F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

missing support for some network profile storage format log fields #714

Open rhavenn opened 1 year ago

rhavenn commented 1 year ago

AS3: 3.44.0 BIGIP: 17.1

Using Azure F5 "best" VMs. It seems AS3 can't set the following options:

Always Log User
Log UUID field

Those don't really matter to us, but the Storage Format is also missing some fields as valid which seems odd.

acl_rule_uuid
dest_fqdn
dest_geo
dest_ipint_categories
source_fqdn
source_ipint_categories
source_user
src_geo

can't be set / added via AS3. We're currently logging all but the 2 "ipint" ones with our on-prem BigIPs. Of those, src_geo is the only one that actually seems to get any data in it that isn't blank or just "unknown", but it's also a very useful log category to run queries / reports off of. Please consider adding support for it.

Trying to add "src-geo" to my AS3 template fails as invalid, so it seems it's just not a documentation issue unless I'm guessing wrong.

My working class definition (without the missing fields) for clarity:

                "seclogprofile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "/Common/Shared/logpublisher"
                        },
                        "alwaysLogRegion": true,
                        "logIpErrors": true,
                        "logRuleMatchAccepts": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logTcpEvents": true,
                        "logTranslationFields": true,
                        "storageFormat": {
                            "delimiter": ",",
                            "fields": [
                                "date-time", "acl-policy-name", "acl-policy-type", "acl-rule-name",
                                "action", "bigip-hostname", "context-name", "context-type",
                                "dest-ip", "dest-port", "drop-reason", "management-ip-address",
                                "protocol", "route-domain", "sa-translation-pool", "sa-translation-type",
                                "src-ip", "src-port", "translated-dest-ip", "translated-dest-port",
                                "translated-ip-protocol", "translated-route-domain", "translated-src-ip",
                                "translated-src-port", "translated-vlan", "vlan"
                            ]
                        }
                    }
                },

We have some log parsers (fluentbit) that expect a specific format of log and we'll need to either adjust our syslog flow and update our on-prem devices to also not include those fields or add them manually for the time being, but they'll be wiped every time we run our AS3 deploy.
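
A pre-deploy check for the situation described in the comment above, where a delimited-log parser expects columns that the AS3 declaration does not set. This is an added example, not part of the original post or of the AS3 project; the sample declaration, the parser column list and the underscore-to-hyphen normalization are assumptions.

```python
import json

# Constructed sample: trimmed AS3 declaration using the class and property names
# from the post; the tenant and application names are hypothetical.
SAMPLE_DECLARATION = json.loads("""
{"class": "ADC",
 "ExampleTenant": {"class": "Tenant",
  "ExampleApp": {"class": "Application",
   "seclogprofile": {"class": "Security_Log_Profile",
    "network": {"storageFormat": {
      "delimiter": ",",
      "fields": ["date-time", "action", "src-ip", "dest-ip"]}}}}}}
""")

# Constructed sample: the column order a downstream parser expects, spelled with
# underscores as in the post's list of fields.
PARSER_COLUMNS = ["date_time", "action", "src_ip", "src_geo", "dest_ip"]

def norm(name):
    # Assumption: underscore and hyphen spellings refer to the same field.
    return name.strip().lower().replace("_", "-")

def find_profiles(node, path=""):
    """Yield (path, normalized fields) for each Security_Log_Profile found."""
    if not isinstance(node, dict):
        return
    if node.get("class") == "Security_Log_Profile":
        net = node.get("network")
        fmt = net.get("storageFormat") if isinstance(net, dict) else None
        if isinstance(fmt, dict):
            yield path, [norm(f) for f in fmt.get("fields", [])]
    for key, child in node.items():
        yield from find_profiles(child, f"{path}/{key}")

def check(declaration, parser_columns):
    """Per profile: expected columns that are absent, and the first column
    index where the declared order stops matching the parser's order."""
    expected = [norm(c) for c in parser_columns]
    report = {}
    for path, fields in find_profiles(declaration):
        missing = [c for c in expected if c not in fields]
        shift = next((i for i, c in enumerate(expected)
                      if i >= len(fields) or fields[i] != c), None)
        report[path] = {"missing": missing, "first_misaligned": shift}
    return report

if __name__ == "__main__":
    print(json.dumps(check(SAMPLE_DECLARATION, PARSER_COLUMNS), indent=2))
```

A non-empty `missing` list or a non-null `first_misaligned` means every column from that index on would be read into the wrong parser field after the deploy.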

rhavenn commented 1 year ago

I would think this would just be updating the proper enum in src/schema/latest/def-log-schema.json since it's clearly a valid field on the F5 side.

sunitharonan commented 7 months ago

Thanks for reaching out, have created an internal backlog item AUTOTOOL-4277. In order to prioritize this issue, please reach out to us at automation_toolchain_pm@f5.com