Manual Chapter : Using CGNAT Logging and Subscriber Traceability

Applies To:

Show Versions

BIG-IP LTM

15.0.1, 15.0.0, 14.1.3, 14.1.2, 14.1.0

Using CGNAT Logging and Subscriber Traceability

Overview: Configuring local logging for CGNAT

You can configure the BIG-IP system to send log messages about carrier grade network address translation (CGNAT) processes to the local Syslog database on the BIG-IP system.

Enabling logging impacts BIG-IP system performance.

When configuring local logging of CGNAT processes, it is helpful to understand the objects you need to create and why:

Object	Reason	Applies to
Destination (formatted/local)	Create a formatted log destination to format the logs in human-readable name/value pairs, and forward the logs to the local-syslog database.	Creating a formatted local log destination for CGNAT.
Publisher (local-syslog)	Create a log publisher to send logs to the previously created destination that formats the logs in name/value pairs, and forwards the logs to the local Syslog database on the BIG-IP system.	Creating a publisher to send log messages to the local Syslog database.
LSN pool	Associate a large scale NAT (LSN) pool with a log publisher in order to log messages about the traffic that uses the pool.	Configuring an LSN pool with a local Syslog log publisher.

Task summary

Creating a formatted local log destination for CGNAT

Create a formatted logging destination to specify that log messages about CGNAT processes are sent to the local Syslog database in a format that displays name/value pairs in a human-readable format.

On the Main tab, click

System

Logs

Configuration

Log Destinations

The Log Destinations screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this destination.

From the

Type

list, select

Splunk

The Splunk format is a predefined format of key value pairs.

From the

Forward To

list, select

local-syslog

Click

Finished

Creating a publisher to send log messages to the local Syslog database

Create a publisher to specify that the BIG-IP system sends formatted log messages to the local Syslog database, on the BIG-IP system.

On the Main tab, click

System

Logs

Configuration

Log Publishers

The Log Publishers screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this publisher.

For the

Destinations

setting, select the previously created destination from the

Available

list (which formats the logs in the Splunk format and forwards the logs to the local Syslog database) and move the destination to the

Selected

list.

Click

Finished

Configuring an LSN pool with a local Syslog log publisher

Before associating a large scale NAT (LSN) pool with a log publisher, ensure that at least one log publisher exists that sends formatted log messages to the local Syslog database on the BIG-IP system.

Associate an LSN pool with the log publisher that the BIG-IP system uses to send formatted log messages to the local Syslog database.

On the Main tab, click

Carrier Grade NAT

LSN Pools

The LSN Pool List screen opens.

Click the name of an LSN pool.

From the

Log Publisher

list, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.

Click

Finished

Overview: Configuring remote high-speed logging for CGNAT

You can configure the BIG-IP system to log information about carrier-grade network address translation (CGNAT) processes and send the log messages to remote high-speed log servers.

This illustration shows the association of the configuration objects for remote high-speed logging of CGNAT processes.

Associations between CGNAT remote high-speed logging configuration objects — Association of remote high-speed logging configuration objects

Task summary

Perform these tasks to configure remote high-speed logging of CGNAT processes on the BIG-IP system.

Enabling remote high-speed logging impacts BIG-IP system performance.

About the configuration objects of high-speed logging

When configuring remote high-speed logging (HSL) of CGNAT processes, it is helpful to understand the objects you need to create and why, as described here:

Object	Reason	Applies to
Pool of remote log servers	Create a pool of remote log servers to which the BIG-IP system can send log messages.	Creating a pool of remote logging servers.
Destination (formatted)	Create log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.	Creating a formatted remote high-speed log destination.
Publisher	Create a log publisher to send logs to a set of specified log destinations.	Creating a publisher.
Logging Profile (optional)	Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations.	Creating a LSN logging profile.
LSN pool	Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool.	Configuring an LSN pool.

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.

Create a pool of remote log servers to which the BIG-IP system can send log messages.

On the Main tab, click

Local Traffic

Pools

The Pool List screen opens.

Click

Create

The New Pool screen opens.

In the

Name

field, type a unique name for the pool.

Using the

New Members

setting, add the IP address for each remote logging server that you want to include in the pool:

Type an IP address in the

Address

field, or select a node address from the

Node List

Type a service number in the

Service Port

field, or select a service name from the list.

Typical remote logging servers require port

514

Click

Add

Click

Finished

Create a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.

Create a log destination of the

Remote High-Speed Log

type to specify that log messages are sent to a pool of remote log servers.

On the Main tab, click

System

Logs

Configuration

Log Destinations

The Log Destinations screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this destination.

From the

Type

list, select

Remote High-Speed Log

If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the

Remote High-Speed Log

type. With this configuration, the BIG-IP system can send data to the servers in the required format.

The BIG-IP system is configured to send an unformatted string of text to the log servers.

From the

Pool Name

list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.

From the

Protocol

list, select the protocol used by the high-speed logging pool members.

Click

Finished

Create a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.

On the Main tab, click

System

Logs

Configuration

Log Destinations

The Log Destinations screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this destination.

From the

Type

list, select a formatted logging destination, such as

Remote Syslog

Splunk

, or

IPFIX

The Splunk format is a predefined format of key value pairs.

The BIG-IP system is configured to send a formatted string of text to the log servers.

If you selected

Remote Syslog

, then from the

Syslog Format

list select a format for the logs, and then from the

High-Speed Log Destination

list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.

For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.

If you selected

Splunk

IPFIX

, then from the

Forward To

list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.

Click

Finished

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.

Create a publisher to specify where the BIG-IP system sends log messages for specific resources.

On the Main tab, click

System

Logs

Configuration

Log Publishers

The Log Publishers screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this publisher.

For the

Destinations

setting, select a destination from the

Available

list, and move the destination to the

Selected

list.

If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.

If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the

logpublisher.atomic

db key to

false

. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the

logpublisher.atomic

db key to

false

will not work to allow the logs to be written to local-syslog. The

logpublisher.atomic

db key has no effect on local-syslog.

Click

Finished

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to high-speed logging destinations.

For configuring remote high-speed logging of CGNAT processes on the BIG-IP system, these steps are optional.

On the Main tab, click

Carrier Grade NAT

Logging Profiles

LSN

The LSN logging profiles screen opens.

Click

Create

The New LSN Logging Profile screen opens.

In the

Name

field, type a unique name for the logging profile.

From the

Parent Profile

list, select a profile from which the new profile inherits properties.

For the Log Settings area, select the

Custom

check box.

For the Log Settings area, select

Enabled

for the following settings, as necessary.

Setting	Description
CSV Format	Generates log entries in comma-separated-values (CSV) format.
Start Outbound Session	Generates event log entries at the start of a translation event for an LSN client.
End Outbound Session	Generates event log entries at the end of a translation event for an LSN client.
Start Inbound Session	Generates event log entries at the start of an incoming connection event for a translated endpoint.
End Inbound Session	Generates event log entries at the end of an incoming connection event for a translated endpoint.
Quota Exceeded	Generates event log entries when an LSN client exceeds allocated resources.
Errors	Generates event log entries when LSN translation errors occur.
Subscriber ID	Allows for subscriber ID logging.

Enabling the

CSV

check box affects splunk logs because IP addresses are shown as

ip,port,rtdom

instead of

ip%rtdom:port

. Do not mix log types and only use standard syslog formats.

Click

Finished

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP system uses to send log messages to a specified destination.

On the Main tab, click

Carrier Grade NAT

LSN Pools

LSN Pool List

The LSN Pool List screen opens.

Select an LSN pool from the list.

The configuration screen for the pool opens.

From the

Log Publisher

list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.

logpublisher.atomic

db key to

false

. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the

logpublisher.atomic

db key to

false

will not work to allow the logs to be written to local-syslog. The

logpublisher.atomic

db key has no effect on local-syslog.

Optional: From the

Logging Profile

list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.

Click

Finished

You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.

Overview: Configuring IPFIX logging for CGNAT

You can configure the BIG-IP system to log information about carrier grade network address translation (CGNAT) processes and send the log messages to remote IPFIX collectors.

IPFIX is a set of IETF standards described in RFCs 5101 and 5102. The BIG-IP system supports logging of CGNAT translation events over the IPFIX protocol. IPFIX logs are raw, binary-encoded strings with their fields and field lengths defined by IPFIX templates.

IPFIX collectors

are external devices that can receive IPFIX templates, and use them to interpret IPFIX logs.

Task summary

Perform these tasks to configure IPFIX logging of CGNAT processes on the BIG-IP system.

Enabling IPFIX logging impacts BIG-IP system performance.

About the configuration objects of IPFIX logging

The configuration process involves creating and connecting the following configuration objects.

Object	Reason	Applies to
Pool of IPFIX collectors	Create a pool of remote log servers to which the BIG-IP system can send log messages.	Assembling a pool of IPFIX collectors.
Destination	Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors.	Creating an IPFIX log destination.
Publisher	Create a log publisher to send logs to a set of specified log destinations.	Creating a publisher.
Logging Profile (optional)	Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations.	Creating an LSN logging profile.
LSN pool	Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool.	Configuring an LSN pool.

Assemble a pool of IPFIX collectors

Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors that you want to include in the pool. Ensure that the remote IPFIX collectors are configured to listen to and receive log messages from the BIG-IP system.

You can create a pool of IPFIX collectors to which the system can send IPFIX log messages.

On the Main tab, click

Local Traffic

Pools

The Pool List screen opens.

