They are coming into the HF through syslog UDP port.

1. And you have the add-on installed on the HF?

2. Have you configured your F5 to properly export the data (AFAIR there's a section in the docs describing required configuration which needs to be performed on the F5's side)

Hi @marka3721 ,

in this case, check the regexes used in transformations:

take some log samples and put them in tegex101.com; then use this regex and see what it captures as group1

^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)

if it captures the correct extension of the sourcetype it's correct, otherwise, modify it to adapt it to your different log format.

Only one final question: what's the sourcetype of your logs?

it should be fortigate_log or fgt_log, otherwise transformations aren't taken in consideration.

Ciao.

Giuseppe

We have it set to f5:bigip:syslog

Hi @marka3721 ,

You are right! sorry I confused f5 with fortinet!
Anyway, take the transformation you find in the add-on transforms.conf and try it out.

the transformations to search and verify in transforms.conf are: f5_bigip-icontrol-locallb, f5_bigip-icontrol-globallb, f5_bigip-icontrol-networking, f5_bigip-icontrol-management, f5_bigip-icontrol-system-systeminfo, f5_bigip-icontrol-system-statistics, f5_bigip-icontrol-system-disk, f5_bigip-icontrol-management-device, f5_bigip-icontrol-networking-interfaces, f5_bigip-icontrol-networking-adminip, f5_bigip-icontrol-locallb-pool, f5_bigip-icontrol-management-usermanagement.

check if those regexes match your data or you need to modify them to adapt to your logs.

If you have to modify them, remember to copy the thansforms.conf file in the local folder before modifying it.

Ciao.

Giuseppe