Security_Log_Profile (object)

Configures a Security log profile

Properties (* = required):

name type(s) default allowed values description
/*/        
application object     Specifies, when enabled, that the system logs events from applications.
botDefense object     Specifies, when enabled, the system logs events from the Proactive Bot Defense mechanism.
class* string   “Security_Log_Profile”  
classification object     Specifies, when enabled, that the system logs events from the Classification engine.
dosApplication object     Specifies, when enabled, that the system logs detected application DoS attacks
dosNetwork object     Specifies, when enabled, that the system logs detected network DoS attacks
ipIntelligence object     Specifies, when enabled, that the system logs IP Intelligence events
label string   “^[^x00-x1fx22#&*<>?x5b-x5d`x7f]*$” Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML
nat object     Specifies, when enabled, that the system logs Firewall NAT events
network object     Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall
protocolDns object     Specifies, when enabled, that the system logs DNS security events
protocolDnsDos object     Specifies, when enabled, that the system logs detected DNS DoS attacks
protocolInspection object     Specifies, when enabled, that the system logs events from the Protocol Inspection engine
protocolSip object     Specifies, when enabled, that the system logs SIP protocol security events
protocolSipDos object     Specifies, when enabled, that the system logs detected SIP DoS attacks
protocolTransfer object     Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events
remark string   “^[^x00-x1fx22x5cx7f]*$” Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks
sshProxy object     Specifies, when enabled, that the system logs SSH Proxy events

Security_Log_Profile.application (object)

Specifies, when enabled, that the system logs events from applications.

Properties (* = required):

name type(s) default allowed values description
facility string “local0” “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” Specifies the facility category of the logged traffic
guaranteeLoggingEnabled boolean false true, false Indicates whether to guarantee local logging
guaranteeResponseLoggingEnabled boolean false true, false Indicates whether to guarantee local response logging. guaranteeLoggingEnabled must be true and responseLogging must be illegal or all
localStorage boolean true true, false Enables or disabled local storage
maxEntryLength string “2k” “1k”, “2k”, “10k”, “64k” Specifies the maximum entry length
maxHeaderSize integer   1 - 2048 Specifies the maximum headers size
maxQuerySize integer   1 - 2048 Specifies the maximum query string size
maxRequestSize integer   1 - 2048 Specifies the maximum request size
protocol string “tcp” “udp”, “tcp”, “tcp-rfc3195” Specifies the protocol supported by the remote server
remoteStorage string   “remote”, “splunk”, “arcsight”, “bigiq” Specifies a remote storage type
reportAnomaliesEnabled boolean false true, false Indicates whether to report detected anomalies
responseLogging string “none” “none”, “illegal”, “all” Specifies a response logging type
servers array     Adds, deletes, or replaces a set of remote servers
storageFilter object {}   Adds, deletes, or replaces a set of request filters
storageFormat       Specifies a storage format

Security_Log_Profile.application.storageFilter (object)

Adds, deletes, or replaces a set of request filters

Default: {}

Properties (* = required):

name type(s) default allowed values description
httpMethods array     Specifies whether request logging is dependent on the HTTP methods
logicalOperation string “or” “and”, “or” Specifies the logical operation on associated filters
loginResults array     Specifies whether the request logging is dependent on the login results
protocols array     Specifies if request logging is dependent on the protocols
requestContains object     Specifies whether the request logging is dependent on s specific string and where to look for that string
requestType string “illegal” “all”, “illegal”, “illegal-including-staged-signatures” Specifies which kind of requests the system or server will log
responseCodes array     Specifies whether request logging is dependent on the response status codes

Security_Log_Profile.application.storageFilter.requestContains (object)

Specifies whether the request logging is dependent on s specific string and where to look for that string

Properties (* = required):

name type(s) default allowed values description
searchIn* string   “search-in-headers”, “search-in-post-data”, “search-in-query-string”, “search-in-request”, “search-in-uri” Where to look for the specified string
value* string     The specified string to look for

Security_Log_Profile.botDefense (object)

Specifies, when enabled, the system logs events from the Proactive Bot Defense mechanism.

