F5 Firewall Pack

This F5 Firewall pack allows parsing and structuring of syslog messages from F5 Networks ASM (Application Security Manager).

Edge Delta Pipeline Pack for F5 Firewall

Overview

The F5 Firewall pack parses and structures syslog messages from F5 BIG-IP ASM (Application Security Manager). The pipeline first extracts the syslog header fields with a Grok pattern and then parses the key-value pairs embedded in the message body, producing clean, structured telemetry. The structured output can be used for observability, alerting, and dashboarding of security- and traffic-related activity in F5 environments.

Pack Description

1. Parse Grok (Syslog Header Extraction)

This processor extracts the following syslog header fields: priority, timestamp, hostname, program name, and the raw message body.

Grok pattern used:

<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:syslog_hostname} %{WORD:syslog_program}:%{GREEDYDATA:message_body}

2. Parse Key-Value (Message Body Extraction)

This processor parses the message_body, which contains comma-separated key-value pairs in key="value" format. Because every value is double-quoted, a value may itself contain spaces (for example anomaly_attack_type="Distributed Attack") or be empty (management_ip_address_2="").

Example:

software_version="14.1.0",current_mitigation="alarm",...

These are converted into top-level attributes.

3. Delete Message Body

After all key-value pairs have been extracted, this processor removes the original message_body field so that the final record is not padded with a duplicate copy of the data it already carries as attributes.
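The three processors above, implemented end to end as an added Python example (this is not the pack's own code or an Edge Delta API; it is a stand-alone re-implementation). The header regex is a hand-translation of the Grok pattern, assuming the standard Grok definitions of INT, SYSLOGTIMESTAMP, HOSTNAME and WORD, and the key-value parser walks the body pair by pair so that a malformed pair is reported instead of being silently dropped. The sample line is constructed from a subset of the pairs in the Sample Log Input on this page; backslash-escaped quotes inside a value are an assumption, not something the page documents.

```python
import re

# Step 1: Grok header pattern, translated to a Python regex (assumption: standard
# Grok definitions, i.e. INT=\d+, SYSLOGTIMESTAMP="Mon dd HH:MM:SS", HOSTNAME, WORD).
SYSLOG_HEADER = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[A-Za-z0-9][A-Za-z0-9.-]*) "
    r"(?P<syslog_program>\w+):(?P<message_body>.*)$"
)

# One key="value" pair. The value may contain anything except an unescaped
# double quote, so spaces and commas inside quotes are preserved.
# Escaped quotes (\") are an assumption of this example, not documented behaviour.
KV_PAIR = re.compile(r'(?P<key>[A-Za-z0-9_]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Constructed sample line: a subset of the pairs from this page's Sample Log Input.
SAMPLE_LINE = (
    '<134>Jul 25 11:47:52 f5networks.asm.test ASM:software_version="14.1.0",'
    'current_mitigation="alarm",management_ip_address="10.192.138.11",'
    'management_ip_address_2="",policy_name="/Common/extranet_sonstige",'
    'vs_name="/Common/extranet-t.qradar.example.test_443",'
    'anomaly_attack_type="Distributed Attack",attack_status="ongoing",'
    'detection_mode="Number of Failed Logins Increased",severity="Emergency",'
    'attack_id="2508639270",detected_failed_logins="70",'
    'failed_logins_threshold="100",protocol="HTTPS",login_stress="73"'
)


def parse_kv(body):
    """Step 2: parse a comma-separated key="value" body into a dict.

    The body is consumed left to right; any text that is not a well-formed
    pair (or the comma between pairs) raises ValueError with its offset.
    """
    attrs = {}
    pos = 0
    while pos < len(body):
        m = KV_PAIR.match(body, pos)
        if not m:
            raise ValueError(f"malformed key-value pair at offset {pos}: {body[pos:pos + 30]!r}")
        attrs[m.group("key")] = m.group("value").replace('\\"', '"')
        pos = m.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}, found {body[pos]!r}")
            pos += 1  # skip the separator; a trailing comma is tolerated
    return attrs


def parse_f5_asm(line):
    """Run all three processors over one syslog line and return the record."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("line does not match the F5 ASM syslog header pattern")
    attrs = m.groupdict()
    body = attrs.pop("message_body")  # Step 3: message_body is not kept in the output
    for key, value in parse_kv(body).items():
        # Design choice of this example: header fields win on a name collision, so a
        # body pair named e.g. syslog_hostname cannot overwrite the transport-level value.
        attrs.setdefault(key, value)
    return {"attributes": attrs}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_f5_asm(SAMPLE_LINE), indent=2))
```

Running the module prints a record in the same shape as the Sample Output section. The setdefault on collision is a deliberate choice of this example: the header fields come from the syslog transport, the body pairs come from whatever was logged, and keeping the two from overwriting each other makes the provenance of each attribute unambiguous.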

Sample Log Input

<134>Jul 25 11:47:52 f5networks.asm.test ASM:software_version="14.1.0",current_mitigation="alarm",unit_hostname="f5networks.asm.test",management_ip_address="10.192.138.11",management_ip_address_2="",operation_mode="Transparent",date_time="2019-07-25 11:41:38",policy_apply_date="2019-07-23 15:24:21",policy_name="/Common/extranet_sonstige",vs_name="/Common/extranet-t.qradar.example.test_443",anomaly_attack_type="Distributed Attack",uri="/qradar.example.test",attack_status="ongoing",detection_mode="Number of Failed Logins Increased",severity="Emergency",mitigated_entity_name="username",mitigated_entity_value="exnyjtgk",mitigated_ipaddr_geo="N/A",attack_id="2508639270",mitigated_entity_failed_logins="0",mitigated_entity_failed_logins_threshold="3",mitigated_entity_total_mitigations="0",mitigated_entity_passed_challenges="0",mitigated_entity_passed_captchas="0",mitigated_entity_rejected_logins="0",leaked_username_login_attempts="0",leaked_username_failed_logins="0",leaked_username_time_of_last_login_attempt="2497667872",normal_failed_logins="78",detected_failed_logins="70",failed_logins_threshold="100",normal_login_attempts="91",detected_login_attempts="78",login_attempts_matching_leaked_credentials="0",total_mitigated_login_attempts="60",total_client_side_integrity_challenges="0",total_captcha_challenges="0",total_blocking_page_challenges="0",total_passed_client_side_integrity_challenges="0",total_passed_captcha_challenges="0",total_drops="0",total_successful_mitigations="0",protocol="HTTPS",login_attempts_matching_leaked_credentials_threshold="100",login_stress="73"

Sample Output (After Processing)

{
  "attributes": {
    "syslog_pri": "134",
    "syslog_timestamp": "Jul 25 11:47:52",
    "syslog_hostname": "f5networks.asm.test",
    "syslog_program": "ASM",
    "software_version": "14.1.0",
    "current_mitigation": "alarm",
    "unit_hostname": "f5networks.asm.test",
    "management_ip_address": "10.192.138.11",
    "management_ip_address_2": "",
    "operation_mode": "Transparent",
    "date_time": "2019-07-25 11:41:38",
    "policy_apply_date": "2019-07-23 15:24:21",
    "policy_name": "/Common/extranet_sonstige",
    "vs_name": "/Common/extranet-t.qradar.example.test_443",
    "anomaly_attack_type": "Distributed Attack",
    "uri": "/qradar.example.test",
    "attack_status": "ongoing",
    "detection_mode": "Number of Failed Logins Increased",
    "severity": "Emergency",
    "mitigated_entity_name": "username",
    "mitigated_entity_value": "exnyjtgk",
    "mitigated_ipaddr_geo": "N/A",
    "attack_id": "2508639270",
    "mitigated_entity_failed_logins": "0",
    "mitigated_entity_failed_logins_threshold": "3",
    "mitigated_entity_total_mitigations": "0",
    "mitigated_entity_passed_challenges": "0",
    "mitigated_entity_passed_captchas": "0",
    "mitigated_entity_rejected_logins": "0",
    "leaked_username_login_attempts": "0",
    "leaked_username_failed_logins": "0",
    "leaked_username_time_of_last_login_attempt": "2497667872",
    "normal_failed_logins": "78",
    "detected_failed_logins": "70",
    "failed_logins_threshold": "100",
    "normal_login_attempts": "91",
    "detected_login_attempts": "78",
    "login_attempts_matching_leaked_credentials": "0",
    "total_mitigated_login_attempts": "60",
    "total_client_side_integrity_challenges": "0",
    "total_captcha_challenges": "0",
    "total_blocking_page_challenges": "0",
    "total_passed_client_side_integrity_challenges": "0",
    "total_passed_captcha_challenges": "0",
    "total_drops": "0",
    "total_successful_mitigations": "0",
    "protocol": "HTTPS",
    "login_attempts_matching_leaked_credentials_threshold": "100",
    "login_stress": "73"
  }
}

Use Cases

  • Alerting based on severity or attack_status
  • Tracking login anomalies such as brute force attacks
  • Visualizing traffic trends by uri, vs_name, and protocol
  • Monitoring mitigation effectiveness and entity-specific metrics
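The alerting and login-anomaly use cases above, as an added example of rules evaluated over one structured record (this is not Edge Delta alerting configuration; it is a stand-alone Python illustration). The sample attributes are a subset of the Sample Output on this page. Two things the rules have to cope with are visible in that output: every value is a string, including the counters, and fields such as mitigated_ipaddr_geo carry "N/A" rather than a number, so a safe integer coercion is needed before any threshold comparison. The set of high severities and the login_stress threshold are assumptions of this example, not values documented on the page.

```python
# Subset of the structured record from this page's Sample Output (constructed).
SAMPLE_ATTRS = {
    "severity": "Emergency",
    "attack_status": "ongoing",
    "anomaly_attack_type": "Distributed Attack",
    "detection_mode": "Number of Failed Logins Increased",
    "vs_name": "/Common/extranet-t.qradar.example.test_443",
    "uri": "/qradar.example.test",
    "protocol": "HTTPS",
    "mitigated_ipaddr_geo": "N/A",
    "normal_failed_logins": "78",
    "detected_failed_logins": "70",
    "failed_logins_threshold": "100",
    "mitigated_entity_failed_logins": "0",
    "mitigated_entity_failed_logins_threshold": "3",
    "total_mitigated_login_attempts": "60",
    "total_successful_mitigations": "0",
    "login_stress": "73",
}

# Assumption: F5 ASM severity names follow the syslog levels, so these three are the top.
HIGH_SEVERITY = {"Emergency", "Alert", "Critical"}
# Assumption: tunable threshold for the ASM login_stress indicator (0-100 scale assumed).
LOGIN_STRESS_THRESHOLD = 70


def to_int(attrs, key, default=0):
    """Coerce a string counter to int; blanks, missing keys and "N/A" become default."""
    try:
        return int(attrs.get(key, default))
    except (TypeError, ValueError):
        return default


def evaluate_alerts(attrs):
    """Return a list of (rule_name, detail) pairs that fire for one record."""
    alerts = []

    # Use case 1: alert on severity / attack_status.
    if attrs.get("severity") in HIGH_SEVERITY and attrs.get("attack_status") == "ongoing":
        alerts.append(("ongoing_high_severity",
                       f"{attrs.get('severity')} {attrs.get('anomaly_attack_type', 'event')} "
                       f"ongoing on {attrs.get('vs_name', '?')}"))

    # Use case 2: brute-force tracking, at the virtual-server and at the entity level.
    detected = to_int(attrs, "detected_failed_logins")
    threshold = to_int(attrs, "failed_logins_threshold")
    entity_failed = to_int(attrs, "mitigated_entity_failed_logins")
    entity_threshold = to_int(attrs, "mitigated_entity_failed_logins_threshold")
    if (threshold and detected >= threshold) or (entity_threshold and entity_failed >= entity_threshold):
        alerts.append(("brute_force_threshold",
                       f"failed logins {detected}/{threshold}, entity {entity_failed}/{entity_threshold}"))
    if to_int(attrs, "login_stress") >= LOGIN_STRESS_THRESHOLD:
        alerts.append(("login_stress_high", f"login_stress={attrs.get('login_stress')}"))

    # Use case 4: mitigation effectiveness. Attempts with no successes deserve a look.
    attempted = to_int(attrs, "total_mitigated_login_attempts")
    succeeded = to_int(attrs, "total_successful_mitigations")
    if attempted and succeeded == 0:
        alerts.append(("mitigation_ineffective",
                       f"{attempted} mitigated login attempts, 0 successful mitigations"))
    return alerts


if __name__ == "__main__":
    for name, detail in evaluate_alerts(SAMPLE_ATTRS):
        print(f"[{name}] {detail}")
```

With the page's sample record, the severity rule, the login-stress rule and the mitigation-effectiveness rule fire, while the brute-force rule does not: 70 detected failed logins is below the 100 threshold and the entity counter is 0 of 3. Whether that is the intended outcome is a tuning question; the point of the example is that thresholds must be compared as integers after coercion, not as the strings the pack emits.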