Click

Create

The New Pool screen opens.

In the

Name

field, type a unique name for the pool.

Using the

New Members

setting, add the IP address for each IPFIX collector that you want to include in the pool:

Type the collector's IP address in the

Address

field, or select a node address from the

Node List

Type a port number in the

Service Port

field.

By default, IPFIX collectors listen on UDP or TCP port

4739

and Netflow V9 devices listen on port

2055

, though the port is configurable at each collector.

Click

Add

Click

Finished

Create an IPFIX log destination

A log destination of the

IPFIX

type specifies that log messages are sent to a pool of IPFIX collectors. Use these steps to create a log destination for IPFIX collectors.

On the Main tab, click

System

Logs

Configuration

Log Destinations

The Log Destinations screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this destination.

From the

Type

list, select

IPFIX

From the

Protocol

list, select

IPFIX

Netflow V9

, depending on the type of collectors you have in the pool.

From the

Pool Name

list, select an LTM pool of IPFIX collectors.

From the

Transport Profile

list, select

TCP

UDP

, or any customized profile derived from TCP or UDP.

The

Template Retransmit Interval

is the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if the

Transport Profile

is a

UDP

profile.

IPFIX template

defines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.

The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.

The

Template Delete Delay

is the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.

The

Server SSL Profile

applies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if the

Transport Profile

is a

TCP

profile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.

SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.

Click

Finished

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.

Create a publisher to specify where the BIG-IP system sends log messages for specific resources.

On the Main tab, click

System

Logs

Configuration

Log Publishers

The Log Publishers screen opens.

Click

Create

In the

Name

field, type a unique, identifiable name for this publisher.

For the

Destinations

setting, select a destination from the

Available

list, and move the destination to the

Selected

list.

If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.

logpublisher.atomic

db key to

false

. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the

logpublisher.atomic

db key to

false

will not work to allow the logs to be written to local-syslog. The

logpublisher.atomic

db key has no effect on local-syslog.

Click

Finished

Creating an LSN logging profile

You can create an LSN logging profile to allow you to configure logging options for various LSN events that apply to high-speed logging destinations.

For configuring remote high-speed logging of CGNAT processes on the BIG-IP system, these steps are optional.

On the Main tab, click

Carrier Grade NAT

Logging Profiles

LSN

The LSN logging profiles screen opens.

Click

Create

The New LSN Logging Profile screen opens.

In the

Name

field, type a unique name for the logging profile.

From the

Parent Profile

list, select a profile from which the new profile inherits properties.

For the Log Settings area, select the

Custom

check box.

For the Log Settings area, select

Enabled

for the following settings, as necessary.

Setting	Description
CSV Format	Generates log entries in comma-separated-values (CSV) format.
Start Outbound Session	Generates event log entries at the start of a translation event for an LSN client.
End Outbound Session	Generates event log entries at the end of a translation event for an LSN client.
Start Inbound Session	Generates event log entries at the start of an incoming connection event for a translated endpoint.
End Inbound Session	Generates event log entries at the end of an incoming connection event for a translated endpoint.
Quota Exceeded	Generates event log entries when an LSN client exceeds allocated resources.
Errors	Generates event log entries when LSN translation errors occur.
Subscriber ID	Allows for subscriber ID logging.

Enabling the

CSV

check box affects splunk logs because IP addresses are shown as

ip,port,rtdom

instead of

ip%rtdom:port

. Do not mix log types and only use standard syslog formats.

Click

Finished

Configuring an LSN pool

You can associate an LSN pool with a log publisher and logging profile that the BIG-IP system uses to send log messages to a specified destination.

On the Main tab, click

Carrier Grade NAT

LSN Pools

LSN Pool List

The LSN Pool List screen opens.

Select an LSN pool from the list.

The configuration screen for the pool opens.

From the

Log Publisher

list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.

logpublisher.atomic

db key to

false

. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the

logpublisher.atomic

db key to

false

will not work to allow the logs to be written to local-syslog. The

logpublisher.atomic

db key has no effect on local-syslog.

Optional: From the

Logging Profile

list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.

Click

Finished

You now have an LSN pool for which the BIG-IP system logs messages using the specified logging profile.

CGNAT Log Format Reference

Overview: CGNAT log formats

Carrier Grade Network Address Translation (CGNAT) log formats are specific to the type of logging used, for example, high-speed logging (HSL) or Splunk.

Log field descriptions

This topic lists the available log fields and provides a description of each.

