F5

Integration of F5 logs into XpoLog.

Prerequisites:

  A. Open the relevant ports (TCP\UDP) on the XpoLog machine.
  B. Create a syslog listener on the listeners tab in XpoLog that will listen and collect the log from the F5 machine.

F5 Configurations:

Configure F5 to send logs over Syslog to XpoLog defined listener

System Log - 

    I. For the syslog of the F5 log, set the logTypes of the syslog to ‘syslog,f5,audit’.

    II. Apply the following pattern on the log (default pattern):

XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{block,start,emptiness=true}{text} {text:Process,ftype=eventSource;,}:{block,end,emptiness=true}{regexp:User,ftype=username;refName=Message,user=(\S+)}{regexp:Partition,refName=Message,partition=(\S+)}{regexp:Level,refName=Message,level=(\S+)}{regexp:tty,refName=Message,tty=(\S+)}{regexp:host,ftype=sourceip;refName=Message,host=(\S+)}{regexp:attempts,ftype=loginAttempts;refName=Message,attempts=(\S+)}{regexp:pid,refName=Message,pid=(\S+)}{regexp:folder,refName=Message,folder=(\S+)}{regexp:status,ftype=status;refName=Message,(Command OK |Syntax Error)}{regexp:Error,ftype=message;refName=Message,Syntax Error: ([^/]]*)}{regexp:cmd_data,ftype=eventName;refName=Message,cmd_data=(\S+)}{regexp:start,ftype=loginStart;refName=Message,start="([^"]*)}{regexp:end,ftype=loginEnd;refName=Message,end="([^"]*)}{string:Message}

For more information about the system log fields, see below the format Conversion Table: