Sending selective APM log fields to SIEM

The siem wants apm logs in a single line with few fields.

I used the custom logging agent to log these session variables as of now, is there any better way to do this and also can using the custom logging agent cause huge cpu or resource spikes on the device?

USER %{session.logon.last.username} USER-AGENT: %{session.user.agent} CLIENT-IP: %{session.user.clientip} login-result: %{session.logon.last.result} URI-ACCESS: %{session.policy.result.start_uri} LOGGED_IN_TO_OWA

OUTPUT:

Logging Agent: USER bob USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 CLIENT-IP: 172.22.70.81 LOGGED_IN_TO_OWA

APM

application delivery

Forum Discussion

Sending selective APM log fields to SIEM

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

Related Content

What is HTML Field Obfuscation?

Net Trunk API Status Field Missing

irule reject request when payload field is null

OCSP HTTP Header Specification/Example or field name of EDIPI?

The TCP Send Buffer, In-Depth