The severity level of the detected violation. |
| v11.6 v11.1 v10.1 | sig_ids | sig_ids | Signature ID of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
| v11.6 v11.1 v10.1 | sig_names | sig_names | Signature name of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
| v11.6 v11.1 v10.1 | src_port | src_port | The source port of the client. Available in BIG-IP 10.1.0 and later. |
| v11.6 v11.1 | sub_violates | sub_violations | The sub-violations detected under the 'HTTP protocol compliance failed' and 'Evasion technique detected' violations. Available in BIG-IP 10.2.0 and later. |
| v11.6 v11.1 v10.1 | support_id | support_id | The support ID reported when a violation is triggered. Available in BIG-IP 9.4.5 and later. |
| v11.6 v11.1 v10.1 | unit_host | unit_hostname | The hostname of the BIG-IP ASM. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server. Available in BIG-IP 9.4.5 and later. |
| v11.6 v11.1 v10.1 | uri | uri | The URI (Uniform Resource Identifier) of the request. |
| v11.6 v11.1 | username | username | The username that sent the request, if a username is associated with the session. Displays N/A if the username is not available to the system. Available in BIG-IP 11.1.0 and later. |
| v11.6 v11.1 v10.1 | violations | violations | Any violations triggered by the client's request. |
| v11.6 v11.1 | violate_details | violation_details | In version 10.2.x, specifies the virus found in conjunction with the 'Virus detected' violation. In version 11.x, specifies the complete violation details in XML. |
| v11.6 | violate_rate | violation_rating | Returns the severity rating for any violations logged. Available in BIG-IP 11.6.0 and later. |
| v11.6 v11.1 | virus_name | virus_name | Specifies the virus found in conjunction with the 'Virus detected' violation. Available in BIG-IP 11.0.0 and later. |
| N/A | web_application_name | web_application_name | The name of the web application that handled the request. This option is no longer available beginning in BIG-IP 11.1.0. |
| v11.6 v11.1 v10.1 | x_fwd_hdr_val | x_forwarded_for_header_value | X-Forwarded-For header information. This option is commonly used when proxies are involved, to track the originator of the request. Available in BIG-IP 9.4.5 and later. |
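The parser below is an added example, not part of the add-on or of F5's own code: it reads an ASM event logged under the 11.6.0 - 12.0.0 storage format above, derives the Splunk-to-F5 field mapping by parsing the format string itself, and flags event keys that a given format does not define (the sign of a storage format that does not match the BIG-IP version). The sample event is constructed, and the parser assumes values contain no embedded double quotes.

```python
import re
from typing import Dict, Set

# Storage format for BIG-IP 11.6.0 - 12.0.0, copied from the add-on documentation above.
FORMAT_11_6 = (
    'f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,'
    'dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",'
    'ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",'
    'is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",'
    'policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",'
    'query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",'
    'resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",'
    'sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",'
    'support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",'
    'violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",'
    'virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"'
)

# Constructed sample event logged under FORMAT_11_6 (not a real capture). Quoted values
# may contain commas, so a naive line.split(",") would corrupt attack_type and headers.
SAMPLE_EVENT = (
    'f5_asm=Splunk-F5-ASM,attack_type="Cross Site Scripting (XSS),SQL-Injection",'
    'date_time="2024-01-15 10:23:45",dest_ip=10.0.0.5,dest_port=443,'
    'headers="Host: www.example.com, Accept: text/html,application/xhtml+xml",'
    'ip_client=192.0.2.10,is_trunct=false,method="GET",req_status="blocked",'
    'sig_ids="200000001,200000002",support_id="1234567890123456789",uri="/search"'
)

# One key=value pair: a quoted value runs to its closing quote (commas allowed inside),
# an unquoted value runs to the next comma. Assumption: values contain no literal '"'.
_PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)(?:,|$)')

def parse_asm_event(line: str) -> Dict[str, str]:
    """Parse one ASM remote-logging line into {splunk_field_name: value}."""
    fields, pos = {}, 0
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if m is None:
            raise ValueError(f"unparseable at offset {pos}: {line[pos:pos + 30]!r}")
        value = m.group(2)
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        fields[m.group(1)] = value[1:-1] if quoted else value
        pos = m.end()
    return fields

def field_map(storage_format: str) -> Dict[str, str]:
    """Splunk field name -> F5 message name, derived by parsing the format string itself."""
    return {k: v.strip("%") for k, v in parse_asm_event(storage_format).items() if k != "f5_asm"}

def unknown_fields(event: Dict[str, str], storage_format: str) -> Set[str]:
    """Event keys the format does not define: the logging profile does not match this format."""
    return set(event) - set(field_map(storage_format)) - {"f5_asm"}
```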