Did you try to configure the F5 data sources as syslog devices? I saw that all available F5 data sources have an "(ASP)" suffix in their names, so it should work with normal syslog.
I tried to configure the F5 devices as syslog and I am receiving only logs related to the appliance. Nothing related to the F5 ASM (traffic logs) is being detected. Then, under data source properties, I enabled "Support Generic Syslog". After enabling this option I was able to see the ASM traffic log messages, but as generic syslog. I think the ASP rule for traffic messages isn't able to parse the messages.
On further comparison at the rule level ("F5_ASM Violation/Successful Request Messages") with the traffic log that I am getting, it looks like the parser might have been built for the 10.x version of ASM, as we are using the latest version, i.e. 11.x, and the PCRE doesn't match the sample log format that F5 is generating for this particular message.
Nearly 3 years later, I'm having this exact problem. It seems improbable to me that the log samples wouldn't have been updated, which implies this isn't the answer to the problem; surely I've got something misconfigured here?
F5 appliance with the ASM license is: BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4
SIEM is: McAfee ESM 9.5.0 MR7 20150908
When configuring the logging profile on the F5, it gives a "storage format" option with a list of fields to send and an optional delimiter to define. I selected all fields and left the default (comma) delimiter; is it possible that's not what the parsing rule on the SIEM is expecting?
On the SIEM in the data source properties, I've selected "BIG-IP Application Security Manager - CEF (ASP)" as the data source model, and "default" as the data format. Is it possible to see somewhere a list of what McAfee used as the "default" format in this data source model, to make sure the output selected on the F5 matches it?
You set the delimiter to comma in the F5 settings, but the SIEM expects the delimiter to be in CEF format [ (|) / (Pipe) ]. If you are not sure about the format, then set this configuration to "Support generic syslog" on "Log unknown syslog event". Now the SIEM logs all logs from the F5: logs that can be parsed and logs that can't be parsed.
The default is the format you chose here, CEF, because you set this to the default.
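As an added illustration of the delimiter point above (this is not code from the thread, from F5 or from McAfee): a small CEF parser in the spirit of a SIEM parsing rule, run over two constructed sample lines, one in CEF and one comma-delimited as the F5 logging profile emits it by default. The vendor/product strings, field names and values in the samples are made up for the demo; the real ESM rule's regex is not shown on this page.

```python
import re

# Constructed sample lines (not captured from a real F5 or ESM). The first is what a
# CEF-based rule expects; the second is a comma-delimited logging-profile line.
SAMPLE_CEF = (
    "CEF:0|F5|ASM|11.6.0|Successful Request|Successful Request|3|"
    "src=10.0.0.5 spt=51234 dst=10.0.0.20 dpt=443 "
    "request=/index.html?q\\=1 act=passed"
)
SAMPLE_CSV = "10.0.0.5,51234,10.0.0.20,443,/index.html?q=1,passed"

# CEF header: 'CEF:Version' plus six more '|'-separated fields, then the extension.
# Inside header fields '|' and '\' are escaped as '\|' and '\\'.
_HEADER_FIELD = r"(?:[^|\\]|\\.)*"
_HEADER_RE = re.compile(
    r"^CEF:(\d+)" + (r"\|(" + _HEADER_FIELD + r")") * 6 + r"\|(.*)$"
)
# Extension: 'key=value' pairs separated by spaces. A value may contain spaces as long
# as the space is not followed by another 'key='; '=' inside a value is escaped as '\='.
_EXT_RE = re.compile(r"(\w+)=((?:[^\\= ]|\\.| (?!\w+=))*)")
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def _unescape(s, ext=False):
    # Header escapes: '\|' and '\\'. Extension escapes additionally include '\=',
    # '\n' (newline) and '\r' (carriage return).
    specials = {"n": "\n", "r": "\r"} if ext else {}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Return a dict of header fields plus an 'ext' dict, or None if the line is not CEF."""
    m = _HEADER_RE.match(line)
    if not m:
        return None
    event = dict(zip(HEADER_KEYS, (_unescape(f) for f in m.groups()[:7])))
    event["ext"] = {k: _unescape(v, ext=True) for k, v in _EXT_RE.findall(m.group(8))}
    return event


def classify(line):
    """Mimic the SIEM decision: 'cef' if the CEF rule parses the line, else it falls
    through to 'generic syslog' (what the thread sees with Support Generic Syslog on)."""
    return "cef" if parse_cef(line) else "generic syslog"


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_CSV):
        print(classify(sample), "<-", sample[:60])
```

Run as a script it prints `cef` for the pipe-delimited line and `generic syslog` for the comma-delimited one, which is exactly the symptom described in the thread.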