F5BigLogProfile Reference¶
The F5BigLogProfile Custom Resource (CR) configuration parameters. Each heading below represents the top-level parameter element. For example, to set the profile name, use spec.name.
spec.algLogging¶
| Parameter | Description |
|---|---|
enabled |
Enables logging of application layer gateway (ALG) event messages: true or false (default). |
publisher |
Name of the log publisher to use for DNS log messages. |
csvFormat |
Enable generating log entries in comma-separated-values (csv) format: true or false (default). |
spec.algLogging.dataChannel¶
| Parameter | Description |
|---|---|
start.mode |
Enables event log messages when the ALG data channel connection is established: disabled (default), or enabled. |
start.includeDestAddrPort |
Include the destination IP address and port when dataChannel.start.mode is enabled: true (default) or false. |
end.mode |
Enables event log messages when the ALG data channel connection is closed: disabled (default), or enabled. |
end.includeDestAddrPort |
Include the destination IP address and port when dataChannel.start.mode is enabled: true (default) or false. |
spec.algLogging.controlChannel¶
| Parameter | Description |
|---|---|
start.mode |
Enables event log messages when the ALG data channel connection is established: disabled (default), or enabled. |
start.includeDestAddrPort |
Include the destination IP address and port when controlChannel.start.mode is enabled: true (default) or false. |
end.mode |
Enables event log messages when the ALG data channel connection is closed: disabled (default), or enabled. |
end.includeDestAddrPort |
Include the destination IP address and port when controlChannel.start.mode is enabled: true (default) or false. |
spec.dns¶
| Parameter | Description |
|---|---|
enabled |
Enables logging of DNS event messages: true or false (default). |
description |
User defined description for the logging profile. |
queryLogging |
Enable DNS query logging: true (default) or false. |
responseLogging |
Enable DNS response logging: true or false (default). |
combinedLogging |
Enable and combine both DNS query and response logging in single logging message, overrides individual options.: true or false (default). |
completeAnswer |
Include all the resource records in response log messages: true (default) or false. |
queryId |
Include the query id in the query and response messages: true or false (default). |
source |
Include the log message originator in the query and response messages: true (default) or false. |
timeStamp |
Include the timestamp in the query and response messages: true (default) or false. |
view |
Include the view in the query message: true (default) or false. |
publisher |
Name of the log publisher to use for DNS log messages. |
spec.firewall¶
| Parameter | Description |
|---|---|
enabled |
Enables logging of firewall event messages: true or false (default). |
flowspec.publisher |
Specifies the name of the log publisher to be used for the flowspec route injector log messages. |
spec.firewall.ipIntelligence¶
| Parameter | Description |
|---|---|
publisher |
Specifies the name of the log publisher used for IP Intelligence log messages. |
geo |
Enables logging of geo location in shun IP Intelligence event: true or false (default). |
rtbh |
Enables logging of Remote Triggered Black Hole (RTBH) IP Intelligence events: true or false (default). |
scrubber |
Enables logging of scrubber IP Intelligence events: true or false (default). |
shun |
Enables logging of shun IP Intelligence events: true or false (default). |
translation |
Enables logging of translated server side fields in IP Intelligence log messages. Translated fields include Source Address/Port, Destination Address/Port, IP Protocol, Route Domain and Vlan: true or false (default). |
aggregateRate |
Specifies the rate limit of all combined ipIntelligence log messages per second: 0 to 4294967295. The default is 4294967295. |
spec.firewall.trafficStats¶
| Parameter | Description |
|---|---|
activeFlows |
Enables logging the number of active flows on client side: true or false. |
reapedFlows |
Enables logging the number of reaped flows on client side: true or false (default). |
missedFlows |
Enables logging the number of TCP packets (non SYN/ACK) were dropped because of the flow table lookup failed: true or false (default). |
synCookies |
Enables logging the number of syncookies generated, accepted and rejected in the context globally and per virtual server. These log messages will be generated periodically: true or false (default). |
syncookiesWhitelist |
Enables logging the number of syncookies whitelist hits, accepted and rejected in the context globally and per virtual server. These log messages will be generated periodically: true or false (default). |
publisher |
Specifies the name of the log publisher to be used for trafficStats log messages. |
spec.firewall.network¶
| Parameter | Description |
|---|---|
publisher |
Specifies the name of the log publisher to be used for network log messages. |
aggregateRate |
