andy220_332493
Sep 19, 2017

Syslog records format for AFM DoS attack detection

Dear Gents,

I am working as an engineer at an ISP and I am analysing syslog files in which DoS attacks detected by the AFM feature are recorded. One of my syslog records has the following structure:

Sep 11 00:05:04 pf5dma301.mobile.belgacom.be tmm[10183] "Sep 11 2017 00:05:03","10.42.67.20","aaa.bbb.ccc.com","/Common/VS_ANY_IPv4-PUBLIC_IN_2","176.126.83.66","109.143.31.9","48261","50804","0","/Common/external-IPv4","Sweep attack","4087591717","Attack Sampled","Allow","1","0","0000000000000000", "Enforced", "Aggregate"

Q1: I am looking for a good reference describing the format of this record. Searching DevCentral gave me only unrelated results.

Q2: I did some Linux shell scripting on the logs and found there are 1.5 million attack events in a day. That is really a lot, and AFM brings significant load on the F5.

Q3: Are attacker connections logged on every attacker request?

Any useful comment or experience with AFM would be highly welcome.

Thanks

Regards

Andrew
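As an added example (not part of the post, and not F5's own tooling), here is a small Python parser for records shaped like the one quoted above: it splits the syslog prefix from the quoted CSV body and aggregates events per attack id, which is one way to get at the per-attack counts behind Q2 and Q3. The field positions it relies on (the two address fields, attack name, attack id, action) are assumptions read off that single sample record, not documented field names, and the sample log lines are constructed variants of the quoted one.

```python
import csv
import re
from collections import Counter, defaultdict

# Syslog prefix "Mon DD HH:MM:SS host proc[pid] " followed by a body that starts with a quote.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\] (?P<body>".*)$'
)
# ASSUMED positional meaning of the fields used below, inferred from the single
# record in the post; the vendor documentation the poster asks for is the authority.
IDX_ADDR_A = 4                          # first of the two address fields (taken as the source)
IDX_ATTACK_NAME, IDX_ATTACK_ID, IDX_ACTION = 10, 11, 13
EXPECTED_FIELDS = 19                    # number of CSV fields in the quoted record

# Constructed sample: the record quoted in the post, two variants of it, and an unrelated line.
SAMPLE = [
    'Sep 11 00:05:04 pf5dma301.mobile.belgacom.be tmm[10183] "Sep 11 2017 00:05:03","10.42.67.20","aaa.bbb.ccc.com","/Common/VS_ANY_IPv4-PUBLIC_IN_2","176.126.83.66","109.143.31.9","48261","50804","0","/Common/external-IPv4","Sweep attack","4087591717","Attack Sampled","Allow","1","0","0000000000000000", "Enforced", "Aggregate"',
    'Sep 11 00:05:04 pf5dma301.mobile.belgacom.be tmm[10183] "Sep 11 2017 00:05:03","10.42.67.20","aaa.bbb.ccc.com","/Common/VS_ANY_IPv4-PUBLIC_IN_2","176.126.83.66","109.143.31.10","48262","50804","0","/Common/external-IPv4","Sweep attack","4087591717","Attack Sampled","Allow","1","0","0000000000000000", "Enforced", "Aggregate"',
    'Sep 11 00:05:05 pf5dma301.mobile.belgacom.be tmm[10183] "Sep 11 2017 00:05:04","10.42.67.20","aaa.bbb.ccc.com","/Common/VS_ANY_IPv4-PUBLIC_IN_2","176.126.83.67","109.143.31.9","48263","50804","0","/Common/external-IPv4","Sweep attack","4087591718","Attack Sampled","Allow","1","0","0000000000000000", "Enforced", "Aggregate"',
    'Sep 11 00:05:05 pf5dma301.mobile.belgacom.be tmm[10183] unrelated tmm message without a CSV body',
]


def parse_record(line):
    """Return (syslog prefix dict, CSV fields) or None when the line is not an AFM event record."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # skipinitialspace handles the ', "Enforced"' spacing visible in the sample.
    fields = next(csv.reader([m.group("body")], skipinitialspace=True))
    if len(fields) != EXPECTED_FIELDS:
        return None                     # unexpected layout: skip rather than mis-assign fields
    return m.groupdict(), fields


def summarize(lines):
    """Per attack id: event count, distinct first-address values, actions; plus count of skipped lines."""
    stats = defaultdict(lambda: {"name": None, "events": 0, "addr_a": set(), "actions": Counter()})
    skipped = 0
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            skipped += 1
            continue
        _, f = parsed
        s = stats[f[IDX_ATTACK_ID]]
        s["name"], s["events"] = f[IDX_ATTACK_NAME], s["events"] + 1
        s["addr_a"].add(f[IDX_ADDR_A])
        s["actions"][f[IDX_ACTION]] += 1
    return dict(stats), skipped
```

Run `summarize(open("/var/log/ltm").readlines())` (path assumed) over a day of logs to see how many records share one attack id, which is the quickest way to tell whether the count the poster saw is per-connection events or repeated samples of a few attacks.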