Properties (* = required):

name type(s) default allowed values description
localPublisher object     Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination),Reference to a log publisher
logAlarm boolean false true, false This option enables or disables the logging of requests with alarm mitigation. This feature is only supported in TMOS versions 14.1+
logBlock boolean false true, false This option enables or disables the logging of requests with block mitigation. This feature is only supported in TMOS versions 14.1+
logBotSignatureMatchedRequests boolean false true, false This option enables or disables the logging of reported bot signature requests
logBrowser boolean false true, false This option enables or disables the logging of requests with browser classification. This feature is only supported in TMOS versions 14.1+
logBrowserVerificationAction boolean false true, false This option enables or disables the logging of requests by browser verification action. This feature is only supported in TMOS versions 14.1+
logCaptcha boolean false true, false This option enables or disables the logging of requests with captcha mitigation. This feature is only supported in TMOS versions 14.1+
logCaptchaChallengedRequests boolean false true, false This option enables or disables the logging of captcha challenged requests
logChallengedRequests boolean false true, false This option enables or disables the logging of challenged requests
logChallengeFailureRequest boolean false true, false This option enables or disables the logging of requests by challenge failure. This feature is only supported in TMOS versions 15.0+
logDeviceIdCollectionRequest boolean false true, false This option enables or disables the logging of requests by device ID collection. This feature is only supported in TMOS versions 14.1+
logHoneyPotPage boolean false true, false This option enables or disables the logging of requests with honey pot page mitigation. This feature is only supported in TMOS versions 15.0+
logIllegalRequests boolean true true, false This option enables or disables the logging of illegal requests
logLegalRequests boolean false true, false This option enables or disables the logging of legal requests
logMaliciousBot boolean false true, false This option enables or disables the logging of requests with malicious bot classification. This feature is only supported in TMOS versions 14.1+
logMobileApplication boolean false true, false This option enables or disables the logging of requests with mobile application classification. This feature is only supported in TMOS versions 14.1+
logNone boolean false true, false This option enables or disables the logging of requests with no mitigation. This feature is only supported in TMOS versions 14.1+
logRateLimit boolean false true, false This option enables or disables the logging of requests with rate limit mitigation. This feature is only supported in TMOS versions 14.1+
logRedirectToPool boolean false true, false This option enables or disables the logging of requests with redirect to pool mitigation. This feature is only supported in TMOS versions 15.0+
logSuspiciousBrowser boolean false true, false This option enables or disables the logging of requests with suspicious browser classification. This feature is only supported in TMOS versions 14.1+
logTcpReset boolean false true, false This option enables or disables the logging of requests with TCP reset mitigation. This feature is only supported in TMOS versions 14.1+
logTrustedBot boolean false true, false This option enables or disables the logging of requests with trusted bot classification. This feature is only supported in TMOS versions 14.1+
logUnknown boolean true true, false This option enables or disables the logging of requests with unknown classification. This feature is only supported in TMOS versions 14.1+
logUntrustedBot boolean false true, false This option enables or disables the logging of requests with untrusted bot classification. This feature is only supported in TMOS versions 14.1+
remotePublisher object     Enables selecting a Log Publisher that has Splunk enabled,Reference to a log publisher

Security_Log_Profile.botDefense.localPublisher (object)

Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination) Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.botDefense.remotePublisher (object)

Enables selecting a Log Publisher that has Splunk enabled Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.classification (object)

Specifies, when enabled, that the system logs events from the Classification engine.

Properties (* = required):

name type(s) default allowed values description
logAllMatches boolean false true, false This option enables or disables the logging of all matches
publisher object     Specifies where the system sends log messages

Security_Log_Profile.classification.publisher (object)

Specifies where the system sends log messages

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.dosApplication (object)

Specifies, when enabled, that the system logs detected application DoS attacks

Properties (* = required):

name type(s) default allowed values description
localPublisher object     Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)
remotePublisher object     Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)

Security_Log_Profile.dosApplication.localPublisher (object)

Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.dosApplication.remotePublisher (object)

Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.dosNetwork (object)

Specifies, when enabled, that the system logs detected network DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging Network DoS events

Security_Log_Profile.dosNetwork.publisher (object)

Specifies the name of the log publisher used for logging Network DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.ipIntelligence (object)

Specifies, when enabled, that the system logs IP Intelligence events

Properties (* = required):

name type(s) default allowed values description
logTranslationFields boolean false true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher object     Specifies the name of the log publisher used for logging IP Intelligence events
rateLimitAggregate integer 4294967295 -∞ - -Infinity Defines a rate limit for all combined IP intelligence log messages per second

Security_Log_Profile.ipIntelligence.publisher (object)

Specifies the name of the log publisher used for logging IP Intelligence events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.nat (object)

Specifies, when enabled, that the system logs Firewall NAT events

Properties (* = required):

name type(s) default allowed values description
formatEndInboundSession       Specifies the format type for log messages
formatEndOutboundSession       Specifies the format type for log messages
formatErrors       Specifies the format type for log messages
formatQuotaExceeded       Specifies the format type for log messages
formatStartInboundSession       Specifies the format type for log messages
formatStartOutboundSession       Specifies the format type for log messages
logEndInboundSession boolean false true, false Generates event log entries at the end of the incoming connection event for a translated endpoint. Triggered when the system frees the inbound session.
logEndOutboundSession boolean false true, false Generates event log entries at end of translation event for a NAT client. Triggered when the system frees the outbound session.
logErrors boolean false true, false Generates event log entries when a NAT translation errors occur
logQuotaExceeded boolean false true, false Generates event log entries when a NAT client exceeds allocated resources
logStartInboundSession boolean false true, false Generates event log entries at the start of the incoming connection event for a translated endpoint. Triggered when the system creates the inbound session.
logStartOutboundSession boolean false true, false Generates event log entries at start of the translation event for a NAT client. Triggered when the system creates the outbound session.
logSubscriberId boolean false true, false Logs the subscriber ID associated with a subscriber IP address
publisher* object     Specifies the name of the log publisher used for logging Network Address Translation events
rateLimitAggregate integer 4294967295 -∞ - -Infinity This option sets the aggregate rate for all the Firewall NAT log events that the system can log per second
rateLimitEndInboundSession integer 4294967295 -∞ - -Infinity This option rate limits the end inbound session log events per second
rateLimitEndOutboundSession integer 4294967295 -∞ - -Infinity This option rate limits the end outbound session log events per second
rateLimitErrors integer 4294967295 -∞ - -Infinity This option rate limits the errors the system logs per second
rateLimitQuotaExceeded integer 4294967295 -∞ - -Infinity This option rate limits the quota exceeded log events per second
rateLimitStartInboundSession integer 4294967295 -∞ - -Infinity This option rate limits the start inbound session log events per second
rateLimitStartOutboundSession integer 4294967295 -∞ - -Infinity This option rate limits the start outbound session log events per second

Security_Log_Profile.nat.publisher (object)

Specifies the name of the log publisher used for logging Network Address Translation events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.network (object)

Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall

Properties (* = required):

name type(s) default allowed values description
alwaysLogRegion boolean false true, false Specifies, when enabled, that when a geolocation event causes a network firewall event, the system logs the associated IP address
logIpErrors boolean false true, false Specifies, when enabled, that the system logs IP error packets
logRuleMatchAccepts boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept
logRuleMatchDrops boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop
logRuleMatchRejects boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject
logTcpErrors boolean false true, false Specifies, when enabled, that the system logs TCP error packets
logTcpEvents boolean false true, false Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions)
logTranslationFields boolean false true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher object     Specifies the name of the log publisher used for logging Network events
rateLimitAggregate integer 4294967295 -∞ - -Infinity This option sets the aggregate rate limit that applies to any network logging message
rateLimitIpErrors integer 4294967295 -∞ - -Infinity This option enables or disables the logging of IP error packets
rateLimitRuleMatchAccepts integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchDrops integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchRejects integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Reject
rateLimitTcpErrors integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of TCP error packets
rateLimitTcpEvents integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of TCP events on client side
storageFormat       Specifies the format type for log messages. If it is a string it is user-defined

