How I did it - "F5 BIG-IP Observability with Dynatrace and F5 Telemetry Streaming"
Modern application environments demand deep observability across infrastructure and services. F5 BIG-IP devices generate valuable logs for security, performance, and operational insights. By leveraging F5 Telemetry Streaming (TS), you can forward these logs to Dynatrace for centralized analysis and AI-driven correlation.
Welcome back to another edition of “How I Did It.” It’s been a while since we looked at observability… Oh wait, I just said that. Anyway, in this post I’ll walk through how I integrated F5 Telemetry Streaming with Dynatrace. To show the results, I’ve included sample dashboards that highlight how the ingested telemetry data can be visualized effectively. Let’s dive in before I repeat myself again.
Introducing Dynatrace
Dynatrace is an observability platform that can ingest and analyze logs and metrics from F5 BIG-IP devices using telemetry streaming. By correlating BIG-IP telemetry with application and infrastructure metrics, Dynatrace provides AI-driven root-cause analysis, anomaly detection, and dashboards for traffic patterns, SSL/TLS issues, and security events. This integration helps teams proactively troubleshoot load balancing and application delivery problems, optimize performance, and automate remediation for critical network services.
Generating a Dynatrace Access Token
In addition to identifying my account-specific Dynatrace ingestion endpoint (for example, “https://abcd12345.live.dynatrace.com/api/v2/logs/ingest”), I generated an access token. The token and the ingestion endpoint were used in the TS declaration that I POSTed to the BIG-IP’s TS endpoint.
- Log in to Dynatrace - Navigate to your Dynatrace environment (SaaS or Managed).
- Go to Access Token Management - In the Dynatrace UI, search for Access Tokens. Click Access Tokens (see below).
- Generate a New Token (see below)
  - Click Generate a new token.
  - Enter a meaningful name for the token (helps with future management).
  - Set an Expiration date.
  - Select 'logs.ingest' for the required scope. Optionally, I could also include 'metrics.ingest' if I were configuring TS to send metrics.
  - Click Generate token.
- Copy and Store the Token - The token will be displayed only once. Copy it and store it securely (e.g., password manager). Treat the token like a password—do not share or log it.
Configure Telemetry Streaming
With my token generated, I turned my attention to configuring BIG-IP for telemetry streaming. Fortunately, with F5’s Automation Toolchain, configuring the BIG-IP is quite simple. Specifically, I used F5 BIG-IP Application Services 3 Extension (AS3) to install the various logging resources and profiles required to support telemetry streaming. Here are links for AS3 installation and TS installation guidance.
AS3 Declaration
I used Postman to POST an AS3 declaration to configure telemetry resources. The below declaration deploys the required BIG-IP objects for pushing event data to a third-party vendor. Notably, it created two logging profiles, which I attached to my application’s virtual server. In addition to basic system information, I configured TS to capture F5 Local Traffic Manager (LTM) request/response telemetry as well as F5 Advanced WAF events.
TS Declaration
Still using Postman, I POSTed my TS declaration (sample). I provided my Dynatrace account ID and the access token created previously (see below).
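The Python helper below is an added example, not the declaration used in this post and not F5's sample: it assembles a TS declaration from the ingestion endpoint and access token, and produces a copy with the token secret masked so it can be pasted into a ticket or log. The `Generic_HTTP` consumer layout, the `Api-Token` authorization header, the object names and the token pattern are assumptions; the token in the demo is constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed Dynatrace token layout: dt0c01.<24-char public id>.<64-char secret>.
TOKEN_RE = re.compile(r"(dt0c01\.[A-Z0-9]{24})\.[A-Z0-9]{64}")


def build_declaration(ingest_url: str, token: str) -> dict:
    """Turn a log-ingest URL and token into a TS declaration (assumed layout)."""
    url = urlsplit(ingest_url)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("ingest endpoint must be an https:// URL")
    if not url.path.endswith("/api/v2/logs/ingest"):
        raise ValueError("URL is not a Dynatrace log-ingest endpoint")
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("value does not look like a Dynatrace access token")
    return {
        "class": "Telemetry",
        # Hypothetical object names; 6514 is the TS event listener default.
        "Dynatrace_Listener": {"class": "Telemetry_Listener", "port": 6514},
        "Dynatrace_Consumer": {
            "class": "Telemetry_Consumer",
            "type": "Generic_HTTP",
            "host": url.hostname,
            "protocol": "https",
            "port": url.port or 443,
            "path": url.path,
            "method": "POST",
            "headers": [
                {"name": "Content-Type", "value": "application/json"},
                {"name": "Authorization", "value": f"Api-Token {token}"},
            ],
        },
    }


def redacted(declaration: dict) -> str:
    """Serialize for logs or tickets: keep the public id, mask the secret."""
    return TOKEN_RE.sub(r"\1.<redacted>", json.dumps(declaration, indent=2))


if __name__ == "__main__":
    # Constructed token and the post's example endpoint; neither is real.
    sample_token = "dt0c01." + "A" * 24 + "." + "B" * 64
    decl = build_declaration(
        "https://abcd12345.live.dynatrace.com/api/v2/logs/ingest", sample_token)
    print(redacted(decl))
```

In practice, pass the token in from an environment variable or secret store so it never lands in a saved Postman collection or shell history.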
Associate Logging Profiles to Virtual Server
The final step in configuring the BIG-IP for telemetry streaming is associating the logging profiles I just created with my existing virtual server. In addition to system telemetry, these logging profiles, when assigned to a virtual server, send LTM and Advanced WAF telemetry.
- From the BIG-IP management UI, I select ‘Local Traffic’ → ‘Virtual Servers’ → <virtual>.
- Under ‘Configuration’ I select ‘Advanced’, scroll down and select the request logging profiles previously created by AS3. I select ‘Update’ at the bottom of the page to save.
- From the top of the virtual server page, I select ‘Security’ → ‘Policies’. From the policy settings page, I can see that there is an existing WAF policy associated with my application. To enable ASM logging, I select the previously created ASM logging profile from the available logging profiles and select ‘Update’ to save my changes.
With the configuration process complete, I should now start seeing event data in my Dynatrace account.
Import Dashboards
“Ok, so I have event data streaming into my Dynatrace environment; now what?” To validate log ingestion, I used dashboards to visualize my telemetry data as well as monitor BIG-IP resources/processes. To finish up, I downloaded both the BIG-IP System Overview and the BIG-IP Advanced WAF dashboard JSON files and used the following steps to import the custom dashboards visualizing BIG-IP metrics and Advanced WAF (formerly ASM) attack information.
- From the Dynatrace UI, I navigate to the Dashboards page by selecting ‘Dashboards’, and from the top menu bar I select ‘Upload’ (see below).
- I select my downloaded files from my local file system and upload them.
With the dashboards imported, I was able to validate that my logs were being successfully ingested into the Dynatrace platform.