Log field descriptions
Log field	Description
bigip_hostname	BIG-IP hostname.
bigip_mgmt_ip_address	BIG-IP management IP address.
bigip_software_version	BIG-IP software version. An example format is 11.4.0.132.0 .
client_ipv4_address	Client IPV4 address.
client_ipv6_address	Client IPV6 address(IPV6 or NAT64 client).
client_port	Client TCP/UDP port.
client_rtdomid	Client route domain ID.
date_time	Date and time. An example format is Apr 04 2013 08:13:26 .
destination_address	Client's destination IPV4/IPV6 address.
destination_port	Client's port.
dslite_ipv6_remote_ip	DS-Lite remote end point.
dslite_rtdomid	DS-Lite tunnel route domain ID.
duration	Duration of the translation (in ms).
egress_rtdomid	Route domain ID of the egress interface.
end	End time.
errdefs_msgno	TMM internal value.
errdefs_msg_name	TMM internal value.
internet_client_ipv4_address	IP address of the inbound client connections from the internet.
internet_client_rtdomid	Route domain ID of the inbound client connecting from the internet.
lsn_address	IPV4/IPV6 translation address.
lsn_dnat_log_version	DNAT log version.
lsn_dnat_port_range_min	LSN pool translation port range low value.
lsn_dnat_port_range_max	LSN pool translation port range high value.
lsn_dnat_prefix_list	List of LSN pool translation prefixes.
lsn_dnat_source_list	List of all the virtual server source prefixes that are attached to this lsn pool.
lsn_dnat_state	DNAT algorithm internal state.
lsn_dnat_dag_id	LSN Deterministic NAT libdag identifier.
lsn_port	TCP/UDP translation port.
lsn_rtdomid	Translation address route domain ID.
lsn_result	Reason for translation failure.
lsn_pool_name	LSN pool name with complete path. For example, /Common/lsnp1 .
protocol	UDP, TCP, or ICMP.
sa_trans_pool	Source Address Translation Pool name, for example, SNAT pool, LSN, or Automap.
start	The unixtime for the start of the translation.
timestamp	Unix time, always in UTC.
tmm_daglib_state	TMM DAG library state.

BIG-IP version 11.3.0 and 11.4.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.3.0 and 11.4.0.

This release provides the following logging changes:

CGNAT HSL and Splunk logging introduced in 11.3.0, unchanged in 11.4.0.

BIG-IP version 11.3.0 and 11.4.0 log reference
Log Message	Type	Format
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
NAT44 session create	Splunk	lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
NAT64 session create	Splunk	lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
DSLITE session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>"
DSLITE session create	Splunk	lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
NAT44/NAT64/DSLITE Translation failed	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
NAT44/NAT64/DSLITE Translation failed	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
DNAT config	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>"
DNAT config	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>"
DNAT session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
DNAT session delete	Splunk	lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

BIG-IP 11.3.0 and 11.4.0 log formats

This reference content describes the log format changes specific to BIG-IP software versions 11.3.0 and 11.4.0.

This release introduces CGNAT high-speed logging (HSL) and Splunk logging.

**NAT44 session create**
Type	Format
HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
Splunk	lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

IPFIX is not implemented for NAT44 session create.

**NAT64 session create**
Type	Format
HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
Splunk	lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

IPFIX is not implemented for NAT64 session create.

**DSLITE session create**
Type	Format
HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>"
Splunk	lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"

IPFIX is not implemented for DSLITE session create.

NAT44/NAT64/DSLITE Translation failed
Type	Format
HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

IPFIX is not implemented for NAT44/NAT64/DSLITE Translation failed.

DNAT config
Type	Format
HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>"
Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>"

IPFIX is not implemented for DNAT config.

DNAT session delete
Type	Format
HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
Splunk	lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
LTM log	DNAT connection: dnat: start=<start time in secs> end=<end time in secs> server=<destination_address>,<destination_port> local=<lsn_address>,<lsn_port> proto=<protocol_id> client=<client_ipv4_address>

IPFIX is not implemented for DNAT session delete.

BIG-IP version 11.5.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.5.0.

This release provides the following logging changes:

IPFIX logging introduced, egress_rtdomid used in logs instead of lsn_rtdomid and following new logs were added

Log delete for NAT44/NAT64/DSLITE events

Log create/delete for inbound connections

Log quota exceeded events

Log outbound create/delete with destination address/port

Log start-time/duration in delete for outbounds

BIG-IP version 11.5.0 log reference
Log Message	Type	Format
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"
NAT44 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"
NAT44 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT44 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
NAT44 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT44 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT44 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session delete	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
NAT64 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
NAT64 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
NAT64 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT64 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"
DSLITE session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE session delete	HSL	"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
DSLITE session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE inbound session create	HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
DSLITE inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE inbound session delete	HSL	"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
DSLITE inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
Translation failed	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
DNAT config	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
DNAT config	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"
DNAT session delete	HSL	"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"
DNAT session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
NAT44 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP 11.5.0 log formats

This reference content describes the log format changes specific to BIG-IP software version 11.5.0.

This release includes the following changes:

Log delete for NAT44/NAT64/DSLITE events.

Log create/delete for inbound connections.

Log quota exceeded events.

Log outbound create/delete with destination address/port.

Log start-time/duration in delete for outbounds.

NAT44 session create/delete format changes
Description	Type	Format
Without destination address/port	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>" "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""duration"
With destination address/port	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>" "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>"
Without destination address/port	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"
With destination address/port	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"

IPFIX Create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
egressVRFID	4	The LSN routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
destinationIPv4Address	2	0, if obscured.
destinationTransportPort	2	0, if obscured.
natOriginatingAddressRealm	1	1 (Private/internal realm – Subscriber side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

IPFIX Delete
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
egressVRFID	4	The LSN routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
destinationIPv4Address	2	0, if obscured.
destinationTransportPort	2	0, if obscured.
natOriginatingAddressRealm	1	1 (Private/internal realm – Subscriber side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8
flowDurationMilliseconds	4

NAT44 inbound session create/delete format changes
Type	Format
HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "<start>""<duration>"
Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE", cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNATDestinationIPV4Address	4
destinationTransportPort	2
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

NAT64 session create/delete
Description	Type	Format
Without destination address/port	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "<start>""<duration>""<start>""<duration>"
With destination address/port	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>"
Without destination address/port	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
With destination address/port	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ,duration="<duration>"

IPFIX Create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv6Address	16
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
postNATDestinationIPV4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

IPFIX Delete
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv6Address	16
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
postNATDestinationIPV4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event)
flowStartMilliseconds	8
flowDurationMilliseconds	4

NAT64 inbound session create/delete format changes
Type	Format
HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "<start>""<duration>"
Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE", cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNATDestinationIPv6Address	16	0, if obscured.
destinationTransportPort	2
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

DSLITE session create/delete
Description	Type	Format
Without destination address/port	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "<start>""<duration>"
With destination address/port	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>"
Without destination address/port	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>", duration="<duration>"
With destination address/port	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"

IPFIX Create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
sourceIPv6Address	16	IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address	4	0, if obscured.
destinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

IPFIX Delete
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
sourceIPv6Address	16	IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address	4	0, if obscured.
destinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8
flowDurationMilliseconds	4

DSLITE inbound session create/delete
Type	Format
HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>""<lsn_port>" "<start>""<duration>"
Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"

IPFIX Create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID.
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNATDestinationIPv6Address	16	DSLITE remote endpoint IPV6 address.
postNatDestinationIPv4Address	4
destinationTransportPort	2
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).

Translation failed
Type	Format
HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
natEvent	1	Translation failed.
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv6Address	16
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
natEvent	1	Translation failed.
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv4Address	4	IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP.
protocolIdentifier	1
sourceTransportPort	2
sourceIPv6Address	16	IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
natEvent	1	Translation failed.
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

DNAT config
Type	Format
HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"

IPFIX is not implemented for DNAT configuration.

DNAT session delete
Type	Format
HSL	"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"
Splunk	ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
LTM log	DNAT connection: dnat: start=<start time in secs> end=<end time in secs> server=<destination_address>,<destination_port> local=<lsn_address>,<lsn_port> proto=<protocol_id> client=<client_ipv4_address>

IPFIX is not implemented for DNAT session delete.

**NAT44 client quota exceeded**
Type	Format
HSL	"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
natEvent	1	Session Quota Exceeded/Port Quota Exceeded.
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

NAT64 client quota exceeded
Type	Description
HSL	"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk	lip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv6Address	16
natEvent	1	Session Quota Exceeded/Port Quota Exceeded.
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

DSLITE client quota exceeded
Type	Description
HSL	"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

IPFIX
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
sourceIPv6Address	16	IPv6 address for remote endpoint of the DS-Lite tunnel.
natEvent	1	Session Quota Exceeded/Port Quota Exceeded
natPoolName	Variable	This IE is omitted for NetFlow v9 compatible configurations.

BIG-IP version 11.6.0 log reference

This reference content describes the logging format specific to BIG-IP software version 11.6.0.

This release provides the following logging changes:

PBA Logging introduced.

Added ports exhausted message for NAT44, NAT64, and DSLITE

Log for DNAT inbound connections on connection end

BIG-IP version 11.6.0 log reference
Log Message	Type	Format
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"
NAT44 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>"
NAT44 session create	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>"
NAT44 session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
NAT44 session delete	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT44 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
NAT44 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT44 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT44 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session delete	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
NAT64 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"
NAT64 session create	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>"
NAT64 session delete	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
NAT64 session delete	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
NAT64 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
NAT64 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT64 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"
DSLITE session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE session delete	HSL	"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
DSLITE session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"
DSLITE session create	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE session delete	HSL	"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"
DSLITE session delete	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE inbound session create	HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>"
DSLITE inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
DSLITE inbound session delete	HSL	"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
DSLITE inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
Translation failed	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
DNAT config	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
DNAT config	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"
DNAT session delete (on connection end, and inbound connection end)	HSL	"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"
	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
NAT44 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT44 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT44 Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Ports Exhausted	HSL	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Port-block allocated	HSL	"LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block released	HSL	lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP version 11.6.0 log formats

This reference content describes the log format changes specific to BIG-IP software version 11.6.0.

