Multiline logs in F5 Big

Question

I am trying to Audit F5 ASM Logs in SIEM platform.

The issue is, it seems like F5 is storing some of the logs with multiline description:

This makes it very difficult to parse in SIEM as they receive all the lines in reverse order:

This log is generated from: "Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs >> Create" action.

Is there any way to have the log description in single line?

zamroni777 · Answer

i guess they are in json or xml format.if it is, the parser should not process them as plain text but as json/xml

utkc137 · Answer

I don't think so, here's a screenshot from F5 backend:&nbsp;Any way to make F5 store these as a single line event?

nikoolayy1 · Answer

Except setting a filter with a specific source and a destination that is a format like SIEM ELK, Splunk etc. I do not see way to to do it from F5 side.
&nbsp;
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/42.html

&nbsp;

Forum Discussion

Multiline logs in F5 Big

3 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

iRule causing requests to be duplicated (sometimes)

SSL Bridging and FQDN rewrite Policy

How can I get started with iCall

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

Could not communicate with the system. Try to reload page.

Related Content

Implementing BIG-IP WAF logging and visibility with ELK

Automating Certificate Management on F5 BIG-IP

Mitigating OWASP Web Application Risk: Security Logging & Monitoring Failures using F5 BIG-IP

BIG-IP security hardening and compliance checks

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS