F5 APM Logging to Arcsight

Question

can anyone please let us know whether APM uses CEF format as we are sending logs from APM to Arcsight and the logs are not getting parsed properly. &nbsp;

boneyard · Answer

that depends on how you set up your logging, if you got through the publishers and destinations you are to able to say it is ArcSight.

amolari · Answer

As per v11.6, the information from the manualis:
Important: ArcSight formatting is only available for logs coming from Advanced Firewall Manager
(AFM), Application Security Manager™ (ASM), and the Secure Web Gateway component of Access
Policy Manager® (APM®). IPFIX is not available for Secure Web Gateway. Remote Syslog formatting
is the only type supported for logs coming from APM. The Splunk format is a predefined format of key
value pairs.

At the moment it's not possible. I suggest you to open a case by F5 support. Maybe a RFE is existing and you can link your case to it or alternatively create a RFE.

sathya_balakris · Answer

hi amolari &amp; boneyard, may I know what is RFE ? &nbsp;

curt_kersey_115 · Answer

An RFE is F5's term for a "Request for Enhancement".  For APM, there is one that has already been created for ArcSight CEF formatting, 427106.&nbsp;

Forum Discussion

F5 APM Logging to Arcsight

4 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

UCS Encryption Question

Unblock Request WAF

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

Related Content

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

APM Session Variable Logging

F5 Distributed Cloud Telemetry (Logs) - Loki

F5 Distributed Cloud Telemetry (Logs) - ELK Stack

APM Session Elapsed Time Log

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS