Manual Chapter :
Using CGNAT Logging and Subscriber Traceability
Applies To:
Show VersionsBIG-IP LTM
- 15.0.1, 15.0.0, 14.1.3, 14.1.2, 14.1.0
Using CGNAT Logging and Subscriber Traceability
Overview: Configuring local logging for CGNAT
You can configure the BIG-IP system to send log messages about carrier
grade network address translation (CGNAT) processes to the local Syslog database on the BIG-IP
system.
Enabling logging impacts BIG-IP system performance.
When configuring local logging of CGNAT processes, it is helpful to understand the objects you
need to create and why:
Object | Reason | Applies to |
---|---|---|
Destination (formatted/local) | Create a formatted log destination to format the logs in human-readable name/value pairs, and forward the logs to the local-syslog database. | Creating a formatted local log destination for CGNAT. |
Publisher (local-syslog) | Create a log publisher to send logs to the previously created destination that formats the logs in name/value pairs, and forwards the logs to the local Syslog database on the BIG-IP system. | Creating a publisher to send log messages to the local Syslog database. |
LSN pool | Associate a large scale NAT (LSN) pool with a log publisher in order to log messages about the traffic that uses the pool. | Configuring an LSN pool with a local Syslog log publisher. |
Task summary
Creating a formatted local log destination for CGNAT
Create a formatted logging destination to specify that log messages about CGNAT
processes are sent to the local Syslog database in a format that displays name/value
pairs in a human-readable format.
- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectSplunk.The Splunk format is a predefined format of key value pairs.
- From theForward Tolist, selectlocal-syslog.
- ClickFinished.
Creating a publisher to send log messages to the local Syslog database
Create a publisher to specify that the BIG-IP system sends formatted log messages to
the local Syslog database, on the BIG-IP system.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select the previously created destination from theAvailablelist (which formats the logs in the Splunk format and forwards the logs to the local Syslog database) and move the destination to theSelectedlist.
- ClickFinished.
Configuring an LSN
pool with a local Syslog log publisher
Before associating a large scale NAT (LSN) pool with a log publisher, ensure that at
least one log publisher exists that sends formatted log messages to the local Syslog
database on the BIG-IP system.
Associate an LSN pool with the log publisher that
the BIG-IP system uses to send formatted log messages to the local Syslog
database.
- On the Main tab, click.The LSN Pool List screen opens.
- Click the name of an LSN pool.
- From theLog Publisherlist, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.
- ClickFinished.
Overview: Configuring remote high-speed logging for CGNAT
You can configure the BIG-IP system to log information about
carrier-grade network address translation (CGNAT) processes and send the log messages to remote
high-speed log servers.
This illustration shows the association of the configuration objects for remote high-speed
logging of CGNAT processes.
Task summary
Perform these tasks to configure remote high-speed logging of
CGNAT processes on the BIG-IP system. Enabling remote high-speed logging
impacts BIG-IP system performance.
About the configuration objects of high-speed logging
When configuring remote high-speed logging (HSL) of CGNAT processes, it is helpful to
understand the objects you need to create and why, as described here:
Object | Reason | Applies to |
---|---|---|
Pool of remote log servers | Create a pool of remote log servers to which the BIG-IP system
can send log messages. | Creating a pool of remote logging servers. |
Destination (formatted) | Create log destination to format the logs in the required format and forward the logs
to a remote high-speed log destination. | Creating a formatted remote high-speed log destination. |
Publisher | Create a log publisher to send logs to a set of specified log destinations. | Creating a publisher. |
Logging Profile (optional) | Create a logging profile to configure logging options for various large scale NAT (LSN)
events. The options apply to all HSL destinations. | Creating a LSN logging profile. |
LSN pool | Associate an LSN pool with a logging profile and log publisher in order to log messages
about the traffic that uses the pool. | Configuring an LSN pool. |
Create a pool of remote logging servers
Before creating a pool of log servers, gather the IP addresses of the servers that
you want to include in the pool. Ensure that the remote log servers are configured to
listen to and receive log messages from the BIG-IP
system.
Create a pool of remote log servers to which the BIG-IP system can send log
messages.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Using theNew Memberssetting, add the IP address for each remote logging server that you want to include in the pool:
- Type an IP address in theAddressfield, or select a node address from theNode List.
- Type a service number in theService Portfield, or select a service name from the list.Typical remote logging servers require port514.
- ClickAdd.
- ClickFinished.
Create a remote high-speed log destination
Before creating a remote high-speed log destination, ensure that at least one pool
of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to
specify that log messages are sent to a pool of remote log servers.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectRemote High-Speed Log.If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of theRemote High-Speed Logtype. With this configuration, the BIG-IP system can send data to the servers in the required format.The BIG-IP system is configured to send an unformatted string of text to the log servers.
- From thePool Namelist, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
- From theProtocollist, select the protocol used by the high-speed logging pool members.
- ClickFinished.
Create a formatted remote high-speed log destination
Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a
pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, select a formatted logging destination, such asRemote Syslog,Splunk, orIPFIX.The Splunk format is a predefined format of key value pairs.The BIG-IP system is configured to send a formatted string of text to the log servers.
- If you selectedRemote Syslog, then from theSyslog Formatlist select a format for the logs, and then from theHigh-Speed Log Destinationlist, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
- If you selectedSplunkorIPFIX, then from theForward Tolist, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
- ClickFinished.
