Forum Discussion
Logs need to be sent to McAfee SIEM
Hello all,
I am new to F5 and BIG IP. I am currently on version 11.3. I am trying to send logs from the BIG IP to my McAfee SIEM. After talking with McAfee they say that the format of the logs needs to be in NEDS format. Would someone be able to help me out with creating an iRule to send all logs to my SIEM?
Any help would be appreciated.
Thanks.
6 Replies
- Cliff_126534
Nimbostratus
Maybe this will be of use to you?
https://devcentral.f5.com/articles/big-ip-logging-and-reporting-toolkit-part-one
Specifically this: https://devcentral.f5.com/wiki/iRules.NEDSRule.ashx
- docdriza_161671
Nimbostratus
I have looked at the iRule page, but it confuses me because it specifically talks about Splunk. Plus in part 4 when they talk about defining the syslog server they define version 9 and 10. I am on version 11.3. I know a little about scripting, but I cannot figure this out. I guess the thing that I am really asking is how do I define the syslog server I would like to send my logs to? Based off what was suggested, I am not sure how to do that.
- docdriza_161671
Nimbostratus
Here is code that I have attempted. Would someone be able to help me with this?

```tcl
when RULE_INIT {
    # static:: variables keep the iRule CMP-compatible on 11.x
    # (plain ::globals demote the virtual server from CMP)
    set static::inbound_vlan "4094"
    set static::device_id "clcappfw01.ssd.com"
    set static::strlimit 256
    # Carried over from the NEDS rule; not used by the events below
    set static::doAES 0
    set static::AESKey "H&^)(D(*CEH(c0jhcds9h)(&&%%$%$@"
}

when CLIENT_ACCEPTED {
    # Timestamp as seconds.microseconds
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    if { $usecs > 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set conn_start_time $secs.$usecs

    # Client-side flow identifier reused by every later event on this connection
    set clientside_client_addr [IP::client_addr]
    set clientside_client_port [TCP::client_port]
    set clientside_server_addr [IP::local_addr]
    set clientside_server_port [TCP::local_port]
    set clientflow "$clientside_client_addr:$clientside_client_port"
    append clientflow "-$clientside_server_addr:$clientside_server_port@$conn_start_time"

    # string compare returns 0 on a match, so this marks a connection
    # "Inbound" when its VLAN differs from inbound_vlan; swap the
    # branches if the opposite is intended
    set vlanid "[LINK::vlan_id]"
    if { [string compare $vlanid $static::inbound_vlan] } {
        set direction "Inbound"
    } else {
        set direction "Outbound"
    }

    set log_event "neds.f5.conn.start.v1"
    set log_content "\"$static::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$conn_start_time,"
    append log_content "\"[LINK::vlan_id]\","
    append log_content "[IP::protocol],"
    append log_content "[IP::tos],"
    append log_content "[IP::ttl],"
    append log_content "\"[virtual]\","
    append log_content "\"$direction\""
    # Replace syslogserver with the SIEM's IP address: the iRule log command
    # takes <ip>[:<port>] and forwards the message through the local syslog-ng
    log syslogserver:514 local7.info \"$log_event\",$log_content
}

when CLIENT_CLOSED {
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    if { $usecs > 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set conn_end_time $secs.$usecs

    set log_event "neds.f5.conn.end.v1"
    set log_content "\"$static::device_id\","
    append log_content "\"$clientflow\",$conn_end_time,"
    # packets and bytes: element 0 = client->server, element 1 = server->client
    append log_content "[lindex [IP::stats pkts] 0],"
    append log_content "[lindex [IP::stats pkts] 1],"
    append log_content "[lindex [IP::stats bytes] 0],"
    append log_content "[lindex [IP::stats bytes] 1]"
    log syslogserver:514 local7.info \"$log_event\",$log_content
}

when HTTP_REQUEST {
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    if { $usecs > 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set http_request_time $secs.$usecs

    # Truncate each field to strlimit and double any embedded quote so the
    # quoted CSV-style record stays parseable
    set http_host [string range [HTTP::host] 0 $static::strlimit]
    set http_host [string map {{"} {""}} $http_host]
    set http_request_uri [string range [HTTP::uri] 0 $static::strlimit]
    set http_request_uri [string map {{"} {""}} $http_request_uri]
    set http_username [string range [HTTP::username] 0 $static::strlimit]
    set http_username [string map {{"} {""}} $http_username]
    set http_user_agent [string range [HTTP::header User-Agent] 0 $static::strlimit]
    set http_user_agent [string map {{"} {""}} $http_user_agent]

    # Was "neds.f5.conn.end.v1" (copy-paste error), which would have
    # mislabelled every request record as a connection-end record
    set log_event "neds.f5.http.req.v1"
    set log_content "\"$static::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$http_request_time,"
    append log_content "[HTTP::request_num],"
    append log_content "\"$http_host\","
    append log_content "\"$http_request_uri\","
    append log_content "\"$http_username\","
    append log_content "\"$http_user_agent\""
    log syslogserver:514 local7.info \"$log_event\",$log_content
}

when HTTP_RESPONSE {
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - [expr {$secs * 1000000}]}]
    if { $usecs > 1000000 } {
        set usecs "999999"
    } else {
        set usecs [format "%06u" $usecs]
    }
    set http_reply_time $secs.$usecs

    set content_length ""
    if { [HTTP::header exists "Content-Length"] } {
        set content_length [HTTP::header "Content-Length"]
    }

    # The original compared "addr:port" with "", which can never match;
    # test the address itself so the field is empty when no member was chosen
    if { [LB::server addr] eq "" } {
        set lb_server ""
    } else {
        set lb_server "[LB::server addr]:[LB::server port]"
    }

    set status_code [HTTP::status]
    set status_code [string map {{"} {""}} $status_code]
    set content_type [HTTP::header "Content-type"]
    set content_type [string map {{"} {""}} $content_type]

    # In HTTP_RESPONSE the local/remote addresses are the server-side flow
    set serverside_client_addr [IP::local_addr]
    set serverside_client_port [TCP::local_port]
    set serverside_server_addr [IP::remote_addr]
    set serverside_server_port [TCP::remote_port]
    set serverflow "$serverside_client_addr:$serverside_client_port"
    append serverflow "-$serverside_server_addr:$serverside_server_port"

    set log_event "neds.f5.http.resp.v1"
    set log_content "\"$static::device_id\","
    append log_content "\"$clientflow\","
    append log_content "$http_reply_time,"
    append log_content "[HTTP::request_num],"
    append log_content "\"$status_code\","
    append log_content "\"$content_type\","
    append log_content "\"$content_length\","
    append log_content "\"$lb_server\","
    append log_content "\"$serverflow\""
    log syslogserver:514 local7.info \"$log_event\",$log_content
}
```
- SDnath_82757
Nimbostratus
Did you test the iRule, and how is the response?
- docdriza_161671
Nimbostratus
I have tried this, and it does not work.
- SDnath_82757
Nimbostratus
I am trying to use the request logging profile and am trying to sort the McAfee parsing.
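One way to define the syslog destination on 11.x that the thread asks about: instead of the `log` command (which needs the SIEM's IP address and goes through the local syslog-ng), use High-Speed Logging, where the destination is an ordinary LTM pool. This is an added example, not code from the thread or from F5; the pool name `siem_syslog_pool` (one member, the McAfee receiver on UDP/514) and the device id are assumptions.

```tcl
when RULE_INIT {
    set static::device_id "clcappfw01.ssd.com"
    # Assumed pool name; the SIEM is defined once as a pool member, not in the iRule
    set static::siem_pool "siem_syslog_pool"
    # HSL sends raw bytes, so the syslog header is built here:
    # <190> is the PRI for local7.info (facility 23 * 8 + severity 6)
    set static::pri "<190>"
}

when CLIENT_ACCEPTED {
    # One HSL handle per client connection, reused by the later events
    set hsl [HSL::open -proto UDP -pool $static::siem_pool]

    # seconds.microseconds, same scheme as the NEDS rule, clamped to six digits
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - ($secs * 1000000)}]
    if { $usecs < 0 || $usecs > 999999 } { set usecs 999999 }
    set conn_start_time "$secs.[format %06u $usecs]"

    set clientflow "[IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]@$conn_start_time"

    # RFC 3164 style header: <PRI>TIMESTAMP HOSTNAME TAG: then the NEDS record
    set hdr "$static::pri[clock format $secs -format {%b %d %T}] $static::device_id tmm:"
    set rec "\"neds.f5.conn.start.v1\",\"$static::device_id\",\"$clientflow\",$conn_start_time,\"[LINK::vlan_id]\",[IP::protocol],\"[virtual]\""
    HSL::send $hsl "$hdr $rec\n"
}

when CLIENT_CLOSED {
    set secs [clock seconds]
    set usecs [expr {[clock clicks] - ($secs * 1000000)}]
    if { $usecs < 0 || $usecs > 999999 } { set usecs 999999 }
    set conn_end_time "$secs.[format %06u $usecs]"

    set hdr "$static::pri[clock format $secs -format {%b %d %T}] $static::device_id tmm:"
    # packets and bytes: element 0 = client->server, element 1 = server->client
    set rec "\"neds.f5.conn.end.v1\",\"$static::device_id\",\"$clientflow\",$conn_end_time,[lindex [IP::stats pkts] 0],[lindex [IP::stats pkts] 1],[lindex [IP::stats bytes] 0],[lindex [IP::stats bytes] 1]"
    HSL::send $hsl "$hdr $rec\n"
}
```

Because HSL bypasses the local syslog daemon, a pool health monitor on the SIEM member is the only signal that the receiver is down, so give the pool one.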