3 Replies Latest reply on Jan 29, 2015 9:30 AM by ryan.fitzpatrick

    Integrating F5 with SIEM McAfee


      Dear All,

      Who have experience about F5? pls, show me how to integrate F5 with SIEM McAfee? I configured F5 sent log to SIEM McAfee through syslog, but SIEM McAfee can't parse these logs. some people on forum recommend me "you should configure F5 to send log with NEDS format", but i don't have many experience about thi. pls help me, show me detail steps to send log with NEDS format?


      thanks and best regards,

      Sy Vu

        • 1. Re: Integrating F5 with SIEM McAfee



          Can you let me know which product of F5 are you using?


          I integrated F5 few weeks back, Not all events parsed but 60-70% of them did.





          • 2. Re: Integrating F5 with SIEM McAfee

            Dear vinaya,

            Thanks for your reply. can you show me your way. Now, i only configured to get log from F5 by creating iRule to send NEDS log to SIEM McAfee (but this way only configure with http protocol, and i want more logs). Now, im using ADM and LTM.


            Best regards,

            Sy Vu 

            • 3. Re: Integrating F5 with SIEM McAfee

              I believe F5 NEDS logs are tab delimited, and you can create a basic parser for anything delimited in some way via ([^\t]*)\t


              In this case, it's looking for the following;

              begin capture group (

              Open char match [

              negate char match ^

              find tab \t

              close char match ]

              match previous char match any number of times [^\t]* ( * is a greedy match)

              close capture group )

              look for tab \t


              Then copy and paste for each field in the logs (I believe it has like 15-16 fields) ([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\ t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)

              This is a very ugly, quick dirty parser to get data into the SIEM parsed quickly, but then each ([^\t]*)\t can be tuned and expanded based on data in the particular field.


              You will need to do the custom parser mappings based on where you want the data to be placed in regards to the SIEM database fields.