At first glance that looks like a question for the forum of your SIEM; they can most likely suggest a filter or search to make this happen.
Or do you want the F5 BIG-IP to only send specific logs?
Thanks boneyard for the tips.
In fact, we have an internal SIEM, and I want to separate all the logs sent. For example, a system of locals or Audit.
Because I want to detect the number of login failures, config changes, etc.
In your opinion, should I define a template or filter from the syslog and detect the details that I want?