Create a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select a destination from theAvailablelist, and move the destination to theSelectedlist.If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb key tofalse. If all the remote high-speed log (HSL) destinations are down (unavailable), setting thelogpublisher.atomicdb key tofalsewill not work to allow the logs to be written to local-syslog. Thelogpublisher.atomicdb key has no effect on local-syslog.
- ClickFinished.
Creating an LSN logging profile
You can create an LSN logging profile to allow you to configure logging options for
various LSN events that apply to high-speed logging destinations.
For
configuring remote high-speed logging of CGNAT processes on the BIG-IP system, these steps are optional.
- On the Main tab, click.The LSN logging profiles screen opens.
- ClickCreate.The New LSN Logging Profile screen opens.
- In theNamefield, type a unique name for the logging profile.
- From theParent Profilelist, select a profile from which the new profile inherits properties.
- For the Log Settings area, select theCustomcheck box.
- For the Log Settings area, selectEnabledfor the following settings, as necessary.SettingDescriptionCSV FormatGenerates log entries in comma-separated-values (CSV) format.Start Outbound SessionGenerates event log entries at the start of a translation event for an LSN client.End Outbound SessionGenerates event log entries at the end of a translation event for an LSN client.Start Inbound SessionGenerates event log entries at the start of an incoming connection event for a translated endpoint.End Inbound SessionGenerates event log entries at the end of an incoming connection event for a translated endpoint.Quota ExceededGenerates event log entries when an LSN client exceeds allocated resources.ErrorsGenerates event log entries when LSN translation errors occur.Subscriber IDAllows for subscriber ID logging.Enabling theCSVcheck box affects splunk logs because IP addresses are shown asip,port,rtdominstead ofip%rtdom:port. Do not mix log types and only use standard syslog formats.
- ClickFinished.
Configuring an LSN
pool
You can associate an LSN pool with a log publisher
and logging profile that the BIG-IP system uses to send log messages to a specified
destination.
- On the Main tab, click.The LSN Pool List screen opens.
- Select an LSN pool from the list.The configuration screen for the pool opens.
- From theLog Publisherlist, select the log publisher the BIG-IP system uses to send log messages to a specified destination.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb key tofalse. If all the remote high-speed log (HSL) destinations are down (unavailable), setting thelogpublisher.atomicdb key tofalsewill not work to allow the logs to be written to local-syslog. Thelogpublisher.atomicdb key has no effect on local-syslog.
- Optional: From theLogging Profilelist, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
- ClickFinished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified
logging profile.
Overview: Configuring IPFIX logging for CGNAT
You can configure the BIG-IP system to log information about carrier
grade network address translation (CGNAT) processes and send the log messages to remote IPFIX
collectors.
IPFIX is a set of IETF standards described in RFCs 5101 and 5102. The BIG-IP system supports
logging of CGNAT translation events over the IPFIX protocol. IPFIX logs are raw, binary-encoded
strings with their fields and field lengths defined by IPFIX templates.
IPFIX
collectors
are external devices that can receive IPFIX templates, and use them to
interpret IPFIX logs.Task summary
Perform these tasks to configure IPFIX logging of CGNAT
processes on the BIG-IP system. Enabling IPFIX logging impacts BIG-IP system
performance.
About the configuration objects of IPFIX logging
The configuration process involves creating and connecting the following configuration
objects.
Object | Reason | Applies to |
---|---|---|
Pool of IPFIX collectors | Create a pool of remote log servers to which the BIG-IP system can send log messages.
| Assembling a pool of IPFIX collectors. |
Destination | Create a log destination to format the logs in IPFIX templates, and forward the logs to the IPFIX collectors. | Creating an IPFIX log destination. |
Publisher | Create a log publisher to send logs to a set of specified log destinations. | Creating a publisher. |
Logging Profile (optional) | Create a logging profile to configure logging options for various large scale NAT (LSN) events. The options apply to all HSL destinations. | Creating an LSN logging profile. |
LSN pool | Associate an LSN pool with a logging profile and log publisher in order to log messages about the traffic that uses the pool. | Configuring an LSN pool. |
Assemble a pool
of IPFIX collectors
Before creating a pool of IPFIX collectors, gather the IP addresses of the collectors
that you want to include in the pool. Ensure that the remote IPFIX collectors are
configured to listen to and receive log messages from the BIG-IP system.
You can create a pool of IPFIX collectors to
which the system can send IPFIX log messages.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Using theNew Memberssetting, add the IP address for each IPFIX collector that you want to include in the pool:
- Type the collector's IP address in theAddressfield, or select a node address from theNode List.
- Type a port number in theService Portfield.By default, IPFIX collectors listen on UDP or TCP port4739and Netflow V9 devices listen on port2055, though the port is configurable at each collector.
- ClickAdd.
- ClickFinished.
Create an IPFIX log destination
A log destination of the
IPFIX
type specifies that log
messages are sent to a pool of IPFIX collectors. Use these steps to create a log
destination for IPFIX collectors.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectIPFIX.
- From theProtocollist, selectIPFIXorNetflow V9, depending on the type of collectors you have in the pool.
- From thePool Namelist, select an LTM pool of IPFIX collectors.
- From theTransport Profilelist, selectTCP,UDP, or any customized profile derived from TCP or UDP.
- TheTemplate Retransmit Intervalis the time between transmissions of IPFIX templates to the pool of collectors. The BIG-IP system only retransmits its templates if theTransport Profileis aUDPprofile.AnIPFIX templatedefines the field types and byte lengths of the binary IPFIX log messages. The logging destination sends the template for a given log type (for example, NAT44 logs or customized logs from an iRule) before sending any of those logs, so that the IPFIX collector can read the logs of that type. The logging destination assigns a template ID to each template, and places the template ID into each log that uses that template.The log destination periodically retransmits all of its IPFIX templates over a UDP connection. The retransmissions are helpful for UDP connections, which are lossy.
- TheTemplate Delete Delayis the time that the BIG-IP device should pause between deleting an obsolete template and re-using its template ID. This feature is helpful for systems that can create custom IPFIX templates with iRules.
- TheServer SSL Profileapplies Secure Socket Layer (SSL) or Transport Layer Security (TLS) to TCP connections. You can only choose an SSL profile if theTransport Profileis aTCPprofile. Choose an SSL profile that is appropriate for the IPFIX collectors' SSL/TLS configuration.SSL or TLS requires extra processing and therefore slows the connection, so we only recommend this for sites where the connections to the IPFIX collectors have a potential security risk.
- ClickFinished.
Create a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select a destination from theAvailablelist, and move the destination to theSelectedlist.If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or IPFIX.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb key tofalse. If all the remote high-speed log (HSL) destinations are down (unavailable), setting thelogpublisher.atomicdb key tofalsewill not work to allow the logs to be written to local-syslog. Thelogpublisher.atomicdb key has no effect on local-syslog.
- ClickFinished.
Creating an LSN logging profile
You can create an LSN logging profile to allow you to configure logging options for
various LSN events that apply to high-speed logging destinations.
For
configuring remote high-speed logging of CGNAT processes on the BIG-IP system, these steps are optional.
- On the Main tab, click.The LSN logging profiles screen opens.
- ClickCreate.The New LSN Logging Profile screen opens.
- In theNamefield, type a unique name for the logging profile.
- From theParent Profilelist, select a profile from which the new profile inherits properties.
- For the Log Settings area, select theCustomcheck box.
- For the Log Settings area, selectEnabledfor the following settings, as necessary.SettingDescriptionCSV FormatGenerates log entries in comma-separated-values (CSV) format.Start Outbound SessionGenerates event log entries at the start of a translation event for an LSN client.End Outbound SessionGenerates event log entries at the end of a translation event for an LSN client.Start Inbound SessionGenerates event log entries at the start of an incoming connection event for a translated endpoint.End Inbound SessionGenerates event log entries at the end of an incoming connection event for a translated endpoint.Quota ExceededGenerates event log entries when an LSN client exceeds allocated resources.ErrorsGenerates event log entries when LSN translation errors occur.Subscriber IDAllows for subscriber ID logging.Enabling theCSVcheck box affects splunk logs because IP addresses are shown asip,port,rtdominstead ofip%rtdom:port. Do not mix log types and only use standard syslog formats.
- ClickFinished.
Configuring an LSN
pool
You can associate an LSN pool with a log publisher
and logging profile that the BIG-IP system uses to send log messages to a specified
destination.
- On the Main tab, click.The LSN Pool List screen opens.
- Select an LSN pool from the list.The configuration screen for the pool opens.
- From theLog Publisherlist, select the log publisher the BIG-IP system uses to send log messages to a specified destination.If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set thelogpublisher.atomicdb key tofalse. If all the remote high-speed log (HSL) destinations are down (unavailable), setting thelogpublisher.atomicdb key tofalsewill not work to allow the logs to be written to local-syslog. Thelogpublisher.atomicdb key has no effect on local-syslog.
- Optional: From theLogging Profilelist, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
- ClickFinished.
You now have an LSN pool for which the BIG-IP system logs messages using the specified
logging profile.
CGNAT Log Format Reference
Overview: CGNAT log formats
Carrier Grade Network Address Translation (CGNAT) log formats are specific to the type of
logging used, for example, high-speed logging (HSL) or Splunk.
Log field descriptions
This topic lists the available log fields and provides a description of each.
Log field | Description |
---|---|
bigip_hostname | BIG-IP hostname. |
bigip_mgmt_ip_address | BIG-IP management IP address. |
bigip_software_version | BIG-IP software version. An example format is
11.4.0.132.0 . |
client_ipv4_address | Client IPV4 address. |
client_ipv6_address | Client IPV6 address(IPV6 or NAT64 client). |
client_port | Client TCP/UDP port. |
client_rtdomid | Client route domain ID. |
date_time | Date and time. An example format is Apr 04 2013
08:13:26 . |
destination_address | Client's destination IPV4/IPV6 address. |
destination_port | Client's port. |
dslite_ipv6_remote_ip | DS-Lite remote end point. |
dslite_rtdomid | DS-Lite tunnel route domain ID. |
duration | Duration of the translation (in ms). |
egress_rtdomid | Route domain ID of the egress interface. |
end | End time. |
errdefs_msgno | TMM internal value. |
errdefs_msg_name | TMM internal value. |
internet_client_ipv4_address | IP address of the inbound client connections from the internet. |
internet_client_rtdomid | Route domain ID of the inbound client connecting from the internet. |
lsn_address | IPV4/IPV6 translation address. |
lsn_dnat_log_version | DNAT log version. |
lsn_dnat_port_range_min | LSN pool translation port range low value. |
lsn_dnat_port_range_max | LSN pool translation port range high value. |
lsn_dnat_prefix_list | List of LSN pool translation prefixes. |
lsn_dnat_source_list | List of all the virtual server source prefixes that are attached to this lsn
pool. |
lsn_dnat_state | DNAT algorithm internal state. |
lsn_dnat_dag_id | LSN Deterministic NAT libdag identifier. |
lsn_port | TCP/UDP translation port. |
lsn_rtdomid | Translation address route domain ID. |
lsn_result | Reason for translation failure. |
lsn_pool_name | LSN pool name with complete path. For example,
/Common/lsnp1 . |
protocol | UDP, TCP, or ICMP. |
sa_trans_pool | Source Address Translation Pool name, for example, SNAT pool, LSN, or
Automap. |
start | The unixtime for the start of the translation. |
timestamp | Unix time, always in UTC. |
tmm_daglib_state | TMM DAG library state. |
BIG-IP version 11.3.0 and 11.4.0 log
reference
This reference content describes the logging format specific to BIG-IP software version
11.3.0 and 11.4.0.
This release provides the following logging changes:
- CGNAT HSL and Splunk logging introduced in 11.3.0, unchanged in 11.4.0.
Log Message | Type | Format |
---|---|---|
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
Splunk | lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
Splunk | lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" | |
DSLITE session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>" |
Splunk | lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" | |
NAT44/NAT64/DSLITE Translation failed | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" | |
DNAT config | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>" | |
DNAT session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
Splunk | lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
BIG-IP 11.3.0 and 11.4.0 log formats
This reference content describes the log format changes specific to BIG-IP software versions 11.3.0 and 11.4.0.
This release introduces CGNAT high-speed logging (HSL) and Splunk logging.
Type | Format |
---|---|
HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
Splunk | lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
IPFIX is not implemented for NAT44 session create.
Type | Format |
---|---|
HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
Splunk | lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>" |
IPFIX is not implemented for NAT64 session create.
Type | Format |
---|---|
HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<dslite_ipv6_remote_ip>%<dslite_rtdomid>"
|
Splunk | lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
|
IPFIX is not implemented for DSLITE session create.
Type | Format |
---|---|
HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<lsn_address>","<lsn_port>","<lsn_rtdomid>"
|
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>"
|
IPFIX is not implemented for NAT44/NAT64/DSLITE Translation failed.
Type | Format |
---|---|
HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>"
|
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config change",severity="6",tmm_daglib_state="<tmm_daglib_state>"
|
IPFIX is not implemented for DNAT config.
Type | Format |
---|---|
HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>"
|
Splunk | lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>"
|
LTM log | DNAT connection: dnat: start=<start time in secs> end=<end time in
secs> server=<destination_address>,<destination_port>
local=<lsn_address>,<lsn_port> proto=<protocol_id>
client=<client_ipv4_address> |
IPFIX is not implemented for DNAT session delete.
BIG-IP version 11.5.0 log reference
This reference content describes the logging format specific to BIG-IP software version
11.5.0.
This release provides the following logging changes:
- IPFIX logging introduced, egress_rtdomid used in logs instead of lsn_rtdomid and following new logs were added
- Log delete for NAT44/NAT64/DSLITE events
- Log create/delete for inbound connections
- Log quota exceeded events
- Log outbound create/delete with destination address/port
- Log start-time/duration in delete for outbounds
Log Message | Type | Format |
---|---|---|
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" | |
NAT44 session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",duration="<duration>" | |
NAT44 session create (with log.lsn.session.destination
enabled) | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" | |
NAT44 session delete (with log.lsn.session.destination
enabled) | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT44 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT44 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" | |
NAT64 session delete | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" | |
NAT64 session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
NAT64 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE session delete | HSL | "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE inbound session create | HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE inbound session delete | HSL | "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
Translation failed | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" | |
DNAT config | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>" | |
DNAT session delete | HSL | "LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>" | |
NAT44 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
BIG-IP 11.5.0 log formats
This reference content describes the log format changes specific to BIG-IP software version 11.5.0.
This release includes the following changes:
- Log delete for NAT44/NAT64/DSLITE events.
- Log create/delete for inbound connections.
- Log quota exceeded events.
- Log outbound create/delete with destination address/port.
- Log start-time/duration in delete for outbounds.
Description | Type | Format |
---|---|---|
Without destination address/port | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>" "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>""duration" |
With destination address/port | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>" "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>" |
Without destination address/port | Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",duration="<duration>" |
With destination address/port | Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
egressVRFID | 4 | The LSN routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
destinationIPv4Address | 2 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natOriginatingAddressRealm | 1 | 1 (Private/internal realm – Subscriber side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
egressVRFID | 4 | The LSN routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
destinationIPv4Address | 2 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natOriginatingAddressRealm | 1 | 1 (Private/internal realm – Subscriber side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | |
flowDurationMilliseconds | 4 |
Type | Format |
---|---|
HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE", cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNATDestinationIPV4Address | 4 | |
destinationTransportPort | 2 | |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Description | Type | Format |
---|---|---|
Without destination address/port | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "<start>""<duration>""<start>""<duration>" |
With destination address/port | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>" |
Without destination address/port | Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" |
With destination address/port | Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" ,duration="<duration>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv6Address | 16 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
postNATDestinationIPV4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv6Address | 16 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
postNATDestinationIPV4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event) |
flowStartMilliseconds | 8 | |
flowDurationMilliseconds | 4 |
Type | Format |
---|---|
HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>" "<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" "<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE", cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNATDestinationIPv6Address | 16 | 0, if obscured. |
destinationTransportPort | 2 | |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Description | Type | Format |
---|---|---|
Without destination address/port | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>" "<start>""<duration>"
|
With destination address/port | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>"
"LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" "<start>""<duration>" |
Without destination address/port | Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>", duration="<duration>" |
With destination address/port | Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>", cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
sourceIPv6Address | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
destinationIPv4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
sourceIPv6Address | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
destinationIPv4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | |
flowDurationMilliseconds | 4 |
Type | Format |
---|---|
HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"
"<lsn_address>""<lsn_port>" "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>"
"<lsn_address>""<lsn_port>" "<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>"
|
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID. |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNATDestinationIPv6Address | 16 | DSLITE remote endpoint IPV6 address. |
postNatDestinationIPv4Address | 4 | |
destinationTransportPort | 2 | |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
Type | Format |
---|---|
HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natEvent | 1 | Translation failed. |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv6Address | 16 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natEvent | 1 | Translation failed. |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite
tunnel terminated on the BIG-IP. |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
sourceIPv6Address | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
destinationIPv4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natEvent | 1 | Translation failed. |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
Type | Format |
---|---|
HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>"
|
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>"
|
IPFIX is not implemented for DNAT configuration.
Type | Format |
---|---|
HSL | "LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>"
|
LTM log | DNAT connection: dnat: start=<start time in secs> end=<end time in
secs> server=<destination_address>,<destination_port>
local=<lsn_address>,<lsn_port> proto=<protocol_id>
client=<client_ipv4_address> |
IPFIX is not implemented for DNAT session delete.
Type | Format |
---|---|
HSL | "LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool> |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
natEvent | 1 | Session Quota Exceeded/Port Quota Exceeded. |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
Type | Description |
---|---|
HSL | "LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | lip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool> |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv6Address | 16 | |
natEvent | 1 | Session Quota Exceeded/Port Quota Exceeded. |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
Type | Description |
---|---|
HSL | "LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>"
|
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>"
|
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
sourceIPv6Address | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
natEvent | 1 | Session Quota Exceeded/Port Quota Exceeded |
natPoolName | Variable | This IE is omitted for NetFlow v9 compatible configurations. |
BIG-IP version 11.6.0 log reference
This reference content describes the logging format specific to BIG-IP software version
11.6.0.
This release provides the following logging changes:
- PBA Logging introduced.
- Added ports exhausted message for NAT44, NAT64, and DSLITE
- Log for DNAT inbound connections on connection end
Log Message | Type | Format |
---|---|---|
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" | |
NAT44 session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",duration="<duration>" | |
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>" "<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>" | |
NAT44 session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT44 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT44 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" | |
NAT64 session delete | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>" | |
NAT64 session delete | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
NAT64 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE session delete | HSL | "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE session delete | HSL | "LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE inbound session create | HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
DSLITE inbound session delete | HSL | "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
Translation failed | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" | |
DNAT config | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>" | |
DNAT session delete (on connection end, and inbound connection end) | HSL | "LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>" | |
NAT44 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT44 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT44 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT44 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT44 Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT64 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT64 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Ports Exhausted | HSL | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Port-block allocated | HSL | "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
DSLITE Port-block released | HSL | lsn_event="LSN_PB_ALLOCATED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
DSLITE Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
BIG-IP version 11.6.0 log formats
This reference content describes the log format changes specific to BIG-IP software version 11.6.0.
This release includes log messages for the following translation modes:
Port Block Allocation (PBA)
Message | Type | Format |
---|---|---|
Port block allocated | HSL | NAT44:
"LSN_PB_ALLOCATED"<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64:
"LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE:
"LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | NAT44: lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: lsn_event="LSN_PB_ALLOCATED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
Port-block released | HSL | NAT44:
"LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64:
"LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE:
"LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | NAT44: lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" NAT64: lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" DSLITE: lsn_event="LSN_PB_RELEASED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
Client block limit reached | HSL | NAT44: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV4
address%rtdomid>:<Client port>""<LSN pool name>" NAT64: "LSN_BLOCK_QUOTA_EXCEEDED""<Client IPV6
address%rtdomid>:<Client port>""<LSN pool name>" DSLITE: "LSN_BLOCK_QUOTA_EXCEEDED""<DSLITE IPV6
address%rtdomid>""<Client IPV4 address%rtdomid>:<Client
port>""<LSN pool name>" |
Splunk | NAT44: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV4
address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool
name>" NAT64: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6
address%rtdomid>:<Client port>", sa_translation_pool="<LSN pool
name>" DSLITE: lsn_event="LSN_BLOCK_QUOTA_EXCEEDED", cli="<Client IPV6
address%rtdomid>:<Client port>", dslite="<DSLITE IPV6
address%rtdomid>" sa_translation_pool="<LSN pool name>" | |
Ports exhausted | HSL | NAT44:
"LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" NAT64:
"LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" DSLITE:
"LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | NAT44:
ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" NAT64:
ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" DSLITE:
ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
IPFIX
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv4Address | 4 | 8 | Not applicable |
postNATSourceIPv4Address | 4 | 225 | Not applicable |
PortRangeStart | 2 | 361 | Not applicable |
PortRangeEnd | 2 | 362 | Not applicable |
natEvent | 1 | 230 | 13 for allocation. 14 for released. |
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv4Address | 16 | 8 | Not applicable |
postNATSourceIPv4Address | 4 | 225 | Not applicable |
PortRangeStart | 2 | 361 | Not applicable |
PortRangeEnd | 2 | 362 | Not applicable |
natEvent | 1 | 230 | 13 for allocation. 14 for released. |
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv4Address | 16 | 8 | DSLITE remote endpoint address. |
postNATSourceIPv4Address | 4 | 235 | Not applicable |
PortRangeStart | 2 | 361 | Not applicable |
PortRangeEnd | 2 | 362 | Not applicable |
natEvent | 1 | 230 | 13 for allocation. 14 for released. |
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
observationTimeMilliseconds | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
sourceIPv4Address | 4 | 8 | The egress routing domain ID. |
natEvent | 1 | 230 | Client block limit reached (15) or ports exhausted (16). |
natPoolName | Variable | 284 | This IE is omitted for NetFlow v9 compatible configurations. |
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
observationTimeMilliseconds | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
sourceIPv4Address | 16 | 27 | The egress routing domain ID. |
natEvent | 1 | 230 | Client block limit reached (15) or ports exhausted (16). |
natPoolName | Variable | 284 | This IE is omitted for NetFlow v9 compatible configurations. |
Field | Size (Bytes) | IANA IPFIX ID | Description |
---|---|---|---|
natEvent | 1 | 230 | Client block limit reached (15) or ports exhausted (16). |
sourceIPv4Address | 16 | 27 | IPv6 address for remote endpoint of the DS-Lite tunnel. |
ingressVRFID | 4 | 234 | The client routing domain ID. |
natPoolName | Variable | 284 | This IE is omitted for NetFlow v9 compatible configurations. |
observationTimeMilliseconds | 8 | 323 | |
sourceIPv4Address | 4 | 8 |
BIG-IP version 12.0.0 log reference
This reference content describes the logging format specific to BIG-IP software version
12.0.0.
This release provides the following logging changes:
- Port-block released (added start and duration)
- Start time added to LSN_ADD messages.
Log Message | Type | Format |
---|---|---|
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>"
"<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" | |
NAT44 session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",duration="<duration>" | |
NAT44 session create (with log.lsn.session.destination
enabled) | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>"
"<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>""<start>"
|
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" | |
NAT44 session delete (with log.lsn.session.destination
enabled) | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT44 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>"
|
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>" | |
NAT44 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" | |
NAT64 session delete | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" | |
NAT64 session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>" | |
NAT64 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE session delete | HSL | "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE inbound session create | HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE inbound session delete | HSL | "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
Translation failed | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","NAPT
- Translation
failed","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="NAPT
- Translation
failed",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" | |
DNAT config | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>" | |
DNAT session delete (on connection end, and inbound connection end) | HSL | "LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>" | |
NAT44 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT44 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT44 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
NAT44 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT44 Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT64 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
NAT64 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Port-block allocated | HSL | "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
DSLITE Port-block released | HSL | "LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
DSLITE Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
BIG-IP version 12.0.0 log formats
This reference content describes the log format changes specific to BIG-IP software version 12.0.0.
This release includes log messages for the following:
- Port-block released (added start and duration)
- Start time added to LSN_ADD messages and LSN_INBOUND_CREATE messages
Translation Mode | Type | Format |
---|---|---|
Port Block Allocation (PBA) log formats | HSL | NAT44:"LSN_PB_RELEASED""<Client IPV4
address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range
start>:<Port range end>""<start>""<duration>" NAT64: "LSN_PB_RELEASED""<Client IPV6
address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range
start>-<Port range end>""<start>""<duration>" DSLITE: "LSN_PB_RELEASED""<DSLITE IPV6
address%rtdomid>""<Translated IPV4 address%rtdomid>:<Port range
start>-<Port range end>""<start>""<duration>" |
Splunk | NAT44: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV4
address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port
range start>-<Port range
end>",start="<start>",duration="<duration>" NAT64: lsn_event="LSN_PB_RELEASED", lsn_client="<Client IPV6
address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port
range start>-<Port range
end>",start="<start>",duration="<duration>" DSLITE: lsn_event="LSN_PB_RELEASED", lsn_dslite_client="<DSLITE IPV6
address%rtdomid>", lsn_pb="<Translated IPV4 address%rtdomid>:<Port
range start>-<Port range
end>",start="<start>",duration="<duration>" | |
NAT 44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>%<lsn_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<destination_address>""<destination_port>""<start>"
|
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" | |
NAT 64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" With destination logging (log.lsn.session.destination) enabled: "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" With destination logging (log.lsn.session.destination) enabled: ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
NAT44 Inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>" | |
NAT64 Inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>" | |
DSLITE Inbound session create | HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" |
BIG-IP version 12.1.0 log formats
This reference content describes the log format changes specific to BIG-IP software version 12.1.0.
This release includes log messages for translation failures, specifically, when a suggested
resource is unavailable for iRules, or a preserve strict source port setting applies.