This release includes log messages for the following translation modes:

Port Block Allocation (PBA)

PBA log format changes
Message	Type	Format
Port block allocated	HSL	NAT44: "LSN_PB_ALLOCATED"<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: "LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
Port block allocated	Splunk	NAT44: lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
Port-block released	HSL	NAT44: "LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: "LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: "LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
Port-block released	Splunk	NAT44: lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
Client block limit reached	HSL	NAT44: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV4 address%rtdomid>:<Client port>""<LSN pool name>" NAT64: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV6 address%rtdomid>:<Client port>""<LSN pool name>" DSLITE: "LSN_BLOCK_QUOTA_EXCEEDED""<DSLITE IPV6 address%rtdomid>""<Client IPV4 address%rtdomid>:<Client port>""<LSN pool name>"
Client block limit reached	Splunk	NAT44: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV4 address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool name>" NAT64: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6 address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool name>" DSLITE: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6 address%rtdomid>:<Client port>", dslite="<DSLITE IPV6 address%rtdomid>" sa_translation_pool="<LSN pool name>"
Ports exhausted	HSL	NAT44: "LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" NAT64: "LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" DSLITE: "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
Ports exhausted	Splunk	NAT44: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" NAT64: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" DSLITE: ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

IPFIX

NAT44 port-block allocated/released:
Field	Size (Bytes)	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv4Address	4	8	Not applicable
postNATSourceIPv4Address	4	225	Not applicable
PortRangeStart	2	361	Not applicable
PortRangeEnd	2	362	Not applicable
natEvent	1	230	13 for allocation. 14 for released.

NAT64 port-block allocated/released:
Field	Size (Bytes)	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv4Address	16	8	Not applicable
postNATSourceIPv4Address	4	225	Not applicable
PortRangeStart	2	361	Not applicable
PortRangeEnd	2	362	Not applicable
natEvent	1	230	13 for allocation. 14 for released.

DSLITE port-block allocated/released:
Field	Size (Bytes)	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv4Address	16	8	DSLITE remote endpoint address.
postNATSourceIPv4Address	4	235	Not applicable
PortRangeStart	2	361	Not applicable
PortRangeEnd	2	362	Not applicable
natEvent	1	230	13 for allocation. 14 for released.

**NAT44 client block limit reached OR ports exhausted:**
Field	Size (Bytes)	IANA IPFIX ID	Description
observationTimeMilliseconds	8	323
ingressVRFID	4	234	The client routing domain ID.
sourceIPv4Address	4	8	The egress routing domain ID.
natEvent	1	230	Client block limit reached (15) or ports exhausted (16).
natPoolName	Variable	284	This IE is omitted for NetFlow v9 compatible configurations.

**NAT64 client block limit reached OR ports exhausted:**
Field	Size (Bytes)	IANA IPFIX ID	Description
observationTimeMilliseconds	8	323
ingressVRFID	4	234	The client routing domain ID.
sourceIPv4Address	16	27	The egress routing domain ID.
natEvent	1	230	Client block limit reached (15) or ports exhausted (16).
natPoolName	Variable	284	This IE is omitted for NetFlow v9 compatible configurations.

**DSLITE client block limit reached OR ports exhausted:**
Field	Size (Bytes)	IANA IPFIX ID	Description
natEvent	1	230	Client block limit reached (15) or ports exhausted (16).
sourceIPv4Address	16	27	IPv6 address for remote endpoint of the DS-Lite tunnel.
ingressVRFID	4	234	The client routing domain ID.
natPoolName	Variable	284	This IE is omitted for NetFlow v9 compatible configurations.
observationTimeMilliseconds	8	323
sourceIPv4Address	4	8

BIG-IP version 12.0.0 log reference

This reference content describes the logging format specific to BIG-IP software version 12.0.0.

This release provides the following logging changes:

Port-block released (added start and duration)

Start time added to LSN_ADD messages.

BIG-IP version 12.0.0 log reference
Log Message	Type	Format
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>" "<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>"
NAT44 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"
NAT44 session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"
NAT44 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"
NAT44 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"
NAT44 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT44 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT44 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"
NAT44 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT44 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"
NAT64 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"
NAT64 session delete	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
NAT64 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"
NAT64 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT64 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"
NAT64 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT64 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"
DSLITE session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE session delete	HSL	"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
DSLITE session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE inbound session create	HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
DSLITE inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE inbound session delete	HSL	"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
DSLITE inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
Translation failed	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT - Translation failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT - Translation failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
DNAT config	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
DNAT config	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"
DNAT session delete (on connection end, and inbound connection end)	HSL	"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"
	Splunk	ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
NAT44 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT44 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
NAT44 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
NAT44 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT44 Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
NAT64 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
NAT64 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Port-block allocated	HSL	"LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block released	HSL	"LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
DSLITE Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
DSLITE Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP version 12.0.0 log formats

This reference content describes the log format changes specific to BIG-IP software version 12.0.0.

This release includes log messages for the following:

Port-block released (added start and duration)

Start time added to LSN_ADD messages and LSN_INBOUND_CREATE messages

Log format changes
Translation Mode	Type	Format
Port Block Allocation (PBA) log formats	HSL	NAT44:"LSN_PB_RELEASED""<Client IPV4 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>:<Port range end>""<start>""<duration>" NAT64: "LSN_PB_RELEASED""<Client IPV6 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>""<start>""<duration>" DSLITE: "LSN_PB_RELEASED""<DSLITE IPV6 address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>""<start>""<duration>"
Port Block Allocation (PBA) log formats	Splunk	NAT44: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV4 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>" NAT64: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV6 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>" DSLITE: lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<DSLITE IPV6 address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port range start>-<Port range end>",start="<start>",duration="<duration>"
NAT 44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<destination_address>""<destination_port>""<start>"
NAT 44 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"
NAT 64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
NAT 64 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
DSLITE session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
NAT44 Inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT44 Inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"
NAT64 Inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT64 Inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"
DSLITE Inbound session create	HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
DSLITE Inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"

BIG-IP version 12.1.0 log formats

This reference content describes the log format changes specific to BIG-IP software version 12.1.0.

This release includes log messages for translation failures, specifically, when a suggested resource is unavailable for iRules, or a preserve strict source port setting applies.

Log format changes
Message	Type	Format
Translation failed - iRules suggested port busy	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - iRule port busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed - iRules suggested address busy	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - iRule address busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed - Preserve strict source port busy	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation failed - Preserve strict source port busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"

BIG-IP version 12.1.1 log reference

This reference content describes the logging format specific to BIG-IP software version 12.1.1.

This release provides the following logging changes:

Log specific translation failed messages when a suggested resource is unavailable (for iRules and source port preserve strict).

BIG-IP version 12.1.1 log reference
Log Message	Type	Format
NAT44 session create	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>"
NAT44 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"
NAT44 session delete	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid >:<lsn_port>""<start>""<duration>"
NAT44 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",duration="<duration>"
NAT44 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol> ""<lsn_address>%<egress_rtdomid >:<lsn_port>;""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid >:<lsn_port>",start="<start>"
NAT44 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>:<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT44 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT44 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>"
NAT44 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT44 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>"
NAT64 session create	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"
NAT64 session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"
NAT64 session delete	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
NAT64 session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>"
NAT64 session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>"
NAT64 inbound session create	HSL	"LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
NAT64 inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>"
NAT64 inbound session delete	HSL	"LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
NAT64 inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>"
DSLITE session create	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>"
DSLITE session create	Splunk	ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE session delete	HSL	"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>"
DSLITE session delete	Splunk	ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE session create (with log.lsn.session.destination enabled)	HSL	"LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE session delete (with log.lsn.session.destination enabled)	HSL	"LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>"
	Splunk	ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>"
DSLITE inbound session create	HSL	"LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
DSLITE inbound session create	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>"
DSLITE inbound session delete	HSL	"LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>"
DSLITE inbound session delete	Splunk	ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
Translation failed	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","<lsn_result>","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
Translation failed	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN Translation Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="<lsn_result>",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
DNAT config	HSL	"<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
DNAT config	Splunk	hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT Config Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT config change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"
DNAT session delete (on connection end, and inbound connection end)	HSL	"LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>"
	Splunk	ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
NAT44 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE client quota exceeded	HSL	"LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE client quota exceeded	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT44 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT44 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
NAT44 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv4_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
NAT44 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
	IPFIX
NAT44 Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT44 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Port-block allocated	HSL	"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
NAT64 Port-block released	HSL	"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
NAT64 Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_client="<client_ipv6_address>%<client_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
NAT64 Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
NAT64 Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
NAT64 Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Port-block allocated	HSL	"LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block allocated	Splunk	lsn_event="LSN_PB_ALLOCATED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>"
DSLITE Port-block released	HSL	"LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>"
DSLITE Port-block released	Splunk	lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>", lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>"
DSLITE Client block limit reached	HSL	"LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Client block limit reached	Splunk	ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
DSLITE Ports Exhausted	HSL	"LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
DSLITE Ports Exhausted	Splunk	ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"

BIG-IP 13.0.0 log formats

This reference content describes the log format changes specific to BIG-IP software version 13.0.0.