Specifies the rate limit of all combined network log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate: 0 to 4294967295. The default is 4294967295. |
events.aclMatchAccept |
Enables logging the packets that match ACL rules configured with action = Accept or action = Accept Decisively: true or false (default). |
events.aclMatchDrop |
Enables logging the packets that match ACL rules configured with action = Drop: true or false (default). |
events.aclMatchReject |
Enables logging the packets that match ACL rules configured with action = Reject: true or false (default). |
events.ipErrors |
Enables logging of IP error packets: true or false (default). |
events.tcpErrors |
Enables logging of TCP error packets: true or false (default). |
events.tcpEvents |
Enables logging of open and close of TCP sessions: true or false (default). |
events.translationFields |
Enables logging of translated server side fields in ACL match and TCP events. Translated fields include Source Address/Port, Destination Address/Port, IP Protocol, Route Domain and Vlan: true or false (default). |
events.userAlways |
Enables logging of certain subscriber information: true or false (default). |
events.geoAlways |
Enables logging the Geographic IP Location information fields in ACL match and TCP logging. Geographic information includes the country code of Source Address and Destination Address: true or false (default). |
events.uuidField |
Enables logging the ACL rule UUID field in ACL match and TCP logging. If the acl_rule_uuid field is explicitly specified in field-list or user-defined formats, UUID value will be logged regardless of state of this option: true or false (default). |
events.aclToBoxDeny |
Enables logging of any packet that is dropped or denied by management port firewall rules: true or false (default). |
ratelimit.aclMatchAccept |
Specifies rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
ratelimit.aclMatchDrop |
Specifies rate limits for the logging of packets that match ACL rules configured with action = Drop. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
ratelimit.aclMatchReject |
Trate limits for the logging of packets that match ACL rules configured with action = Reject. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
ratelimit.ipErrors |
Specifies rate limits for the logging of IP error packets. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
ratelimit.tcpErrors |
Specifies rate limits for the logging of TCP error packets. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
ratelimit.tcpEvents |
Specifies rate limits for the logging of TCP events on client side. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295. |
format.type |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
format.networkFieldList.items |
Specifies a set of fields in a specific order for logging messages. This option is valid when storage format type is field-list. Refer to networkFieldList to view the list of its available fields. |
format.networkFieldList.delimiter |
Specifies the delimiter string when storage format type is field-list. Special character $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
format.userDefinedFieldList |
Specifies the format of log message as a user-defined string. This option is valid when storage format type is user-defined. Refer to userDefinedFieldList to view the list of its available fields. |
spec.firewall.portMisuse¶
| Parameter | Description |
|---|---|
publisher |
Specifies the name of the log publisher to be used for portMisuse log messages. |
aggregateRate |
Specifies the rate limit of all combined portMisuse log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. The default value is 4294967295. |
spec.nat¶
| Parameter | Description |
|---|---|
enabled |
Enables logging of NAT event messages: true or false (default). |
publisher |
Specifies the name of the log publisher used for logging Network Address Translation events. |
lsnLegacyMode |
Enables LSN legacy CGNAT/LSN logging instead of the new Firewall NAT logging: true or false (default). LSN Legacy Mode can only log Dynamic PAT source translation events, cannot log Static NAT or Static PAT source translation events, cannot log Destination translation events, and does not support Firewall NAT logging features such as LocalDB, ArcSight, or Log Throttling. |
logSubscriberID |
Enables logging of subscriber IDs associated with a subscriber IP address: true or false (default). |
aggregateRateLimit |
Specifies the rate limit of all combined Network Address Translation log messages per second. The default value is 4294967295. |
spec.nat.outbound¶
| Parameter | Description |
|---|---|
start.mode |
Enables event log entries at start of the translation event for a NAT client: disabled (default), enabled or backup. |
start.includeDestAddrPort |
Include the destination IP address and port in the log message: true (default) or false. |
start.ratelimit |
Specifies rate limits for logging Outbound Start and corresponding logging network events: 0 to 4294967295. The default is 4294967295. |
start.formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
start.fieldList.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
start.fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
start.userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
end.mode |
Enables event log entries at end of translation event for a NAT client: disabled (default), enabled, or backup. |
end.includeDestAddrPort |
Include the destination IP address and port in the log message: true (default) or false. |
end.ratelimit |
Specifies rate limits for logging Outbound End and cooresponding events: 0 to 4294967295. The default is 4294967295. |
end.formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
end.fieldList.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, duration, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
end.fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
end.userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, duration, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
spec.nat.inbound¶
| Parameter | Description |
|---|---|
start.mode |
Enables log entries at the start of the incoming connection event for a translated endpoint: disabled (default), enabled, or backup. |
start.ratelimit |
Specifies rate limits for logging Inbound Start and cooresponding events: 0 to 4294967295. The default is 4294967295. |
start.formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
start.fieldList.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
start.fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
start.userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
end.mode |
Enables event log entries at the end of the incoming connection event for a translated endpoint: disabled (default), enabled, backup. |
end.ratelimit |
Specifies rate limits for logging Inbound End and cooresponding events: 0 to 4294967295. The default is 4294967295. |
end.formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
end.fieldlist.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, duration, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
end.fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
end.userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, duration, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translated_dest_ip, translated_dest_port, translated_route_domain, translated_src_ip and translated_src_port. |
spec.nat.quotaExceeded¶
| Parameter | Description |
|---|---|
mode |
Enables event log entries when a NAT client exceeds allocated resources: disabled (default), enabled or backup. |
ratelimit |
Specifies the Quota Exceeded Rate Limit to set throttling rate limits for logging Quota exceeded network events: 0 to 4294967295. The default value is 4294967295. |
formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
fieldList.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translation_error and translation_object. |
fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translation_error and translation_object. |
spec.nat.errors¶
| Parameter | Description |
|---|---|
mode |
Enables event log entries when a NAT translation errors occur: disabled (default), enabled, or backup. |
ratelimit |
Specifies rate limits for the logging Errors network and cooresponding events. The default value is 4294967295. |
formatType |
Specifies the format type for log messages. The available values are none (default), field-list or user-defined. |
fieldList.items |
Specifies a set of fields in a specific order for logging messages. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translation_error and translation_object. |
fieldList.delimiter |
Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,. |
userDefinedFieldList |
Specifies the format of log message as a user-defined string. The available values are context_name, dest_ip, dest_port, event_name, protocol, route_domain, src_ip, src_port, sub_id, timestamp, translation_error and translation_object. |
spec.pe¶
| Parameter | Description |
|---|---|
reportingType |
Specifies the report type: session-reporting, flow-reporting or disabled (default). |
reportingFields |
Specifies a list of reporting fields. For example - "Source IP". For a full list, review the F5BigLogProfile Reporting Fields. |
formatScript |
Specifies a list of format scripts. For example src-ip:[PEM::flow stats reported src-ip]. For a full list, review the F5BigLogProfile Format Script. |
usageVolumeThreshold.downlink |
Specifies the downlink usage volume threshold. |
usageVolumeThreshold.uplink |
Specifies the uplink usage volume threshold. |
usageVolumeThreshold.total |
Specifies the total usage volume threshold. |
intervalThreshold |
Specifies the interval threshold. |
spec.protocolInspection¶
| Parameter | Description |
|---|---|
enabled |
Enables logging of protocol inspection event messages: true or false (default). |
publisher |
Name of the log publisher to use for DNS log messages. |
logPacket |
Enables logging the packet of any payload matching the protocol inspection profile: true or false (default). |