I am building a similar setup where our F5 sends logs to a syslog server catching the System logs, APM logs, and LTM logs and then having a UF.
For ingesting, you mentioned putting the source type as f5:bigip:syslog it sounds like for all the modules. Won't be difficult to distinguish between the logs having it organized like this?
... View more