F5BigLogProfile Reference

This page lists the F5BigLogProfile Custom Resource (CR) configuration parameters. Each heading below represents the top-level parameter element. For example, to set the profile name, use spec.name.

spec

Parameter Description
name The name of the security log profile in the system configuration.
publisher Specifies the name of the log publisher used for log messages.

spec.algLogging

Parameter Description
enabled Enables logging of application layer gateway (ALG) event messages: true or false (default).
publisher Name of the log publisher to use for DNS log messages.
csvFormat Enable generating log entries in comma-separated-values (csv) format: true or false (default).

spec.algLogging.dataChannel

Parameter Description
start.mode Enables event log messages when the ALG data channel connection is established: disabled (default), or enabled.
start.includeDestAddrPort Include the destination IP address and port when dataChannel.start.mode is enabled: true (default) or false.
end.mode Enables event log messages when the ALG data channel connection is closed: disabled (default), or enabled.
end.includeDestAddrPort Include the destination IP address and port when dataChannel.start.mode is enabled: true (default) or false.

spec.algLogging.controlChannel

Parameter Description
start.mode Enables event log messages when the ALG data channel connection is established: disabled (default), or enabled.
start.includeDestAddrPort Include the destination IP address and port when controlChannel.start.mode is enabled: true (default) or false.
end.mode Enables event log messages when the ALG data channel connection is closed: disabled (default), or enabled.
end.includeDestAddrPort Include the destination IP address and port when controlChannel.start.mode is enabled: true (default) or false.

spec.dns

Parameter Description
enabled Enables logging of DNS event messages: true or false (default).
description User defined description for the logging profile.
queryLogging Enable DNS query logging: true (default) or false.
responseLogging Enable DNS response logging: true or false (default).
completeAnswer Include all the resource records in response log messages: true (default) or false.
queryId Include the query id in the query and response messages: true or false (default).
source Include the log message originator in the query and response messages: true (default) or false.
timeStamp Include the timestamp in the query and response messages: true (default) or false.
view Include the view in the query message: true (default) or false.
publisher Name of the log publisher to use for DNS log messages.

spec.firewall

Parameter Description
enabled Enables logging of firewall event messages: true or false (default).
flowspec.publisher Specifies the name of the log publisher to be used for the flowspec route injector log messages.

spec.firewall.ipIntelligence

Parameter Description
publisher Specifies the name of the log publisher used for IP Intelligence log messages.
geo Enables logging of geo location in shun IP Intelligence event: true or false (default).
rtbh Enables logging of Remote Triggered Black Hole (RTBH) IP Intelligence events: true or false (default).
scrubber Enables logging of scrubber IP Intelligence events: true or false (default).
shun Enables logging of shun IP Intelligence events: true or false (default).
translation Enables logging of translated server side fields in IP Intelligence log messages. Translated fields include Source Address/Port, Destination Address/Port, IP Protocol, Route Domain and Vlan: true or false (default).
aggregateRate Specifies the rate limit of all combined ipIntelligence log messages per second: 0 to 4294967295. The default is 4294967295.

spec.firewall.trafficStats

Parameter Description
activeFlows Enables logging the number of active flows on client side: true or false.
reapedFlows Enables logging the number of reaped flows on client side: true or false (default).
missedFlows Enables logging the number of TCP packets (non SYN/ACK) that were dropped because the flow table lookup failed: true or false (default).
synCookies Enables logging the number of syncookies generated, accepted and rejected in the context globally and per virtual server. These log messages will be generated periodically: true or false (default).
syncookiesWhitelist Enables logging the number of syncookies whitelist hits, accepted and rejected in the context globally and per virtual server. These log messages will be generated periodically: true or false (default).
publisher Specifies the name of the log publisher to be used for trafficStats log messages.

spec.firewall.network

Parameter Description
publisher Specifies the name of the log publisher to be used for network log messages.
aggregateRate Specifies the rate limit of all combined network log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate: 0 to 4294967295. The default is 4294967295.
log.aclMatchAccept Enables logging the packets that match ACL rules configured with action = Accept or action = Accept Decisively: true or false (default).
events.aclMatchDrop Enables logging the packets that match ACL rules configured with action = Drop: true or false (default).
events.aclMatchReject Enables logging the packets that match ACL rules configured with action = Reject: true or false (default).
events.ipErrors Enables logging of IP error packets: true or false (default).
events.tcpErrors Enables logging of TCP error packets: true or false (default).
events.tcpEvents The default is false.
events.translationFields Enables logging of translated server side fields in ACL match and TCP events. Translated fields include Source Address/Port, Destination Address/Port, IP Protocol, Route Domain and Vlan: true or false (default).
log.geoAlways Enables logging the Geographic IP Location information fields in ACL match and TCP logging. Geographic information includes the country code of Source Address and Destination Address: true or false (default).
log.uuidField Enables logging the ACL rule UUID field in ACL match and TCP logging. If the acl_rule_uuid field is explicitly specified in field-list or user-defined formats, UUID value will be logged regardless of state of this option: true or false (default).
ratelimit.aclMatchAccept Specifies rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
ratelimit.aclMatchDrop Specifies rate limits for the logging of packets that match ACL rules configured with action = Drop. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
ratelimit.aclMatchReject Specifies rate limits for the logging of packets that match ACL rules configured with action = Reject. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
ratelimit.logIpErrors Specifies rate limits for the logging of IP error packets. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
ratelimit.logTcpErrors Specifies rate limits for the logging of TCP error packets. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
ratelimit.logTcpEvents Specifies rate limits for the logging of TCP events on client side. This option is effective only if logging of this message type is enabled: 0 to 4294967295. The default is 4294967295.
format.fieldListDelimiter Specifies the delimiter string when storage format type is field-list. Special character $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
format.type none (default), field-list, user-defined.
format.userDefinedFieldList Specifies the format of log message in form of user defined string. This option is valid when storage format type is user-defined. The default value is none.
format.networkFieldList Specifies a set of fields to be logged. This option is valid when storage format type is field-list.

spec.firewall.portMisuse

Parameter Description
publisher Specifies the name of the log publisher to be used for portMisuse log messages.
aggregateRate Specifies the rate limit of all combined portMisuse log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. The default value is 4294967295.

spec.nat

Parameter Description
enabled Enables logging of NAT event messages: true or false (default).
publisher Specifies the name of the log publisher used for logging Network Address Translation events.
lsnLegacyMode Enables LSN legacy CGNAT/LSN logging instead of the new Firewall NAT logging: true or false (default). LSN Legacy Mode can only log Dynamic PAT source translation events, cannot log Static NAT or Static PAT source translation events, cannot log Destination translation events, and does not support Firewall NAT logging features such as LocalDB, ArcSight, or Log Throttling.
logSubscriberID Enables logging of subscriber IDs associated with a subscriber IP address: true or false (default).
aggregateRateLimit Specifies the rate limit of all combined Network Address Translation log messages per second. The default value is 4294967295.

spec.nat.outbound

Parameter Description
start.mode Enables event log entries at start of the translation event for a NAT client: disabled (default), enabled, and backup.
start.includeDestAddrPort Include the destination IP address and port in the log message: true (default) or false.
start.ratelimit Specifies rate limits for logging Outbound Start and corresponding logging network events: 0 to 4294967295. The default is 4294967295.
start.formatType none (default), field-list, user-defined.
start.delimiter Specifies a delimiter when the storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
start.fieldList Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
start.userDefinedFieldList Specifies a set of network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.
end.mode Enables event log entries at end of translation event for a NAT client: disabled (default), enabled, or backup.
end.includeDestAddrPort Include the destination IP address and port in the log message: true (default) or false.
end.ratelimit Specifies rate limits for logging Outbound End and corresponding events: 0 to 4294967295. The default is 4294967295.
end.formatType none (default), field-list, user-defined.
end.delimiter Specifies the delimiter when storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
end.fieldList Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
end.userDefinedFieldList User-Defined-List specifies a set of network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.

spec.nat.inbound

Parameter Description
start.mode Enables log entries at the start of the incoming connection event for a translated endpoint: disabled (default), enabled, or backup.
start.ratelimit Specifies rate limits for logging Inbound Start and corresponding events: 0 to 4294967295. The default is 4294967295.
start.formatType none (default), field-list, user-defined.
start.delimiter Specifies the delimiter when storage format type is field-list. Note: The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
start.fieldList Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
start.userDefinedFieldList Specifies a set of network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.
end.mode Enables event log entries at the end of the incoming connection event for a translated endpoint: disabled (default), enabled, backup.
end.ratelimit Specifies rate limits for logging Inbound End and corresponding events: 0 to 4294967295. The default is 4294967295.
end.formatType none (default), field-list, user-defined.
end.delimiter Specifies the delimiter when storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
end.fieldlist Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
end.userDefinedFieldList Specifies a set of network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.

spec.nat.quotaExceeded

Parameter Description
mode Enables event log entries when a NAT client exceeds allocated resources: disabled (default), enabled, or backup.
ratelimit Specifies the Quota Exceeded Rate Limit to set throttling rate limits for logging Quota exceeded network events: 0 to 4294967295. The default value is 4294967295.
formatType none (default), field-list, or user-defined.
delimiter Specifies a delimiter when storage format type is Field-List. Note: The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
fieldList Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
userDefinedFieldList Specifies a set of network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.

spec.nat.errors

Parameter Description
mode Enables event log entries when NAT translation errors occur: disabled (default), enabled, or backup.
ratelimit Specifies rate limits for logging Errors network and corresponding events. The default value is 4294967295.
formatType none (default), field-list, or user-defined.
delimeter Delimiter is valid when storage format type is field-list. The special character dollar sign, $ should not be used in delimiter string as it is reserved for internal usage. The default value is ,.
fieldList Specifies a set of network fields to be logged: ["context_name","dest_ip","dest_port","event_name","protocol"].
userDefinedFieldList Specifies a set of user defined network fields to be logged: ${context_name}${dest_ip}${dest_port}${event_name}${protocol}.
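
The following is an added example, not part of the F5 reference or F5's own tooling: a pre-deployment lint of the spec.nat event blocks against the value lists, rate-limit range, and reserved $ delimiter character documented in the tables above. It assumes the dotted parameter names map to nested keys (start.mode becomes start: {mode: ...}); the function names and the sample spec are constructed for illustration.

```python
MAX_RATE = 4294967295          # upper bound the page gives for each ratelimit
MODES = {"disabled", "enabled", "backup"}
FORMAT_TYPES = {"none", "field-list", "user-defined"}


def nat_event_blocks(nat):
    """Yield (path, block) for the six spec.nat event blocks the page lists."""
    for direction in ("outbound", "inbound"):
        for phase in ("start", "end"):
            yield f"nat.{direction}.{phase}", nat.get(direction, {}).get(phase, {})
    for name in ("quotaExceeded", "errors"):
        yield f"nat.{name}", nat.get(name, {})


def lint_nat(spec):
    """Return findings for spec.nat, applying the page's defaults to absent keys."""
    nat = spec.get("nat", {})
    findings, active = [], []
    for path, blk in nat_event_blocks(nat):
        mode = blk.get("mode", "disabled")
        if mode not in MODES:
            findings.append(f"{path}.mode: {mode!r} is not a listed value")
        elif mode != "disabled":
            active.append(path)
        rate = blk.get("ratelimit", MAX_RATE)
        if type(rate) is not int or not 0 <= rate <= MAX_RATE:
            findings.append(f"{path}.ratelimit: {rate!r} is outside 0 to {MAX_RATE}")
        fmt = blk.get("formatType", "none")
        if fmt not in FORMAT_TYPES:
            findings.append(f"{path}.formatType: {fmt!r} is not a listed value")
        # The spec.nat.errors table spells this key "delimeter"; read either.
        delim = blk.get("delimiter", blk.get("delimeter", ","))
        if "$" in str(delim):
            findings.append(f"{path}.delimiter: '$' is reserved for internal usage")
    # Audit hint: NAT logging switched on while every event keeps its default mode.
    if nat.get("enabled", False) and not active:
        findings.append("nat.enabled is true but every event mode is disabled")
    return findings


# Constructed sample spec (not from the page).
SAMPLE = {"nat": {"enabled": True,
                  "outbound": {"start": {"mode": "enabled", "formatType": "field-list",
                                         "delimiter": "$", "ratelimit": 500},
                               "end": {"mode": "backup", "formatType": "usr-defined"}},
                  "errors": {"mode": "on", "ratelimit": 4294967296}}}

if __name__ == "__main__":
    for finding in lint_nat(SAMPLE):
        print(finding)
```
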

spec.pe

Parameter Description
reportingType Specifies the report type: session-reporting or flow-reporting.
reportingFields Specifies a list of reporting fields. For example - "Source IP". For a full list, review the F5BigLogProfile Reporting Fields.
formatScript Specifies a list of format scripts. For example src-ip:[PEM::flow stats reported src-ip]. For a full list, review the F5BigLogProfile Format Script.
usageVolumeThreshold.downlink Specifies the downlink usage volume threshold.
usageVolumeThreshold.uplink Specifies the uplink usage volume threshold.
usageVolumeThreshold.total Specifies the total usage volume threshold.
intervalThreshold Specifies the interval threshold.

spec.protocolInspection

Parameter Description
enabled Enables logging of protocol inspection event messages: true or false (default).
publisher Name of the log publisher to use for DNS log messages.
logPacket Enables logging the packet of any payload matching the protocol inspection profile: true or false (default).