This release includes the following changes:

In IPFIX logs, added flowStartMilliseconds to inbound/outbound NAT44, NAT64, and DSLITE create events, as well as PBA allocated/released events.

IPFIX NAT44 outbound Create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The client routing domain ID.
egressVRFID	4	The LSN routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
destinationIPv4Address	2	0, if obscured.
destinationTransportPort	2	0, if obscured.
natOriginatingAddressRealm	1	1 (Private/internal realm – Subscriber side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

IPFIX inbound create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNAPTsourceTransportPort	4
destinationTransportPort	2	0, if obscured.
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

NAT64 outbound create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID
egressVRFID	4	The client routing domain ID.
sourceIPv6Address	16
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
postNATDestinationIPV4Address	4	0, if obscured.
destinationTransportPort	2	0, if obscured.
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

NAT64 inbound create
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNATDestinationIPV6Address	16	0, if obscured.
destinationTransportPort	2
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

**DSLITE outbound create**
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
postNATSourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
postNAPTsourceTransportPort	2
sourceIPv6Address	16	IPv6 address for remote endpoint of the DS-Lite tunnel
destinationIPv4Address	2	0, if obscured.
destinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

**DSLITE inbound create**
Field	Bytes	Description
observationTimeMilliseconds	8
ingressVRFID	4	The LSN routing domain ID
egressVRFID	4	The client routing domain ID.
sourceIPv4Address	4
protocolIdentifier	1
sourceTransportPort	2
destinationIPv4Address	4
postNATDestinationIPv6Address	16	DSLITE remote endpoint IPV6 address
postNatDestinationIPv4Address	4
destinationTransportPort	2
postNAPTDestinationTransportPort	2
natOriginatingAddressRealm	1	2 (Public/external realm – Internet side).
natEvent	1	1 (Create Event) or 2 (Delete Event).
flowStartMilliseconds	8	Start time, in ms since Epoch(1/1/1970).

**NAT44 port-block allocated/released**
Field	Bytes	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv4Address	4	8
postNATSourceIPv4Address	4	225
PortRangeStart	2	361
PortRangeEnd	2	362
natEvent	1	230	13 for allocation, 14 for released
flowStartMilliseconds	8	152	Start time, in ms since Epoch(1/1/1970)

**NAT44 port-block allocated/released**
Field	Bytes	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv4Address	16	27
postNATSourceIPv4Address	4	225
PortRangeStart	2	361
PortRangeEnd	2	362
natEvent	1	230	13 for allocation, 14 for released
flowStartMilliseconds	8	152	Start time, in ms since Epoch(1/1/1970)

**DSLITE port-block allocated/released**
Field	Bytes	IANA IPFIX ID	Description
timeStamp	8	323
ingressVRFID	4	234	The client routing domain ID.
egressVRFID	4	235	The egress routing domain ID.
sourceIPv6Address	16	27	DSLITE remote endpoint address.
postNATSourceIPv4Address	4	225
PortRangeStart	2	361
PortRangeEnd	2	362
natEvent	1	230	13 for allocation, 14 for released
flowStartMilliseconds	8	152	Start time, in ms since Epoch(1/1/1970)

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP LTM

Using CGNAT Logging and Subscriber Traceability

Overview: Configuring local logging for CGNAT

Task summary

Creating a formatted local log destination for CGNAT

Creating a publisher to send log messages to the local Syslog database

Configuring an LSN pool with a local Syslog log publisher

Overview: Configuring remote high-speed logging for CGNAT

Task summary

About the configuration objects of high-speed logging

Create a pool of remote logging servers

Create a remote high-speed log destination

Create a formatted remote high-speed log destination

Create a publisher

Creating an LSN logging profile

Configuring an LSN pool

Overview: Configuring IPFIX logging for CGNAT

Task summary

About the configuration objects of IPFIX logging

Assemble a pool of IPFIX collectors

Create an IPFIX log destination

Create a publisher

Creating an LSN logging profile

Configuring an LSN pool

CGNAT Log Format Reference

Overview: CGNAT log formats

Log field descriptions

BIG-IP version 11.3.0 and 11.4.0 log reference

BIG-IP 11.3.0 and 11.4.0 log formats

BIG-IP version 11.5.0 log reference

BIG-IP 11.5.0 log formats

BIG-IP version 11.6.0 log reference

BIG-IP version 11.6.0 log formats

Port Block Allocation (PBA)

IPFIX

BIG-IP version 12.0.0 log reference

BIG-IP version 12.0.0 log formats

BIG-IP version 12.1.0 log formats

BIG-IP version 12.1.1 log reference

BIG-IP 13.0.0 log formats

Have a Question?

Follow Us

About F5

Education

F5 Sites

Support Tasks