We feed out F5 logs into a SIEM and use for incident investigation. Currently the logs we get do not show cs information - all I get is the ss IP addresses. This makes it impossible to correlate IPS alerts with the source IP -- all I see is the ss IP addresses. Looking in the F5 logs only shows me the ss IPs which I already have from the IPS.
How can I get the F5 to show connection logs with the cs IP addresses as well as the ss IP addresses in the connectin logs we send to the SIEM?