Security_Log_Profile.network.publisher (object)

Specifies the name of the log publisher used for logging Network events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolDns (object)

Specifies, when enabled, that the system logs DNS security events

Properties (* = required):

name type(s) default allowed values description
logDroppedRequests boolean false true, false Specifies, when enabled, that the system logs dropped DNS requests
logFilteredDroppedRequests boolean false true, false Specifies, when enabled, that the system logs DNS requests dropped due to DNS query/header-opcode filtering. The system does not log DNS requests dropped due to errors in the way the system processes DNS packets.
logMalformedRequests boolean false true, false Specifies, when enabled, that the system logs malformed DNS requests
logMaliciousRequests boolean false true, false Specifies, when enabled, that the system logs malicious DNS requests
logRejectedRequests boolean false true, false Specifies, when enabled, that the system logs rejected DNS requests
publisher object     Specifies the name of the log publisher used for logging DNS security events
storageFormat       Specifies the format type for log messages

Security_Log_Profile.protocolDns.publisher (object)

Specifies the name of the log publisher used for logging DNS security events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolDnsDos (object)

Specifies, when enabled, that the system logs detected DNS DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging DNS DoS events

Security_Log_Profile.protocolDnsDos.publisher (object)

Specifies the name of the log publisher used for logging DNS DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolInspection (object)

Specifies, when enabled, that the system logs events from the Protocol Inspection engine

Properties (* = required):

name type(s) default allowed values description
logPacketPayloadEnabled boolean false true, false Enable logging of the packet payload for Protocol Inspection events
publisher object     Reference to a log publisher

Security_Log_Profile.protocolInspection.publisher (object)

Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolSip (object)

Specifies, when enabled, that the system logs SIP protocol security events

Properties (* = required):

name type(s) default allowed values description
logDroppedRequests boolean false true, false Specifies, when enabled, that the system logs dropped requests
logGlobalFailures boolean false true, false Specifies, when enabled, that the system logs global failures
logMalformedRequests boolean false true, false Specifies, when enabled, that the system logs malformed requests
logRedirectedResponses boolean false true, false Specifies, when enabled, that the system logs redirection responses
logRequestFailures boolean false true, false Specifies, when enabled, that the system logs request failures
logServerErrors boolean false true, false Specifies, when enabled, that the system logs server errors
publisher object     Specifies the name of the log publisher used for logging SIP protocol security events
storageFormat       Specifies the format type for log messages

Security_Log_Profile.protocolSip.publisher (object)

Specifies the name of the log publisher used for logging SIP protocol security events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolSipDos (object)

Specifies, when enabled, that the system logs detected SIP DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging SIP DoS events

Security_Log_Profile.protocolSipDos.publisher (object)

Specifies the name of the log publisher used for logging SIP DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.protocolTransfer (object)

Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies where the system sends log messages

Security_Log_Profile.protocolTransfer.publisher (object)

Specifies where the system sends log messages

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile.sshProxy (object)

Specifies, when enabled, that the system logs SSH Proxy events

Properties (* = required):

name type(s) default allowed values description
logAllowedChannelAction boolean false true, false Specifies, when enabled, that the system logs allowed channel actions
logClientAuthFail boolean false true, false Specifies the name of the log publisher used for logging SSH Proxy events
logClientAuthPartial boolean false true, false Specifies, when enabled, that the system logs client auth partial events
logClientAuthSuccess boolean false true, false Specifies, when enabled, that the system logs client auth success events
logDisallowedChannelAction boolean false true, false Specifies, when enabled, that the system logs disallowed channel actions
logNonSshTraffic boolean false true, false Specifies, when enabled, that the system logs non-SSH traffic events
logServerAuthFail boolean false true, false Specifies, when enabled, that the system logs server auth failure events
logServerAuthPartial boolean false true, false Specifies, when enabled, that the system logs server auth partial events
logServerAuthSuccess boolean false true, false Specifies, when enabled, that the system logs server auth failure events
logSshTimeout boolean false true, false Specifies, when enabled, that the system logs SSH timeouts
publisher object     Specifies the name of the log publisher used for logging SSH Proxy events

Security_Log_Profile.sshProxy.publisher (object)

Specifies the name of the log publisher used for logging SSH Proxy events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Application (object)

Specifies, when enabled, that the system logs events from applications.

Properties (* = required):

name type(s) default allowed values description
facility string “local0” “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, “local7” Specifies the facility category of the logged traffic
guaranteeLoggingEnabled boolean false true, false Indicates whether to guarantee local logging
guaranteeResponseLoggingEnabled boolean false true, false Indicates whether to guarantee local response logging. guaranteeLoggingEnabled must be true and responseLogging must be illegal or all
localStorage boolean true true, false Enables or disabled local storage
maxEntryLength string “2k” “1k”, “2k”, “10k”, “64k” Specifies the maximum entry length
maxHeaderSize integer   1 - 2048 Specifies the maximum headers size
maxQuerySize integer   1 - 2048 Specifies the maximum query string size
maxRequestSize integer   1 - 2048 Specifies the maximum request size
protocol string “tcp” “udp”, “tcp”, “tcp-rfc3195” Specifies the protocol supported by the remote server
remoteStorage string   “remote”, “splunk”, “arcsight”, “bigiq” Specifies a remote storage type
reportAnomaliesEnabled boolean false true, false Indicates whether to report detected anomalies
responseLogging string “none” “none”, “illegal”, “all” Specifies a response logging type
servers array     Adds, deletes, or replaces a set of remote servers
storageFilter object {}   Adds, deletes, or replaces a set of request filters
storageFormat       Specifies a storage format

Security_Log_Profile_Application.storageFilter (object)

Adds, deletes, or replaces a set of request filters

Default: {}

Properties (* = required):

name type(s) default allowed values description
httpMethods array     Specifies whether request logging is dependent on the HTTP methods
logicalOperation string “or” “and”, “or” Specifies the logical operation on associated filters
loginResults array     Specifies whether the request logging is dependent on the login results
protocols array     Specifies if request logging is dependent on the protocols
requestContains object     Specifies whether the request logging is dependent on s specific string and where to look for that string
requestType string “illegal” “all”, “illegal”, “illegal-including-staged-signatures” Specifies which kind of requests the system or server will log
responseCodes array     Specifies whether request logging is dependent on the response status codes

Security_Log_Profile_Application.storageFilter.requestContains (object)

Specifies whether the request logging is dependent on s specific string and where to look for that string

Properties (* = required):

name type(s) default allowed values description
searchIn* string   “search-in-headers”, “search-in-post-data”, “search-in-query-string”, “search-in-request”, “search-in-uri” Where to look for the specified string
value* string     The specified string to look for

Security_Log_Profile_Bot_Defense (object)

Specifies, when enabled, the system logs events from the Proactive Bot Defense mechanism.

Properties (* = required):