Message | Type | Format |
---|---|---|
Translation failed - iRules suggested port busy | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation
failed - iRule port
busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Translation failed - iRules suggested address busy | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation
failed - iRule address
busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Translation failed - Preserve strict source port busy | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","Translation
failed - Preserve strict source port
busy","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
BIG-IP version 12.1.1 log reference
This reference content describes the logging format specific to BIG-IP software version
12.1.1.
This release provides the following logging changes:
- Log specific translation failed messages when a suggested resource is unavailable (for iRules and source port preserve strict).
Log Message | Type | Format |
---|---|---|
NAT44 session create | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" | |
NAT44 session delete | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid
>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",duration="<duration>" | |
NAT44 session create (with log.lsn.session.destination
enabled) | HSL | "LSN_ADD""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>
""<lsn_address>%<egress_rtdomid
>:<lsn_port>;""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid
>:<lsn_port>",start="<start>" | |
NAT44 session delete (with log.lsn.session.destination
enabled) | HSL | "LSN_DELETE""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>:<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",start="<start>",lsn_event="LSN_DELETE",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT44 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>",start="<start>" | |
NAT44 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv4_address>%<client_rtdomid>:<client_port>" | |
NAT64 session create | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" | |
NAT64 session delete | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",start="<start>" | |
NAT64 session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",duration="<duration>" | |
NAT64 inbound session create | HSL | "LSN_INBOUND_ADD""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",start="<start>" | |
NAT64 inbound session delete | HSL | "LSN_INBOUND_DELETE""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>" | |
DSLITE session create | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE session delete | HSL | "LSN_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE session create (with log.lsn.session.destination enabled) | HSL | "LSN_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>""<destination_address>""<destination_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_ADD",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE session delete (with log.lsn.session.destination enabled) | HSL | "LSN_DELETE"""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<lsn_address>%<egress_rtdomid>:<lsn_port>"<destination_address>""<destination_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<destination_address>"dest_port="<destination_port>",lsn_event="LSN_DELETE",start="<start>",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<egress_rtdomid>:<lsn_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",duration="<duration>" | |
DSLITE inbound session create | HSL | "LSN_INBOUND_ADD""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_ADD",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>",start="<start>" | |
DSLITE inbound session delete | HSL | "LSN_INBOUND_DELETE""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>""<protocol>""<client_ipv6_address>%<client_rtdomid>:<client_port>""<lsn_address>""<lsn_port>""<start>""<duration>" |
Splunk | ip_protocol="<protocol>",dest_ip="<lsn_address>,dest_port="<lsn_port>",lsn_event="LSN_INBOUND_DELETE",cli="<internet_client_ipv4_address>%<internet_client_rtdomid>:<internet_client_port>",nat="<client_ipv6_address>%<client_rtdomid>:<client_port>",dslite="<dslite_ipv6_remote_ip%<dslite_rtdomid>" | |
Translation failed | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_event>","<lsn_result>","<client_ipv4_address/client_ipv6_address>","<client_port>","<client_rtdomid>","<protocol>","<lsn_address>","<lsn_port>","<lsn_rtdomid>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",client_ip="<client_ipv4_address/client_ipv6_address>",client_port="<client_port>",date_time="<date_time>",dest_ip="<destination_address>",dest_port="<destination_port>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="1",errdefs_msg_name="LSN
Translation
Event",lsn_translated_client_ip="<lsn_address>",lsn_translated_client_port="<lsn_port>",lsn_event="LSN_ERR",lsn_result="<lsn_result>",lsn_translated_route_domain="<lsn_rtdomid>",cli="<client_ipv4_address/client_ipv6_address>:<client_port>",nat="<lsn_address>:<lsn_port>",dslite="<dslite_ipv6_remote_ip>",severity="6",route_domain="<client_rtdomid>" | |
DNAT config | HSL | "<date_time>","<bigip_mgmt_ip_address>","<bigip_hostname>","<lsn_dnat_log_version>","LSN_CFG","<lsn_result>","<lsn_pool_name>","<lsn_dnat_source_list>","<lsn_dnat_prefix_list>","<lsn_dnat_port_range_min>","<lsn_dnat_port_range_max>","<tmm_daglib_state>","<lsn_dnat_state>","<lsn_dnat_dag_id>","<timestamp>" |
Splunk | hostname="<bigip_hostname>",bigip_mgmt_ip="<bigip_mgmt_ip_address>",date_time="<date_time>",device_product="CGNAT",device_vendor="F5",device_version="<bigip_software_version>",errdefs_msgno="2",errdefs_msg_name="LSNDNAT
Config
Event",lsn_event="LSN_CFG",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_source_list="<lsn_dnat_source_list>",lsn_dnat_prefix_list="<lsn_dnat_prefix_list>",lsn_dnat_port_range_min="<lsn_dnat_port_range_min>",lsn_dnat_port_range_max="<lsn_dnat_port_range_max>",lsn_dnat_log_version="<lsn_dnat_log_version>",lsn_result="DNAT
config
change",severity="6",tmm_daglib_state="<tmm_daglib_state>",lsn_pool_name="<lsn_pool_name>",lsn_dnat_state="<lsn_dnat_state>",lsn_dnat_dag_id="<lsn_dnat_dag_id>",timestamp="<timestamp>" | |
DNAT session delete (on connection end, and inbound connection end) | HSL | "LSN_CONNECTION","<start>","<end>","<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>","<lsn_address>%<lsn_rtdomid>:<lsn_port>","<destination_port>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_CONNECTION",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",nat="<lsn_address>%<lsn_rtdomid>:<lsn_port>",destination_port="<destination_port>",start="<start>",end="<end>" | |
NAT44 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<client_ipv6_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE client quota exceeded | HSL | "LSN_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT44 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT44 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv4_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv4_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
NAT44 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
IPFIX | ||
NAT44 Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<client_ip4_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Port-block allocated | HSL | "LSN_PB_ALLOCATED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
NAT64 Port-block released | HSL | "LSN_PB_RELEASED""<client_ipv6_address>%<client_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_client="<client_ipv6_address>%<client_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
NAT64 Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_QUOTA_EXCEEDED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
NAT64 Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<client_ip6_address%client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",cli="<client_ipv6_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Port-block allocated | HSL | "LSN_PB_ALLOCATED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" |
Splunk | lsn_event="LSN_PB_ALLOCATED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>" | |
DSLITE Port-block released | HSL | "LSN_PB_RELEASED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>""<start>""<duration>" |
Splunk | lsn_event="LSN_PB_RELEASED",
lsn_dslite_client="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",
lsn_pb="<lsn_address>%<lsn_rtdomid>:<port_range_start>-<port_range_end>",start="<start>",duration="<duration>" | |
DSLITE Client block limit reached | HSL | "LSN_BLOCK_QUOTA_EXCEEDED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_BLOCK_QUOTA_EXCEEDED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" | |
DSLITE Ports Exhausted | HSL | "LSN_PORTS_EXHAUSTED""<dslite_ipv6_remote_ip>%<dslite_rtdomid>""<client_ipv4_address>%<client_rtdomid>:<client_port>""<protocol>""<sa_trans_pool>" |
Splunk | ip_protocol="<protocol>",lsn_event="LSN_PORTS_EXHAUSTED",dslite="<dslite_ipv6_remote_ip>%<dslite_rtdomid>",cli="<client_ipv4_address>%<client_rtdomid>:<client_port>",sa_translation_pool="<sa_trans_pool>" |
BIG-IP 13.0.0 log formats
This reference content describes the log format changes specific to BIG-IP software version 13.0.0.
This release includes the following changes:
- In IPFIX logs, added flowStartMilliseconds to inbound/outbound NAT44, NAT64, and DSLITE create events, as well as PBA allocated/released events.
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The client routing domain ID. |
egressVRFID | 4 | The LSN routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
destinationIPv4Address | 2 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
natOriginatingAddressRealm | 1 | 1 (Private/internal realm – Subscriber side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNAPTsourceTransportPort | 4 | |
destinationTransportPort | 2 | 0, if obscured. |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv6Address | 16 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
postNATDestinationIPV4Address | 4 | 0, if obscured. |
destinationTransportPort | 2 | 0, if obscured. |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNATDestinationIPV6Address | 16 | 0, if obscured. |
destinationTransportPort | 2 | |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
postNATSourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
postNAPTsourceTransportPort | 2 | |
sourceIPv6Address | 16 | IPv6 address for remote endpoint of the DS-Lite tunnel |
destinationIPv4Address | 2 | 0, if obscured. |
destinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | Description |
---|---|---|
observationTimeMilliseconds | 8 | |
ingressVRFID | 4 | The LSN routing domain ID |
egressVRFID | 4 | The client routing domain ID. |
sourceIPv4Address | 4 | |
protocolIdentifier | 1 | |
sourceTransportPort | 2 | |
destinationIPv4Address | 4 | |
postNATDestinationIPv6Address | 16 | DSLITE remote endpoint IPV6 address |
postNatDestinationIPv4Address | 4 | |
destinationTransportPort | 2 | |
postNAPTDestinationTransportPort | 2 | |
natOriginatingAddressRealm | 1 | 2 (Public/external realm – Internet side). |
natEvent | 1 | 1 (Create Event) or 2 (Delete Event). |
flowStartMilliseconds | 8 | Start time, in ms since Epoch(1/1/1970). |
Field | Bytes | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv4Address | 4 | 8 | |
postNATSourceIPv4Address | 4 | 225 | |
PortRangeStart | 2 | 361 | |
PortRangeEnd | 2 | 362 | |
natEvent | 1 | 230 | 13 for allocation, 14 for released |
flowStartMilliseconds | 8 | 152 | Start time, in ms since Epoch(1/1/1970) |
Field | Bytes | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv4Address | 16 | 27 | |
postNATSourceIPv4Address | 4 | 225 | |
PortRangeStart | 2 | 361 | |
PortRangeEnd | 2 | 362 | |
natEvent | 1 | 230 | 13 for allocation, 14 for released |
flowStartMilliseconds | 8 | 152 | Start time, in ms since Epoch(1/1/1970) |
Field | Bytes | IANA IPFIX ID | Description |
---|---|---|---|
timeStamp | 8 | 323 | |
ingressVRFID | 4 | 234 | The client routing domain ID. |
egressVRFID | 4 | 235 | The egress routing domain ID. |
sourceIPv6Address | 16 | 27 | DSLITE remote endpoint address. |
postNATSourceIPv4Address | 4 | 225 | |
PortRangeStart | 2 | 361 | |
PortRangeEnd | 2 | 362 | |
natEvent | 1 | 230 | 13 for allocation, 14 for released |
flowStartMilliseconds | 8 | 152 | Start time, in ms since Epoch(1/1/1970) |