F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

PSFletchTheTek's avatar
PSFletchTheTek
Icon for Cumulonimbus rankCumulonimbus
Jan 14, 2022

ELK Logs Vs F5 - Is there a complete solution anywhere? - If not, can we make one?

Hi All, This has been bothering me for some time now, I've used f5 for many years now, and its many different modules and log types have always bothered me when looking at external logging. Identify...
BIG-IP
event
security
Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Feb 02, 2022

Hey Pete
I actually wrote a logstash parser for a customer of mine a few years ago.
Too bad I could not share it due to NDAs.

However, I can share one thing which sprang out of the excercise:
https://loadbalancing.se/2020/03/11/logstash-testing-tool/

It's not what you're looking for, but it might help when writing the pipeline. At least it helped me a lot when developing parsers.

Also wanted to input that part of the reason why this was a bit painful:

  • In order to get synergy from parsing the logs the field names should match those of other sources. Makes it easier to correlate data. I have not found an opinionated database with recommended field names, but I feel that if there is a need for such. 
  • F5 logs are pretty much free text after the log header. It was (somewhat) easy to catch the common things, but I found after a while that there were subtle differences between even the standard log messages (pool member down etc) and I pulled my hair multiple times when trying to figure it out.

Kind regards,
Patrik