Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

KrishnaS's avatar
KrishnaS
Icon for Nimbostratus rankNimbostratus
Apr 12, 2026

F5 BIG-IP DNS/Audit Logs — Structured Format for SIEM Ingestion

Hello Team, We are working on adding ingestion support for F5 BIG-IP DNS and Audit logs into a SIEM, with the goal of normalising events to the OCSF standard. For other BIG-IP event types, we use Te...
security
jainzeel13's avatar
jainzeel13
Icon for Altocumulus rankAltocumulus
Apr 20, 2026

Hello Jeff_Granieri​ 

Thanks for the iRule suggestion.

Following up on a post previously shared by my colleague Krishna — we are currently working together on this setup and facing an issue with logs not reaching AWS S3.

Current Setup:

  • iRule attached to the Virtual Server, logging DNS_REQUEST in JSON format using log local0.info
  • HSL Log Destination configured with a pool pointing to 127.0.0.1:6514
  • Log Publisher -> DNS Logging Profile -> attached to the Virtual Server
  • Telemetry Streaming configured with a listener on port 6514
  • Consumer configured to AWS S3 (eu-north-1)
  • Port 6514 is confirmed open (verified via netstat)

Expected Flow:
F5 BIG-IP -> Telemetry Streaming -> AWS S3

Issue:
Despite the above configuration, we are not receiving any data in AWS S3.
We would appreciate any guidance on what we might be missing or additional checks we should perform.


My declaration 

{
  "class": "Telemetry",
  "My_Listener": {
    "class": "Telemetry_Listener",
    "port": 6514
  },
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "AWS_S3",
    "region": "eu-north-1",
    "bucket": "f5-dns-community-test",
    "username": "Access key",
    "passphrase": {
      "cipherText": "Secret Key"
    }
  }
}

 

Jeff_Granieri's avatar
Jeff_Granieri
Icon for Employee rankEmployee
Apr 20, 2026

HI jainzeel13​   looks like your declaration is missing the system poller which might be why TS is not sending anything...  

{
  "class": "Telemetry",
  "My_System": {
    "class": "Telemetry_System",
    "systemPoller": {
      "interval": 300
    }
  },
  "My_Listener": {
    "class": "Telemetry_Listener",
    "port": 6514
  },
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "AWS_S3",
    "region": "eu-north-1",
    "bucket": "f5-dns-community-test",
    "username": "AKIA________________",
    "passphrase": {
      "cipherText": "actual_secret_key_here"
    }
  }
}

you can try to add debugging :  

restcurl -X POST /mgmt/shared/telemetry/declare -d '{

"class": "Telemetry",

"controls": {

"class": "Controls",

"logLevel": "debug"

}

}'

*** make sure you set the loglevel off debug when you are done ***

and then monitor restnoded.log for the TS polling and check for error response codes...