Forum Discussion
KrishnaS
Nimbostratus
NimbostratusF5 BIG-IP DNS/Audit Logs — Structured Format for SIEM Ingestion
Hello Team, We are working on adding ingestion support for F5 BIG-IP DNS and Audit logs into a SIEM, with the goal of normalising events to the OCSF standard. For other BIG-IP event types, we use Te...
Jeff_Granieri
Employee
EmployeeHi KrishnaS ,
I would recommend you check out BIG-IP iRules Assistant, I used it to generate a starter iRule that will convert DNS requests to JSON format. You can expand as needed and log to a pool if you want. Keep in mind this would need to be attached to as many WIP's that need this logging. Also test this in a non-prod environment and be sure you are comfortable with its performance.
# This iRule code has the following requirements:
# - DNS Services addon license (called GTM before 12.0) and a DNS profile enabled where applicable (required by: "DNS::question", "DNS_REQUEST")
when DNS_REQUEST priority 500 {
# Declare variable to store client IP
set client_ip [IP::client_addr]
# Declare variable to store DNS question name
set qname [DNS::question name]
# Declare variable to store DNS question type
set qtype [DNS::question type]
# Declare variable to store DNS question class
set qclass [DNS::question class]
# Assemble the extracted fields into a JSON-formatted string
set json [format "{\"client_ip\":\"%s\",\"question_name\":\"%s\",\"question_type\":\"%s\",\"question_class\":\"%s\"}" \
$client_ip \
$qname \
$qtype \
$qclass]
# Log the JSON string to syslog with local0.info facility and level
log local0.info $json
}