name type(s) default allowed values description
localPublisher object     Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination),Reference to a log publisher
logAlarm boolean false true, false This option enables or disables the logging of requests with alarm mitigation. This feature is only supported in TMOS versions 14.1+
logBlock boolean false true, false This option enables or disables the logging of requests with block mitigation. This feature is only supported in TMOS versions 14.1+
logBotSignatureMatchedRequests boolean false true, false This option enables or disables the logging of reported bot signature requests
logBrowser boolean false true, false This option enables or disables the logging of requests with browser classification. This feature is only supported in TMOS versions 14.1+
logBrowserVerificationAction boolean false true, false This option enables or disables the logging of requests by browser verification action. This feature is only supported in TMOS versions 14.1+
logCaptcha boolean false true, false This option enables or disables the logging of requests with captcha mitigation. This feature is only supported in TMOS versions 14.1+
logCaptchaChallengedRequests boolean false true, false This option enables or disables the logging of captcha challenged requests
logChallengedRequests boolean false true, false This option enables or disables the logging of challenged requests
logChallengeFailureRequest boolean false true, false This option enables or disables the logging of requests by challenge failure. This feature is only supported in TMOS versions 15.0+
logDeviceIdCollectionRequest boolean false true, false This option enables or disables the logging of requests by device ID collection. This feature is only supported in TMOS versions 14.1+
logHoneyPotPage boolean false true, false This option enables or disables the logging of requests with honey pot page mitigation. This feature is only supported in TMOS versions 15.0+
logIllegalRequests boolean true true, false This option enables or disables the logging of illegal requests
logLegalRequests boolean false true, false This option enables or disables the logging of legal requests
logMaliciousBot boolean false true, false This option enables or disables the logging of requests with malicious bot classification. This feature is only supported in TMOS versions 14.1+
logMobileApplication boolean false true, false This option enables or disables the logging of requests with mobile application classification. This feature is only supported in TMOS versions 14.1+
logNone boolean false true, false This option enables or disables the logging of requests with no mitigation. This feature is only supported in TMOS versions 14.1+
logRateLimit boolean false true, false This option enables or disables the logging of requests with rate limit mitigation. This feature is only supported in TMOS versions 14.1+
logRedirectToPool boolean false true, false This option enables or disables the logging of requests with redirect to pool mitigation. This feature is only supported in TMOS versions 15.0+
logSuspiciousBrowser boolean false true, false This option enables or disables the logging of requests with suspicious browser classification. This feature is only supported in TMOS versions 14.1+
logTcpReset boolean false true, false This option enables or disables the logging of requests with TCP reset mitigation. This feature is only supported in TMOS versions 14.1+
logTrustedBot boolean false true, false This option enables or disables the logging of requests with trusted bot classification. This feature is only supported in TMOS versions 14.1+
logUnknown boolean true true, false This option enables or disables the logging of requests with unknown classification. This feature is only supported in TMOS versions 14.1+
logUntrustedBot boolean false true, false This option enables or disables the logging of requests with untrusted bot classification. This feature is only supported in TMOS versions 14.1+
remotePublisher object     Enables selecting a Log Publisher that has Splunk enabled,Reference to a log publisher

Security_Log_Profile_Bot_Defense.localPublisher (object)

Specifies, when enabled, a Log Publisher to log events to (Note: This publisher should have a single local-database destination) Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Bot_Defense.remotePublisher (object)

Enables selecting a Log Publisher that has Splunk enabled Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Classification (object)

Specifies, when enabled, that the system logs events from the Classification engine.

Properties (* = required):

name type(s) default allowed values description
logAllMatches boolean false true, false This option enables or disables the logging of all matches
publisher object     Specifies where the system sends log messages

Security_Log_Profile_Classification.publisher (object)

Specifies where the system sends log messages

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Dos_Application (object)

Specifies, when enabled, that the system logs detected application DoS attacks

Properties (* = required):

name type(s) default allowed values description
localPublisher object     Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)
remotePublisher object     Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)

Security_Log_Profile_Dos_Application.localPublisher (object)

Specifies the local log publisher used for Application DoS attacks (Note: This publisher should have a single local-database destination)

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Dos_Application.remotePublisher (object)

Specifies the remote log publisher used for Application DoS attacks (Note: This publisher should have ArcSight or Splunk destinations)

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Dos_Network (object)

Specifies, when enabled, that the system logs detected network DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging Network DoS events

Security_Log_Profile_Dos_Network.publisher (object)

Specifies the name of the log publisher used for logging Network DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Ip_Intelligence (object)

Specifies, when enabled, that the system logs IP Intelligence events

Properties (* = required):

name type(s) default allowed values description
logTranslationFields boolean false true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher object     Specifies the name of the log publisher used for logging IP Intelligence events
rateLimitAggregate integer 4294967295 -∞ - -Infinity Defines a rate limit for all combined IP intelligence log messages per second

Security_Log_Profile_Ip_Intelligence.publisher (object)

Specifies the name of the log publisher used for logging IP Intelligence events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Nat (object)

Specifies, when enabled, that the system logs Firewall NAT events

Properties (* = required):

name type(s) default allowed values description
formatEndInboundSession       Specifies the format type for log messages
formatEndOutboundSession       Specifies the format type for log messages
formatErrors       Specifies the format type for log messages
formatQuotaExceeded       Specifies the format type for log messages
formatStartInboundSession       Specifies the format type for log messages
formatStartOutboundSession       Specifies the format type for log messages
logEndInboundSession boolean false true, false Generates event log entries at the end of the incoming connection event for a translated endpoint. Triggered when the system frees the inbound session.
logEndOutboundSession boolean false true, false Generates event log entries at end of translation event for a NAT client. Triggered when the system frees the outbound session.
logErrors boolean false true, false Generates event log entries when a NAT translation errors occur
logQuotaExceeded boolean false true, false Generates event log entries when a NAT client exceeds allocated resources
logStartInboundSession boolean false true, false Generates event log entries at the start of the incoming connection event for a translated endpoint. Triggered when the system creates the inbound session.
logStartOutboundSession boolean false true, false Generates event log entries at start of the translation event for a NAT client. Triggered when the system creates the outbound session.
logSubscriberId boolean false true, false Logs the subscriber ID associated with a subscriber IP address
publisher* object     Specifies the name of the log publisher used for logging Network Address Translation events
rateLimitAggregate integer 4294967295 -∞ - -Infinity This option sets the aggregate rate for all the Firewall NAT log events that the system can log per second
rateLimitEndInboundSession integer 4294967295 -∞ - -Infinity This option rate limits the end inbound session log events per second
rateLimitEndOutboundSession integer 4294967295 -∞ - -Infinity This option rate limits the end outbound session log events per second
rateLimitErrors integer 4294967295 -∞ - -Infinity This option rate limits the errors the system logs per second
rateLimitQuotaExceeded integer 4294967295 -∞ - -Infinity This option rate limits the quota exceeded log events per second
rateLimitStartInboundSession integer 4294967295 -∞ - -Infinity This option rate limits the start inbound session log events per second
rateLimitStartOutboundSession integer 4294967295 -∞ - -Infinity This option rate limits the start outbound session log events per second

Security_Log_Profile_Nat.publisher (object)

Specifies the name of the log publisher used for logging Network Address Translation events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Nat_Storage_Format ()

Specifies the format type for log messages

Security_Log_Profile_Network (object)

Specifies, when enabled, that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall

Properties (* = required):

name type(s) default allowed values description
alwaysLogRegion boolean false true, false Specifies, when enabled, that when a geolocation event causes a network firewall event, the system logs the associated IP address
logIpErrors boolean false true, false Specifies, when enabled, that the system logs IP error packets
logRuleMatchAccepts boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept
logRuleMatchDrops boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop
logRuleMatchRejects boolean false true, false Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject
logTcpErrors boolean false true, false Specifies, when enabled, that the system logs TCP error packets
logTcpEvents boolean false true, false Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions)
logTranslationFields boolean false true, false Specifies, when enabled, that the system logs translation values if and when it logs a network firewall event
publisher object     Specifies the name of the log publisher used for logging Network events
rateLimitAggregate integer 4294967295 -∞ - -Infinity This option sets the aggregate rate limit that applies to any network logging message
rateLimitIpErrors integer 4294967295 -∞ - -Infinity This option enables or disables the logging of IP error packets
rateLimitRuleMatchAccepts integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchDrops integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Accept or action = Accept Decisively
rateLimitRuleMatchRejects integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of packets that match ACL rules configured with action = Reject
rateLimitTcpErrors integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of TCP error packets
rateLimitTcpEvents integer 4294967295 -∞ - -Infinity This option sets rate limits for the logging of TCP events on client side
storageFormat       Specifies the format type for log messages. If it is a string it is user-defined

Security_Log_Profile_Network.publisher (object)

Specifies the name of the log publisher used for logging Network events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Dns (object)

Specifies, when enabled, that the system logs DNS security events

Properties (* = required):

name type(s) default allowed values description
logDroppedRequests boolean false true, false Specifies, when enabled, that the system logs dropped DNS requests
logFilteredDroppedRequests boolean false true, false Specifies, when enabled, that the system logs DNS requests dropped due to DNS query/header-opcode filtering. The system does not log DNS requests dropped due to errors in the way the system processes DNS packets.
logMalformedRequests boolean false true, false Specifies, when enabled, that the system logs malformed DNS requests
logMaliciousRequests boolean false true, false Specifies, when enabled, that the system logs malicious DNS requests
logRejectedRequests boolean false true, false Specifies, when enabled, that the system logs rejected DNS requests
publisher object     Specifies the name of the log publisher used for logging DNS security events
storageFormat       Specifies the format type for log messages

Security_Log_Profile_Protocol_Dns.publisher (object)

Specifies the name of the log publisher used for logging DNS security events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Dns_Dos (object)

Specifies, when enabled, that the system logs detected DNS DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging DNS DoS events

Security_Log_Profile_Protocol_Dns_Dos.publisher (object)

Specifies the name of the log publisher used for logging DNS DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Inspection (object)

Specifies, when enabled, that the system logs events from the Protocol Inspection engine

Properties (* = required):

name type(s) default allowed values description
logPacketPayloadEnabled boolean false true, false Enable logging of the packet payload for Protocol Inspection events
publisher object     Reference to a log publisher

Security_Log_Profile_Protocol_Inspection.publisher (object)

Reference to a log publisher

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Sip (object)

Specifies, when enabled, that the system logs SIP protocol security events

Properties (* = required):

name type(s) default allowed values description
logDroppedRequests boolean false true, false Specifies, when enabled, that the system logs dropped requests
logGlobalFailures boolean false true, false Specifies, when enabled, that the system logs global failures
logMalformedRequests boolean false true, false Specifies, when enabled, that the system logs malformed requests
logRedirectedResponses boolean false true, false Specifies, when enabled, that the system logs redirection responses
logRequestFailures boolean false true, false Specifies, when enabled, that the system logs request failures
logServerErrors boolean false true, false Specifies, when enabled, that the system logs server errors
publisher object     Specifies the name of the log publisher used for logging SIP protocol security events
storageFormat       Specifies the format type for log messages

Security_Log_Profile_Protocol_Sip.publisher (object)

Specifies the name of the log publisher used for logging SIP protocol security events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Sip_Dos (object)

Specifies, when enabled, that the system logs detected SIP DoS attacks

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies the name of the log publisher used for logging SIP DoS events

Security_Log_Profile_Protocol_Sip_Dos.publisher (object)

Specifies the name of the log publisher used for logging SIP DoS events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Protocol_Transfer (object)

Specifies, when enabled, that the system logs HTTP, FTP, and SMTP protocol security events

Properties (* = required):

name type(s) default allowed values description
publisher object     Specifies where the system sends log messages

Security_Log_Profile_Protocol_Transfer.publisher (object)

Specifies where the system sends log messages

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration

Security_Log_Profile_Ssh_Proxy (object)

Specifies, when enabled, that the system logs SSH Proxy events

Properties (* = required):

name type(s) default allowed values description
logAllowedChannelAction boolean false true, false Specifies, when enabled, that the system logs allowed channel actions
logClientAuthFail boolean false true, false Specifies the name of the log publisher used for logging SSH Proxy events
logClientAuthPartial boolean false true, false Specifies, when enabled, that the system logs client auth partial events
logClientAuthSuccess boolean false true, false Specifies, when enabled, that the system logs client auth success events
logDisallowedChannelAction boolean false true, false Specifies, when enabled, that the system logs disallowed channel actions
logNonSshTraffic boolean false true, false Specifies, when enabled, that the system logs non-SSH traffic events
logServerAuthFail boolean false true, false Specifies, when enabled, that the system logs server auth failure events
logServerAuthPartial boolean false true, false Specifies, when enabled, that the system logs server auth partial events
logServerAuthSuccess boolean false true, false Specifies, when enabled, that the system logs server auth failure events
logSshTimeout boolean false true, false Specifies, when enabled, that the system logs SSH timeouts
publisher object     Specifies the name of the log publisher used for logging SSH Proxy events

Security_Log_Profile_Ssh_Proxy.publisher (object)

Specifies the name of the log publisher used for logging SSH Proxy events

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP log publisher
use string     AS3 pointer to log publisher declaration