Multiline logs in F5 Big

Question

I am trying to Audit F5 ASM Logs in SIEM platform.

The issue is, it seems like F5 is storing some of the logs with multiline description:

This makes it very difficult to parse in SIEM as they receive all the lines in reverse order:

This log is generated from: "Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs >> Create" action.

Is there any way to have the log description in single line?

zamroni777 · Answer

i guess they are in json or xml format.if it is, the parser should not process them as plain text but as json/xml

utkc137 · Answer

I don't think so, here's a screenshot from F5 backend:&nbsp;Any way to make F5 store these as a single line event?

nikoolayy1 · Answer

Except setting a filter with a specific source and a destination that is a format like SIEM ELK, Splunk etc. I do not see way to to do it from F5 side.
&nbsp;
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/42.html

&nbsp;

Forum Discussion

Multiline logs in F5 Big

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Big-IQ HA logs

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Reminder: MFA now required to log in to DevCentral

Lightboard Lessons: Logging on BIG-IP

AWAF - Do not log Geolocation violations from the Event Log

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS