Collect F5 BIG-IP LTM logs

This document describes how you can collect F5 BIG-IP Local Traffic Manager (LTM) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the F5_BIGIP_LTM ingestion label.

Configure F5 BIG-IP LTM

  1. Sign in to SSH using root credentials.
  2. Sign in to the Traffic Management Shell (tmsh) with the following command:

    tmsh

  3. Send filtered log messages to remote syslog servers with the following command:

    modify /sys syslog remote-servers none

  4. Remove the remote-servers statement and then add a syslog include statement that defines a filter rule and the remote server.

  5. To define the required syslog filter that references the remote server, use the following command:

    edit /sys syslog all-properties

  6. Replace the include none command with the following filter and add the IP address and port number.

    include "
    filter f_remote_loghost {
        level(debug..emerg);
    };
    filter f_ssl_acc {
        not match(\"ssl_acc\");
    };
    filter f_ssl_req {
        not match(\"ssl_req\");
    };
    destination d_remote_loghost {
        udp(IP_ADDRESS PORT);
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_loghost);
        filter(f_ssl_acc);
        filter(f_ssl_req);
        destination(d_remote_loghost);
    };
    "

    Replace IP_ADDRESS with the Google Security Operations forwarder IP address and PORT with the high port number.

  7. To exit the text editor, press Esc and then enter wq!.

  8. Save the configuration with the following command:

    save /sys config
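
To check what the include block above actually delivers, the following added example (not part of the F5 or Google documentation) tallies syslog severities from datagrams received on the forwarder port and flags any message containing ssl_acc or ssl_req, which the filters should have dropped. The function names and sample datagrams are constructed for illustration, substring matching stands in for syslog-ng's match(), and capture() must run while nothing else is bound to the port.

```python
"""Audit UDP syslog datagrams against the BIG-IP include filter (added example)."""
import re
import socket
from collections import Counter

# RFC 3164 severity names, index = PRI % 8 (0 = emerg ... 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Strings the include block excludes with `not match(...)`.
EXCLUDED = ("ssl_acc", "ssl_req")
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility, severity_name) from the <PRI> header, or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return pri // 8, SEVERITIES[pri % 8]


def audit(datagrams):
    """Summarise datagrams and list the ones the filter should have dropped."""
    report = {"by_severity": Counter(), "malformed": 0, "leaked": []}
    for raw in datagrams:
        decoded = decode_pri(raw)
        if decoded is None:
            report["malformed"] += 1
            continue
        report["by_severity"][decoded[1]] += 1
        text = raw.decode("utf-8", errors="replace")
        # Assumption: a plain substring test approximates syslog-ng's match().
        if any(tag in text for tag in EXCLUDED):
            report["leaked"].append(text)
    return report


def capture(bind_ip: str, port: int, count: int, timeout: float = 30.0):
    """Collect up to `count` UDP datagrams on bind_ip:port, then return them."""
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        try:
            while len(got) < count:
                data, _peer = sock.recvfrom(65535)
                got.append(data)
        except socket.timeout:
            pass  # return whatever arrived before the timeout
    return got


# Constructed sample datagrams (not real BIG-IP output).
SAMPLE = [
    b"<134>Jan  1 00:00:01 bigip1 tmm[1234]: constructed info message",
    b"<131>Jan  1 00:00:02 bigip1 mcpd[2345]: constructed err message",
    b"<134>Jan  1 00:00:03 bigip1 ssl_acc[3456]: constructed access line",
    b"no pri header",
]

if __name__ == "__main__":
    # On the forwarder host: audit(capture("0.0.0.0", PORT, 100))
    print(audit(SAMPLE))
```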

Configure Google Security Operations forwarder and syslog to ingest F5 BIG-IP LTM logs

  1. Go to SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder Name field, enter a unique name for the forwarder.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select F5 BIGIP LTM as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the protocol.
    • Address: specify the Google Security Operations forwarder IP address.
    • Port: specify the port.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser normalizes F5 BIG-IP Local Traffic Manager (LTM) logs, handling both key-value and syslog formats. It extracts fields like IP addresses, usernames, actions, and descriptions, mapping them to the UDM, and categorizes events based on log content and extracted fields, including network connections, user logins/logouts, and generic events.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| Access_Profile | event.idm.read_only_udm.additional.fields[].key:"Access_Profile", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the Access_Profile key in the parsed key-value pairs. |
| Client_IP | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped from the Client_IP key in the parsed key-value pairs. Also used to populate principal asset IP. Sets has_principal to true. |
| Country | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the Country key in the parsed key-value pairs. |
| Listener | event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the Listener key in the parsed key-value pairs. |
| Session_ID | event.idm.read_only_udm.network.session_id | Directly mapped from the Session_ID key in the parsed key-value pairs. |
| State | event.idm.read_only_udm.principal.location.state | Directly mapped from the State key in the parsed key-value pairs. |
| Virtual_IP | event.idm.read_only_udm.target.ip[], event.idm.read_only_udm.target.asset.ip[] | Directly mapped from the Virtual_IP key in the parsed key-value pairs. Also used to populate target asset IP. Sets has_target to true. |
| about | event.idm.read_only_udm.about | Populated from various fields like snat, vs_name, path, query, node, pool_member, vs, client, blade, and device if they are present in the raw log and successfully parsed. |
| action_data | event.idm.read_only_udm.target.process.command_line | Directly mapped for scriptd process logs. |
| attack_type | event.idm.read_only_udm.security_result.category_details[] | Directly mapped. |
| blade | event.idm.read_only_udm.about.resource.attribute.labels[].key:"blade", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the blade key in the parsed key-value pairs. |
| bytes_in | event.idm.read_only_udm.network.received_bytes | Directly mapped, converted to unsigned integer. |
| bytes_out | event.idm.read_only_udm.network.sent_bytes | Directly mapped, converted to unsigned integer. |
| captcha_result | event.idm.read_only_udm.additional.fields[].key:"captcha_result", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| client | event.idm.read_only_udm.about.resource.attribute.labels[].key:"client", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the client key in the parsed key-value pairs. |
| client_ip | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
| client_port | event.idm.read_only_udm.principal.port | Directly mapped, converted to integer. |
| collection_time | event.timestamp | The Log Entry's timestamp is used as the event timestamp. |
| command_line | event.idm.read_only_udm.target.process.command_line | Directly mapped for CROND process logs and some logger logs. |
| data | message | The raw log message. This is parsed and used to populate various UDM fields. |
| dgl_count | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_Value", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| dgl_value | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"DataGroup_List", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| description | event.idm.read_only_udm.metadata.description, event.idm.read_only_udm.security_result.description | Directly mapped for some log types, or used as part of the security result description. |
| device | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.about.resource.attribute.labels[].key:"device", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
| dest_ip | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Directly mapped. Also used to populate target asset IP. Sets has_principal to true. |
| dest_port | event.idm.read_only_udm.target.port | Directly mapped. |
| dvc | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname, event.idm.read_only_udm.intermediary.hostname | Parsed to extract hostname or IP. Used to populate principal hostname or intermediary hostname. |
| errdefs_msgno | event.idm.read_only_udm.additional.fields[].key:"errdefs_msgno", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped from the errdefs_msgno key in the parsed key-value pairs. |
| error_reason | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"error_reason", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| false_positive | event.idm.read_only_udm.additional.fields[].key:"false_positive", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| function_id | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"function_id", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| geoContinent | event.idm.read_only_udm.principal.location.continent | Not mapped in the provided example, but would map to continent if available. |
| geoCountry | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped. |
| geoState | event.idm.read_only_udm.principal.location.state | Directly mapped. |
| header.Referer | event.idm.read_only_udm.network.http.referral_url | Directly mapped. |
| header.User-Agent | event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent | Directly mapped. Also converted to parsed user agent. |
| header.X-Forwarded-For | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Parsed to extract IPs and merge them into principal IP and principal asset IP. |
| host | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
| http_host | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped. Also used to populate target asset hostname. Sets has_target to true. |
| http_method | event.idm.read_only_udm.network.http.method | Directly mapped. Sets event_type to NETWORK_HTTP if present. |
| ip_client | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
| kv_msg | Various fields | Parsed as key-value pairs and used to populate various UDM fields. |
| Level | event.idm.read_only_udm.security_result.severity | Mapped to severity if the severity field is not present. Converted to UDM severity values (e.g., "Info" -> "INFORMATIONAL"). |
| Listener | event.idm.read_only_udm.additional.fields[].key:"Listener", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| log_message | event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.security_result.description | Further parsed to extract request_uri or description. |
| log_type | event.idm.read_only_udm.metadata.log_type | Directly mapped from the raw log's log_type field. |
| loglevel | event.idm.read_only_udm.security_result.severity | Mapped to severity. Converted to UDM severity values (e.g., "warning" -> "MEDIUM", "err" -> "HIGH"). Also used for alert/significant event logic. |
| manage_ip_addr | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. Sets has_principal to true. |
| method | event.idm.read_only_udm.network.http.method | Directly mapped. Sets event_type to NETWORK_HTTP. |
| method_req | event.idm.read_only_udm.network.http.method | Directly mapped. |
| msg1 | event.idm.read_only_udm.security_result.description | Used as the security result description if not parsed further. |
| node | event.idm.read_only_udm.about.resource.attribute.labels[].key:"node", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the node key in the parsed key-value pairs. |
| partition_name | event.idm.read_only_udm.additional.fields[].key:"partition_name", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| path | event.idm.read_only_udm.target.url, event.idm.read_only_udm.about.resource.attribute.labels[].key:"path", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped. |
| policy_name | event.idm.read_only_udm.security_result.detection_fields[].key:"policy_name", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
| pool_member | event.idm.read_only_udm.about.resource.attribute.labels[].key:"pool_member", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the pool_member key in the parsed key-value pairs. |
| principalHost | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
| principalIp | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[], event.idm.read_only_udm.observer.ip | Directly mapped. Also used to populate principal asset IP and observer IP. Sets has_principal to true. |
| principalPort | event.idm.read_only_udm.principal.port | Directly mapped, converted to integer. |
| process | event.idm.read_only_udm.target.application | Directly mapped. |
| product_event_type | event.idm.read_only_udm.metadata.product_event_type | Directly mapped. |
| proto | event.idm.read_only_udm.network.ip_protocol | Mapped to IP protocol after converting protocol number to protocol name using a lookup. |
| query | event.idm.read_only_udm.about.resource.attribute.labels[].key:"query", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the query key in the parsed key-value pairs. |
| query_string | event.idm.read_only_udm.additional.fields[].key:"query_string", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| reason | event.idm.read_only_udm.security_result.description | Directly mapped for apmd process logs with warning or error loglevel. |
| reason_code | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"reason_code", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| req_status | event.idm.read_only_udm.security_result.detection_fields[].key:"req_status", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
| request | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"request_type", event.idm.read_only_udm.principal.resource.attribute.labels[].value, event.idm.read_only_udm.network.application_protocol | Used to determine the application protocol (HTTP) and mapped as a label. |
| request_status | event.idm.read_only_udm.additional.fields[].key:"request_status", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| request_uri | event.idm.read_only_udm.target.url | Directly mapped. |
| resp_code | event.idm.read_only_udm.network.http.response_code | Directly mapped, converted to integer. |
| response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped, converted to integer. |
| rule_name | event.idm.read_only_udm.security_result.rule_name | Directly mapped. |
| sec_action | event.idm.read_only_udm.security_result.action[] | Mapped to action. "Continue" is converted to "ALLOW". Other values are converted to "BLOCK". |
| security_result | event.idm.read_only_udm.security_result | Merged into the security_result object. |
| session_id | event.idm.read_only_udm.network.session_id | Directly mapped. |
| severity | event.idm.read_only_udm.security_result.severity | Mapped to severity. Converted to UDM severity values (e.g., "Error" -> "ERROR", "Informational" -> "INFORMATIONAL"). |
| sig_ids | event.idm.read_only_udm.additional.fields[].key:"sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| sig_names | event.idm.read_only_udm.additional.fields[].key:"sig_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| sni_host | event.idm.read_only_udm.network.tls.client.server_name | Directly mapped. |
| snat | event.idm.read_only_udm.about.resource.attribute.labels[].key:"snat", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the snat key in the parsed key-value pairs. |
| snat_ip | event.idm.read_only_udm.principal.nat_ip[] | Directly mapped. |
| snat_port | event.idm.read_only_udm.principal.nat_port | Directly mapped, converted to integer. |
| src_ip | event.idm.read_only_udm.principal.ip[], event.idm.read_only_udm.principal.asset.ip[] | Directly mapped. Also used to populate principal asset IP. |
| src_port | event.idm.read_only_udm.principal.port | Directly mapped. |
| ssl_cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| ssl_function | event.idm.read_only_udm.principal.resource.attribute.labels[].key:"ssl_function", event.idm.read_only_udm.principal.resource.attribute.labels[].value | Directly mapped. |
| ssl_version | event.idm.read_only_udm.network.tls.version_protocol | Directly mapped. |
| staged_sig_ids | event.idm.read_only_udm.additional.fields[].key:"staged_sig_ids", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| staged_sig_names | event.idm.read_only_udm.additional.fields[].key:"staged_sig_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| staged_sig_set_names | event.idm.read_only_udm.additional.fields[].key:"staged_sig_set_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| staged_threat_campaign_names | event.idm.read_only_udm.additional.fields[].key:"staged_threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| status | event.idm.read_only_udm.security_result.summary | Directly mapped for scriptd process logs. |
| summary | event.idm.read_only_udm.security_result.summary | Directly mapped for some log types. |
| support_id | event.idm.read_only_udm.additional.fields[].key:"Support_Id", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| systems | event.idm.read_only_udm.principal.asset.attribute.labels[].key, event.idm.read_only_udm.principal.asset.attribute.labels[].value | Parsed to extract system information and map it as labels to the principal asset. |
| targetFile | event.idm.read_only_udm.target.file.full_path | Directly mapped for scriptd process logs. |
| targetIp | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip | Directly mapped. Also used to populate target asset IP. Sets has_target to true. |
| targetPort | event.idm.read_only_udm.target.port | Directly mapped, converted to integer. |
| threat_campaign_names | event.idm.read_only_udm.additional.fields[].key:"threat_campaign_names", event.idm.read_only_udm.additional.fields[].value.string_value | Directly mapped. |
| timestamp | event.timestamp | Directly mapped after parsing and rebasing. |
| tls_version | event.idm.read_only_udm.network.tls.version | Directly mapped. |
| tlsproto | event.idm.read_only_udm.network.tls.version_protocol | Directly mapped. If value is HTTP/1.1, then "HTTP" is mapped. |
| unit_host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped. Also used to populate principal asset hostname. Sets has_principal to true. |
| uri | event.idm.read_only_udm.target.url | Directly mapped. |
| uri_path | event.idm.read_only_udm.target.url | Directly mapped, concatenated with uri_query if present. |
| url | event.idm.read_only_udm.principal.url | Directly mapped. |
| url_string | event.idm.read_only_udm.network.http.referral_url | Directly mapped. |
| user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped. |
| userId | event.idm.read_only_udm.principal.user.userid, event.idm.read_only_udm.target.user.userid | Directly mapped. Also used to populate target user ID. Sets has_principal_user to true. |
| vendor_name | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to "F5". |
| violations | event.idm.read_only_udm.security_result.detection_fields[].key:"violations", event.idm.read_only_udm.security_result.detection_fields[].value | Directly mapped. |
| vs | event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the vs key in the parsed key-value pairs. |
| vs_name | event.idm.read_only_udm.about.resource.attribute.labels[].key:"vs_name", event.idm.read_only_udm.about.resource.attribute.labels[].value | Directly mapped from the vs_name key in the parsed key-value pairs. |
| N/A | event.idm.read_only_udm.metadata.event_type | Determined by parser logic based on the presence of certain fields. Defaults to GENERIC_EVENT. Can be NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_UNCATEGORIZED, STATUS_UPDATE, or NETWORK_HTTP. |
| N/A | event.idm.read_only_udm.metadata.product_name | Hardcoded to "BIG-IP Local Traffic Manager (LTM)". |
| N/A | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to "F5". |
| N/A | event.idm.read_only_udm.metadata.event_timestamp | Copied from the top-level event.timestamp. |
| N/A | event.idm.read_only_udm.security_result.severity | Determined by parser logic based on the severity or Level fields, if present. Defaults to UNKNOWN_SEVERITY. Can be INFORMATIONAL, LOW, MEDIUM, HIGH, or CRITICAL. |
| N/A | event.idm.read_only_udm.security_result.summary | Set to "Authentication failure" for specific apmd logs. |
| N/A | event.idm.read_only_udm.extensions.auth.type | Set to "VPN" for specific apmd and sshd logs. Otherwise, set to AUTHTYPE_UNSPECIFIED for USER_LOGIN and USER_LOGOUT events. |
| N/A | event.idm.read_only_udm.network.ip_protocol | Defaults to "TCP" if proto is not present. Otherwise, determined by the proto field. |
| N/A | event.idm.is_alert, event.idm.is_significant | Set to true if loglevel is "alert", "crit", "emer". |
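
The rules the mapping table states for severity, action, IP protocol, X-Forwarded-For merging, alert flags and event type can be exercised on already-extracted fields. The following is an added illustration, not the Google Security Operations parser: the function names and sample records are constructed, and the position of loglevel in the severity lookup and the order of the two GENERIC_EVENT refinements (taken from the 2023-03-14 change entry) are assumptions.

```python
"""Apply the mapping rules stated in the table to already-extracted fields.
Added illustration only; this is not the Google Security Operations parser."""
import ipaddress

# Only the value pairs the table spells out; other values fall back to the
# documented default, UNKNOWN_SEVERITY.
SEVERITY = {"Error": "ERROR", "Informational": "INFORMATIONAL"}
LEVEL = {"Info": "INFORMATIONAL"}
LOGLEVEL = {"warning": "MEDIUM", "err": "HIGH"}
ALERT_LOGLEVELS = {"alert", "crit", "emer"}
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


def valid_ips(value):
    """Split a comma-separated header value and keep only valid IP literals."""
    ips = []
    for part in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue
    return ips


def to_udm(f):
    """Return a UDM-shaped dict for one record of extracted fields."""
    principal = {"ip": [f[k] for k in ("client_ip", "src_ip", "ip_client") if f.get(k)]}
    for ip in valid_ips(f.get("header.X-Forwarded-For", "")):
        if ip not in principal["ip"]:
            principal["ip"].append(ip)  # header values are merged into principal.ip
    if f.get("client_port"):
        principal["port"] = int(f["client_port"])
    if f.get("userId"):
        principal["user"] = {"userid": f["userId"]}
    target = {}
    if f.get("http_host") or f.get("host"):
        target["hostname"] = f.get("http_host") or f.get("host")

    method = f.get("http_method") or f.get("method")
    proto = f.get("proto")
    # "TCP" when proto is absent; numbers outside this small lookup stay None.
    network = {"ip_protocol": IP_PROTO.get(proto) if proto else "TCP"}
    if method:
        network["http"] = {"method": method}

    # severity wins over Level (table); trying loglevel last is an assumption.
    sev = (SEVERITY.get(f["severity"]) if "severity" in f else
           LEVEL.get(f["Level"]) if "Level" in f else LOGLEVEL.get(f.get("loglevel")))
    sec = {"severity": sev or "UNKNOWN_SEVERITY"}
    if "sec_action" in f:
        sec["action"] = ["ALLOW" if f["sec_action"] == "Continue" else "BLOCK"]

    # userid-before-ip ordering is an assumption of this example.
    event_type = ("NETWORK_HTTP" if method else
                  "USER_UNCATEGORIZED" if "user" in principal else
                  "STATUS_UPDATE" if principal["ip"] else "GENERIC_EVENT")
    alert = f.get("loglevel") in ALERT_LOGLEVELS
    return {
        "metadata": {"event_type": event_type, "vendor_name": "F5",
                     "product_name": "BIG-IP Local Traffic Manager (LTM)"},
        "principal": principal, "target": target, "network": network,
        "security_result": sec, "is_alert": alert, "is_significant": alert,
    }


# Constructed records: field names come from the table, values are invented.
HTTP_RECORD = {"client_ip": "192.0.2.10", "client_port": "51514",
               "header.X-Forwarded-For": "198.51.100.7, not-an-ip, 192.0.2.10",
               "http_method": "GET", "http_host": "app.example.test",
               "sec_action": "Continue", "severity": "Informational"}
AUTH_RECORD = {"userId": "constructed-user", "loglevel": "crit",
               "proto": "17", "sec_action": "Reject"}
```

Because header.X-Forwarded-For values are merged into principal.ip, a rule that matches on principal.ip can match an address that came from a request header rather than from the connection itself.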

Changes

2024-05-06

  • Added support to handle a new format of KV logs.
  • Mapped "tlsproto" to "network.tls.version_protocol".
  • Mapped "method_req" to "network.http.method".
  • Mapped "path" to "target.url".
  • Mapped "url" to "principal.url".
  • Mapped "client_ip" to "principal.ip" and "principal.asset.ip".
  • Mapped "device" to "principal.hostname" and "principal.asset.hostname".
  • Mapped "host" to "target.hostname" and "target.asset.hostname".
  • Mapped "vip" to "target.ip" and "target.asset.ip".
  • Mapped "client_port" to "principal.port".
  • Mapped "snat_ip" to "principal.nat_ip".
  • Mapped "snat_port" to "principal.nat_port".
  • Mapped "vs_name", "path", "query", "node", "pool_member", "vs", "device", "blade", "client", and "snat" to "about.resource.attribute.labels".

2024-03-23

  • Added gsub to remove unwanted characters to parse the logs.
  • Mapped "support_id", "query_string", and "request_status" to "additional.fields".
  • Mapped "uri" to "target.url".

2024-02-23

  • enhancement
  • Added a "kv" block to retrieve key-value format data.
  • Added support for CSV format logs.
  • Added a Grok pattern to extract key-value fields.
  • Mapped "dest_ip" to "target_ip".
  • Mapped "dest_port" to "targetPort".
  • Mapped "src_port" to "principalPort".
  • Mapped "ip_client" and "manage_ip_addr" to "principal.ip" and "principal.asset.ip".
  • Mapped "target_ip" and "Virtual_IP" to "target.ip" and "target.asset.ip".
  • Mapped "severity" to "security_result.severity".
  • Mapped "session_id" to "network.session_id".
  • Mapped "network" to "network.http.method".
  • Mapped "violations", "policy_name", and "req_status" to "security_result.detection_fields".
  • Mapped "protocol" to "network.application_protocol".
  • Mapped "staged_threat_campaign_names", "staged_sig_ids", "threat_campaign_names", "staged_sig_names", "captcha_result", "sig_set_names", "staged_sig_set_names", "sig_ids", "sig_names", "resp_code", and "false_positive" to "additional.fields".

2024-01-24

  • bug-fix
  • Changed mapping of "uri_pathuri_query" and "header.Referer".
  • Changed mapping of "uri_pathuri_query" to "target.url" from "network.http.referral_url".
  • Changed mapping of "header.Referer" to "network.http.referral_url" from "security_result.about.resource.attribute.labels".

2023-12-14

  • enhancement
  • Added support for JSON format logs.

2023-08-28

  • enhancement
  • Added a "kv" block to retrieve key-value format data.
  • Mapped "process" to "target.application".
  • Mapped "Country" to "principal.location.country_or_region".
  • Mapped "State" to "principal.location.state".
  • Mapped "Client_IP" to "principal.ip".
  • Mapped "Virtual_IP" to "target.ip".
  • Mapped "Session_ID" to "network.session_id".
  • Mapped "errdefs_msgno", "partition_name", "Listener", "Access_Profile" to "additional.fields".

2023-07-18

  • Parsed logs where "process" is "apmd" and "loglevel" is "notice".

2023-05-18

  • Enhancement - Added Grok patterns to parse the logs containing "tmm".
  • Parsed the logs containing "anacron", "run-parts" and "syslog-ng".

2023-05-09

  • bug-fix
  • For syslog logs, the hostname that was mapped to intermediary.hostname is now mapped to principal.hostname.

2023-03-14

  • enhancement
  • Mapped "intermediary.hostname" for event_type "USER_LOGIN" and "NETWORK_CONNECTION".
  • Logs that were parsed as "GENERIC_EVENT" are now mapped to "USER_UNCATEGORIZED" if "principal.user.userid" is present.
  • Logs that were parsed as "GENERIC_EVENT" are now mapped to "STATUS_UPDATE" if "principal.ip" is present.

2023-02-23

  • enhancement
  • Updated Grok pattern for the process types "httpd" and "tmm".

2023-02-06

  • enhancement
  • Updated grok pattern for the process type "tmm".
  • Removed redundant "target.hostname" code and made the mapping generic/global.
  • Changed mapping of "target.hostname" to "intermediary.hostname".

2023-02-02

  • enhancement
  • Updated Grok pattern for the process type "tmm".
  • Changed mapping of "target.hostname" to "intermediary.hostname".
  • Changed metadata.event_type from "GENERIC_EVENT" to "STATUS_UPDATE" when principal.ip is present.

2022-06-21

  • bug-fix
  • Updated Grok pattern for the process type "tmm".

2022-05-02

  • bug-fix
  • Removed duplicate mappings for "event.idm.read_only_udm.security_result".
  • Parsed the logs failing during Validation API testing.