Can you let me know which F5 product you are using?
I integrated F5 a few weeks back. Not all events parsed, but 60-70% of them did.
Thanks for your reply. Can you show me your way? Right now I have only configured getting logs from F5 by creating an iRule that sends NEDS logs to the McAfee SIEM (but this only works with the HTTP protocol, and I want more logs). I am currently using ADM and LTM.
I believe F5 NEDS logs are tab delimited, and you can create a basic parser for anything delimited in some way via ([^\t]*)\t
In this case, it's looking for the following:
begin capture group (
Open char match [
negate char match ^
find tab \t
close char match ]
match previous char match any number of times [^\t]* ( * is a greedy match)
close capture group )
look for tab \t
Then copy and paste for each field in the logs (I believe it has around 15-16 fields): ([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)
This is a very ugly, quick and dirty parser to get data into the SIEM parsed quickly, but then each ([^\t]*)\t can be tuned and expanded based on the data in that particular field.
You will need to do the custom parser mappings based on where you want the data to be placed with regard to the SIEM database fields.
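The approach in the answer above, worked through as an added example that is not from the original thread or from F5: build the repeated ([^\t]*)\t pattern programmatically, anchor it so a line with the wrong field count is rejected rather than partially matched, and show how one group is tuned once its content is known. The field count (16), the field order, the sample record and the assumption that field 3 holds an IPv4 address are all constructed for the example; the real NEDS field layout should be taken from the F5 documentation for the product in use.

```python
import re

# The answer above says a NEDS line has roughly 15-16 tab-separated fields;
# 16 is an assumption used throughout this example.
FIELD_COUNT = 16


def build_delimited_regex(field_count, overrides=None):
    """Build the answer's ([^\t]*)\t([^\t]*)\t...([^\t]*) pattern.

    One capture group per field, joined by a literal tab, with no trailing
    tab after the last group. `overrides` maps a 1-based field number to a
    tighter sub-pattern (itself a single capture group); this is how the
    generic ([^\t]*) for one field gets tuned once its content is known.
    """
    overrides = overrides or {}
    groups = [overrides.get(i, r"([^\t]*)") for i in range(1, field_count + 1)]
    return r"\t".join(groups)


def compile_parser(field_count=FIELD_COUNT, overrides=None):
    # Anchor both ends so a line with too few or too many fields fails to
    # match instead of being silently matched against a prefix.
    return re.compile("^" + build_delimited_regex(field_count, overrides) + "$")


def parse_line(line, parser, names=None):
    """Return {name: value} for one log line, or None when it does not match."""
    m = parser.match(line.rstrip("\r\n"))
    if m is None:
        return None
    values = m.groups()
    names = names or [f"field_{i}" for i in range(1, len(values) + 1)]
    return dict(zip(names, values))


# Constructed sample record (not real NEDS output): 16 tab-separated values.
SAMPLE_FIELDS = [
    "2024-01-15 10:22:31",    # 1  timestamp (constructed)
    "bigip01.example.test",   # 2  device hostname
    "10.0.0.25",              # 3  assumed client IPv4 address
    "51234",                  # 4  client port
    "192.0.2.10",             # 5  virtual server address
    "443",                    # 6  virtual server port
    "/Common/vs_https",       # 7  virtual server name
    "HTTP",                   # 8  protocol
    "GET",                    # 9  method
    "/index.html",            # 10 URI
    "200",                    # 11 response code
    "1024",                   # 12 bytes
    "TLSv1.2",                # 13 TLS version
    "policy_allow",           # 14 policy action
    "0",                      # 15 violation count
    "ok",                     # 16 status text
]
SAMPLE_LINE = "\t".join(SAMPLE_FIELDS)

# Quick-and-dirty parser: every field is ([^\t]*), empty fields included.
GENERIC_PARSER = compile_parser()

# Tuned parser: assumed field 3 is an IPv4 address, so tighten only that group.
IPV4_GROUP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TUNED_PARSER = compile_parser(overrides={3: IPV4_GROUP})


def parse_generic(line):
    return parse_line(line, GENERIC_PARSER)


def parse_tuned(line):
    return parse_line(line, TUNED_PARSER)


if __name__ == "__main__":
    for label, fn in (("generic", parse_generic), ("tuned", parse_tuned)):
        rec = fn(SAMPLE_LINE)
        if rec is None:
            print(label, "-> no match")
        else:
            print(label, "->", len(rec), "fields, field_3 =", rec["field_3"])
```

The generic parser accepts an empty field (two adjacent tabs) because [^\t]* allows zero characters, which is what you want for a first pass; the tuned parser rejects a record whose third field is not an IPv4 address, so a change in the upstream log format shows up as unparsed events rather than as mis-mapped data in the SIEM fields.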