MagnetoAI Device Monitor

Continuous F5 BIG-IP telemetry, AI analytics, and real-time monitoring in one service.

MagMonitor connects to your managed BIG-IP fleet on a defined interval, collects device health and security telemetry, and ships it to the MagnetoAI cloud AI analytics endpoint for proactive fault detection and log intelligence.

Why It Matters

Built for teams that need continuous visibility across their BIG-IP estate.

Operational Challenge

Distributed BIG-IP environments are difficult to monitor manually. Health degradation and security events often go unnoticed until they cause an outage or compliance exposure.

Who It Supports

Network operations teams, security engineers, and platform owners responsible for the reliability and security posture of managed F5 infrastructure.

Outcome

A persistent, low-overhead monitoring service that delivers device telemetry to the MagnetoAI cloud for AI-driven analysis, alerting, and proactive fault detection.

Key Capabilities

Telemetry collection, AI analytics, and real-time operational control.

Device Telemetry Collection

Connects to all registered BIG-IP devices in parallel on each collection cycle via iControlREST. Gathers CPU (per-core), memory, disk volumes, network interface counters, and software version per device.

AI-Powered Cloud Analytics

Ships structured telemetry and F5 security logs to the MagnetoAI cloud analytics endpoint. Enables proactive fault detection and anomaly surfacing without manual log review.

Embedded HTTPS Dashboard

Provides a built-in web dashboard with automatic TLS 1.3 and self-signed certificate generation. HTTP-to-HTTPS redirects are enabled by default. Access is configurable by CIDR allowlist.

Real-Time WebSocket Streaming

Maintains a bidirectional WebSocket connection to the MagnetoAI cloud. Emits lifecycle and telemetry events as they occur and accepts remote commands for controlled update execution.

Device Log Capture (Optional)

Pulls security logs from up to 7 configurable BIG-IP modules via iControlREST. Logs are filtered, redacted, and summarized by AI on-premises before being forwarded. Disabled by default.

Network Reachability Probing

Runs ICMP and HTTP-level pre-checks against managed devices before each collection cycle. Skips unreachable devices gracefully and reports reachability status alongside telemetry.

AI Analytics

Turn raw device telemetry and security logs into actionable intelligence — automatically.

Most monitoring tools tell you what happened. MagMonitor's AI analytics layer tells you what it means — and what to do about it. Instead of reviewing hundreds of raw log lines per cycle, your team receives structured, AI-summarized insights surfaced from across your entire BIG-IP fleet.

Proactive, Not Reactive

The AI analytics engine continuously processes telemetry across your managed fleet — identifying anomalies, capacity trends, and security signals before they escalate into incidents. You don't wait for a threshold alert. The system surfaces what matters.

Fleet-Scale Pattern Recognition

Because MagMonitor aggregates data from every managed device in your deployment group, the cloud analytics layer can identify cross-device patterns — correlating CPU spikes, connection table growth, interface errors, and log anomalies that no single-device view would reveal.

Security Log Intelligence

When log capture is enabled, raw F5 module logs — WAF blocks, firewall denies, DoS events, SSL interception records — are passed through an AI model that extracts what is operationally relevant, discards noise, and returns a concise summary of what your devices actually saw. No manual review required.

Eliminates Manual Log Review at Scale

A 20-device fleet generating 5,000 log entries per cycle produces more data than any operations team can meaningfully review. MagMonitor's AI layer compresses that into structured, time-stamped summaries — giving your team the signal without the noise.

Input: Raw telemetry + security logs from every device in your fleet
AI Layer: Anomaly detection, pattern correlation, log summarization
Output: Actionable insights, alerts, and structured summaries — no manual review

MagnetoAI Cloud Analytics

Structured device telemetry is forwarded to the MagnetoAI cloud analytics endpoint after each collection cycle. The cloud layer runs pattern recognition and fault detection models against your fleet's historical and current metrics, returning scored observations and alerts to the dashboard.

On-Premises Log AI

When log capture is enabled, AI log processing runs on-premises using local LLM models — not cloud AI providers. Raw log data stays on your network. The local model summarizes, classifies, and scores entries before any data is forwarded, so only structured intelligence leaves your environment.

Bring Your Own AI (BYOAI)

For teams with existing AI infrastructure, BYOAI lets you route log processing through your own model endpoint — OpenAI, Anthropic, Google, Azure OpenAI, AWS Bedrock, Mistral, Groq, or a fully on-premises model. You control the model, the data path, and the API key.

Device Logging & AI

Granular, opt-in log capture from managed BIG-IP modules — with built-in sanitization and AI summarization.

What Is Pulled

Logs are collected from managed BIG-IP devices via the iControlREST API. You enable or disable collection per module, and set a maximum log count per module per cycle. A global cap applies across all modules combined.

Module | F5 Source | Multi-Vendor Equivalents | Configurable
SSLO Interception | SSL Orchestrator (SSLO) | Palo Alto SSL Decryption · Fortinet Deep Inspection · A10 SSLi | Toggle + Max
User Policy Manager | APM (Access Policy Manager) | Palo Alto User-ID · Fortinet Network Access Control · A10 AAM | Toggle + Max
DNS & Traffic Mgmt | DNS / GTM | Palo Alto DNS Security · Fortinet DNS Filter · A10 GSLB | Toggle + Max
Web App Firewall | ASM / Advanced WAF | Palo Alto Threat Prevention · Fortinet FortiWeb · A10 Thunder WAF | Toggle + Max
Network Firewall | AFM (Advanced Firewall Manager) | Palo Alto Zone-Based Firewall · Fortinet NGFW · A10 Thunder CFW | Toggle + Max
DoS / DDoS Protection | DoS Protection (AFM) | Palo Alto Zone Protection · Fortinet FortiDDoS · A10 Thunder TPS | Toggle + Max
Load Balancing & Proxy | LTM (Local Traffic Manager) | Fortinet FortiADC · A10 Thunder ADC | Always On

Global cap — max total logs across all modules per cycle. Default: 5,000

How It's Pulled & How Often

Transport: iControlREST

Log entries are fetched from each managed device using the F5 iControlREST API — the same authenticated API used for device health telemetry. No agent or syslog integration is required on the device. Credentials are shared from the existing device configuration file.

Poll Interval

The collection cycle runs at a configurable interval — how frequently MagMonitor queries each managed device for new log entries. The default is 300 seconds (5 minutes). The minimum is 30 seconds; the maximum is 86,400 seconds (24 hours). This is set globally in the cloud settings panel and applies to all devices in your account.

Per-Device, Per-Module Caps

Each enabled module has its own maximum log count per cycle, and a combined global cap prevents any single cycle from becoming a data flood. Modules with no new entries in a cycle are skipped efficiently without counting against the cap.

Filtering, Sanitization & Redaction

Both controls below are enabled by default. They apply before any log data is processed by AI or forwarded anywhere.

Filter & Sanitize Logs

Before any AI processing or forwarding, captured log entries pass through a sanitization stage. Non-actionable noise, duplicate entries, and malformed records are removed. Only structurally valid, operationally relevant entries are passed downstream. This reduces AI processing time and ensures the model receives clean input.

Default: On

Redact Sensitive Data

A redaction pass runs over filtered log entries before they reach the AI layer. Known patterns for usernames, IP addresses in certain contexts, session tokens, credentials, and other sensitive fields are masked or removed. This ensures that even if logs contain identifiable information, it does not propagate into AI summaries or cloud storage.

Default: On
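The filter-then-redact order described above can be checked with canary values: seed known secrets into test entries and confirm none survive. The sketch below is an added example, not MagMonitor code; the key=value log format, the field names, and the regex patterns are all assumptions, since the product's actual rules are not published on this page.

```python
import re

# Assumed patterns for illustration; not the product's real redaction rules.
REDACTIONS = [
    (re.compile(r'(?i)\b(user(?:name)?)=("[^"]*"|\S+)'), r'\1=<user>'),
    (re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key)=("[^"]*"|\S+)'), r'\1=<redacted>'),
    (re.compile(r'(?i)\b(session(?:_?id)?|token)=("[^"]*"|\S+)'), r'\1=<token>'),
    (re.compile(r'(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+'), 'Bearer <token>'),
    # "IP addresses in certain contexts": only client-side fields are masked here.
    (re.compile(r'(?i)\b(client_ip|src_ip)=(\d{1,3}(?:\.\d{1,3}){3})'), r'\1=<ip>'),
]

# An entry is structurally valid if it starts with a UTC timestamp and a module tag.
LINE_OK = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z \S+ ')

def filter_entries(lines):
    """Drop malformed records and exact duplicates, keeping first-seen order."""
    seen, kept = set(), []
    for line in lines:
        line = line.strip()
        if not LINE_OK.match(line) or line in seen:
            continue
        seen.add(line)
        kept.append(line)
    return kept

def redact(line):
    """Apply every redaction pattern to one entry."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line

def sanitize(lines):
    """Filter first, then redact, so the AI stage only ever sees masked entries."""
    return [redact(line) for line in filter_entries(lines)]

def leaked(lines, canaries):
    """Return every canary value that is still present after sanitization."""
    return [c for c in canaries if any(c in line for line in lines)]

# Constructed sample entries (not real BIG-IP log output).
RAW = [
    '2024-05-01T10:00:00Z asm action=blocked client_ip=203.0.113.7 username=jdoe uri=/login',
    '2024-05-01T10:00:00Z asm action=blocked client_ip=203.0.113.7 username=jdoe uri=/login',
    'garbage without timestamp',
    '2024-05-01T10:00:05Z apm session_id=9f8e7d6c5b4a result=allow vip=192.0.2.10',
    '2024-05-01T10:00:09Z ltm Authorization: Bearer abc.def.ghi pool=web',
]
CANARIES = ['jdoe', '203.0.113.7', '9f8e7d6c5b4a', 'abc.def.ghi']

if __name__ == '__main__':
    clean = sanitize(RAW)
    print('\n'.join(clean))
    print('leaked:', leaked(clean, CANARIES))
```
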

Data Retention

Raw Log Retention

After logs have been processed by the AI summarization layer, raw log data is securely deleted. The retention window defines how long raw entries are kept before summarization runs. Default is 24 hours. Only the structured AI summary is retained afterward.

Summarized Data Retention

AI-summarized log data — actionable insights, classified events, and scored anomalies — is retained for a configurable period. Default is 14 days. This gives your team a rolling window of processed intelligence without long-term raw log storage.

Privacy-First Design

Raw log data is never sent to any cloud AI provider (including OpenAI, Anthropic, Google, AWS, or others) unless you explicitly configure a BYOAI cloud provider. By default, AI log processing runs on-premises using local models. Your raw network data does not leave your environment.

AI Processing Options

Log summarization requires an AI processing backend. Two modes are available — they are mutually exclusive.

Local AI / LLM Models

By default, log summarization runs through on-premises AI/LLM models managed by the MagnetoAI platform. Log data is analyzed and summarized entirely within your network boundary. No log data is sent to any third-party cloud AI service.

The local model produces structured summaries — classifying events, scoring severity, and extracting indicators of compromise or capacity risk — which are then retained per the configured summary retention window.

Default: On (when log capture is enabled)

Bring Your Own AI (BYOAI)

If you have existing AI infrastructure or prefer a specific provider, BYOAI lets you route log processing through your own endpoint. When BYOAI is active, the local AI option is automatically disabled — they cannot run simultaneously.

Supported cloud providers: OpenAI (ChatGPT), Anthropic (Claude), Google (Gemini), Microsoft Azure OpenAI, AWS Bedrock, Mistral AI, Cohere, Meta AI (Llama API), Groq, Together AI.

In-house / on-prem: Connect to any self-hosted model endpoint using host, port, model name, optional TLS, and optional bearer token or API key authentication. Extended chain-of-thought reasoning is available for supported models.

Default: Off

Log Capture Settings Reference (settings.json)

# These values are pushed from the MagnetoAI cloud after authentication.
# They can also be set locally in settings.json for offline or advanced deployments.

{
  "log_capture_enabled":   false,    // Master switch — disabled by default
  "log_poll_interval":     300,      // Seconds between log collection cycles (default: 300)
  "log_filter_sanitize":   true,     // Strip noise and malformed entries before processing
  "log_redact_sensitive":  true,     // Mask usernames, tokens, and sensitive fields
  "log_raw_retention_hrs": 24,       // Hours to keep raw logs before secure deletion (default: 24)
  "log_retention_days":    14,       // Days to retain AI-summarized data (default: 14)
  "log_use_local_ai":      true,     // Use on-prem AI models for summarization (default: true)
  "byoai_enabled":         false,    // Enable Bring Your Own AI (mutually exclusive with local AI)
  "byoai_provider":        "",       // Provider: openai, anthropic, google, azure, aws, inhouse, etc.
  "byoai_cloud_apikey":    ""        // API key for cloud BYOAI provider
}

SaaS & API Integrations

Cloud analytics, real-time signaling, log intelligence, and device-level data collection.

MagnetoAI Cloud API

Authentication, device list retrieval, telemetry ingestion, and AI analytics endpoint reporting.

MagnetoAI WebSocket Service

Bidirectional real-time channel for lifecycle events, per-device telemetry streaming, and remote update commands.

F5 Log Ingestion API

Structured, AI-summarized log payloads from BIG-IP devices are forwarded to the cloud log analytics endpoint each cycle.

BYOAI Log Intelligence

Cloud-assigned or in-house AI model endpoint for enriched F5 log analysis. Provider, model, and credentials are configured per account.

How It Works

End-to-end flow from startup to recurring collection cycle.

  1. Authenticate with the MagnetoAI cloud API and load device configuration and log capture settings.
  2. Run startup preflight checks: port availability, firewall state, and cloud endpoint reachability.
  3. Start the embedded HTTPS dashboard and persistent WebSocket connection.
  4. Establish the local MCP bridge for remote update control.
  5. Begin the collection loop: probe all managed BIG-IP devices in parallel via ICMP and HTTP.
  6. Collect CPU, memory, disk, network interface, and software version telemetry per reachable device.
  7. If log capture is enabled — pull security log entries per configured module via iControlREST, applying per-module and global caps.
  8. Filter and sanitize raw log entries; redact sensitive fields; pass to local AI or BYOAI model for summarization.
  9. Publish telemetry, per-device events, and AI-summarized log data to the MagnetoAI cloud. Delete raw logs per retention policy.
  10. Sleep for the configured interval and repeat. Handles SIGINT/SIGTERM for clean shutdown.

Architecture

Modular layers with clear operational ownership.

Collection & Telemetry Layer

Manages parallel device polling via iControlREST, per-device metric aggregation, ICMP/HTTP reachability probing, and software version tracking.

Log Capture & Intelligence Layer

When enabled: pulls per-module security logs, applies filtering and redaction, routes entries through local AI or BYOAI for summarization, and enforces retention policies.

Cloud Integration Layer

Handles MagnetoAI API authentication, structured telemetry payload construction, REST delivery, AI-summarized log forwarding, and cloud settings sync.

Real-Time Streaming Layer

Maintains the persistent WebSocket channel, emits lifecycle and per-device telemetry events, and processes inbound remote commands such as policy update triggers.

Dashboard & TLS Layer

Serves the embedded HTTPS dashboard, manages self-signed TLS 1.3 certificate generation, and handles HTTP-to-HTTPS redirect listeners.

Local Control & Update Layer

Automates the embedded MCP bridge at startup for local update orchestration. Supports remote-triggered execution of the f5_urlrep_cm updater binary.

Collection Cycle Summary

Authenticate -> Preflight -> Dashboard Start -> WebSocket Connect
-> Device Probe (parallel) -> Telemetry Aggregation
-> Log Capture (if enabled) -> Filter + Redact -> AI Summarize
-> Cloud Publish -> Raw Log Purge -> Sleep(interval) -> Repeat

Getting Started

Install and run MagMonitor on your managed host in a few steps.

1. Prepare Install Directory

Create a dedicated folder (for example, under $HOME or /opt) and run installation from there.

2. Run the Unified Installer

get_latest.php auto-detects OS, downloads the correct binary, and verifies checksum and signature.

3. Validate and Operate

Confirm version output, review startup output for dashboard URL and preflight results, and monitor logs for ongoing cycle health.

Installation Details

Quick Start (Recommended)

mkdir -p "$HOME/mag_monitor"
cd "$HOME/mag_monitor"
curl -fsSLO https://cdn.tag-insights.com/apps/updater/get_latest.php
bash ./get_latest.php
./mag_monitor --version

One-liner Curl Mode

cd "$HOME/mag_monitor"
curl -fsSL https://cdn.tag-insights.com/apps/updater/get_latest.php | bash

Install Output and Logs

  • Binary: $PWD/mag_monitor
  • Installer: $PWD/get_latest.php
  • State: $PWD/.mag_monitor_installer/
  • Logs: /var/log/mag_monitor preferred, local fallback if needed

Cron Auto-Update Behavior

Installer creates or updates a weekly cron run (Sunday at 04:00) and can skip cron setup when requested.

bash ./get_latest.php --no-cron

Uninstall Workflow

curl -fsSLO https://cdn.tag-insights.com/apps/mag_monitor/uninstall-latest.sh
bash ./uninstall-latest.sh

Removes binary, installer script, state directory, and installer cron marker.

CLI Usage

Run once for validation, target a deployment group, or run continuously in the background.

Run Once Flag

Use --once to execute a single collection cycle and exit. Useful for testing connectivity and verifying telemetry delivery before committing to continuous operation.

# Execute one cycle and exit
./mag_monitor --once

# One cycle with debug output
./mag_monitor --once --debug

Deployment Group Flag

Use --dg (or --deployment_group) to scope a collection run to a named deployment group. Only devices assigned to that group are polled. Omitting the flag targets the all group.

# Short form
./mag_monitor --dg <group-name>

# Long form (equivalent)
./mag_monitor --deployment_group <group-name>

Common Usage Patterns

# Continuous operation (default — runs until stopped)
./mag_monitor

# Single validation cycle with verbose output
./mag_monitor --once --debug

# Scope to a named group for targeted monitoring
./mag_monitor --dg production

# Run and scope, then exit after one cycle
./mag_monitor --dg lab --once

CLI Reference & Settings

Argument Reference

  • --once — Run one collection cycle and exit
  • --debug / -d — Enable verbose debug output
  • --dg <name> / --deployment_group <name> — Target a named deployment group
  • --version — Print installed version and exit
  • --no-cron — Skip cron schedule setup during install

Key settings.json Controls

  • collect_interval_seconds — Device telemetry poll interval (default: 300)
  • max_device_workers — Parallel device collection threads (default: 20)
  • web_enabled — Enable or disable the built-in dashboard (default: true)
  • web_tls_enabled — Enable TLS 1.3 for the dashboard (default: true)
  • web_allowed_cidrs — CIDR allowlist for dashboard access (default: open)
  • websocket_enabled — Enable real-time WebSocket streaming (default: true)
  • log_capture_enabled — Enable device log collection (default: false)
  • log_poll_interval — Log collection interval in seconds (default: 300)
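
A pre-deployment audit of settings.json against the documented defaults and limits (the log capture settings reference and the key controls above), written as an added example rather than a MagMonitor tool. It assumes the file is plain JSON without comments and that web_allowed_cidrs is a list of CIDR strings where an empty list means "open"; neither representation is specified on this page.

```python
import ipaddress
import json

# Defaults as documented on this page; the list form of web_allowed_cidrs
# (empty = open) is an assumption.
DEFAULTS = {
    "log_capture_enabled": False, "log_poll_interval": 300,
    "log_filter_sanitize": True, "log_redact_sensitive": True,
    "log_use_local_ai": True, "byoai_enabled": False, "byoai_provider": "",
    "web_enabled": True, "web_tls_enabled": True, "web_allowed_cidrs": [],
}

def unrestricted_cidrs(cidrs):
    """Return entries that are malformed or match every address (prefix /0)."""
    flagged = []
    for entry in cidrs:
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                flagged.append(entry)
        except ValueError:
            flagged.append(entry)
    return flagged

def audit_settings(raw_json):
    """Return a list of (code, message) findings for a settings.json string."""
    explicit = json.loads(raw_json)
    cfg = {**DEFAULTS, **explicit}
    findings = []

    if cfg["web_enabled"]:
        if not cfg["web_tls_enabled"]:
            findings.append(("DASH_NO_TLS", "dashboard enabled with web_tls_enabled=false"))
        if not cfg["web_allowed_cidrs"]:
            findings.append(("DASH_OPEN", "web_allowed_cidrs unset: dashboard reachable from any source"))
        for entry in unrestricted_cidrs(cfg["web_allowed_cidrs"]):
            findings.append(("DASH_CIDR", f"web_allowed_cidrs entry {entry!r} is malformed or matches all addresses"))

    interval = cfg["log_poll_interval"]
    if isinstance(interval, bool) or not isinstance(interval, int) or not 30 <= interval <= 86400:
        findings.append(("POLL_RANGE", "log_poll_interval outside documented 30..86400 seconds"))

    # Only flag the conflict when both modes are switched on explicitly in the file.
    if explicit.get("byoai_enabled") is True and explicit.get("log_use_local_ai") is True:
        findings.append(("AI_MODE_CONFLICT", "byoai_enabled and log_use_local_ai are documented as mutually exclusive"))

    if cfg["log_capture_enabled"]:
        for key in ("log_filter_sanitize", "log_redact_sensitive"):
            if not cfg[key]:
                findings.append(("LOG_UNSANITIZED", f"log capture on with {key}=false"))
        if cfg["byoai_enabled"] and cfg["byoai_provider"] != "inhouse":
            findings.append(("LOG_EGRESS", "BYOAI cloud provider configured: log entries are sent to a third-party AI service"))
    return findings

# Constructed sample, not a real deployment.
SAMPLE = json.dumps({
    "web_allowed_cidrs": ["10.20.0.0/16", "0.0.0.0/0"],
    "log_capture_enabled": True, "log_redact_sensitive": False,
    "log_use_local_ai": False, "byoai_enabled": True, "byoai_provider": "openai",
    "log_poll_interval": 10,
})

if __name__ == "__main__":
    for code, message in audit_settings(SAMPLE):
        print(f"{code}: {message}")
```

Run against an empty object, the audit reports only the open dashboard allowlist, which matches the documented default for web_allowed_cidrs.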

Dashboard & TLS Defaults

By default, MagMonitor starts an HTTPS dashboard on port 443 (with fallback to 4433) and redirects HTTP port 80 to HTTPS. A self-signed TLS 1.3 certificate is generated automatically on first launch. To use a certificate you provide, set web_tls_cert_source to provided and configure the cert and key paths.

# Example settings.json TLS override
{
  "web_tls_cert_source": "provided",
  "web_tls_cert_file": "/etc/ssl/certs/my-cert.pem",
  "web_tls_key_file": "/etc/ssl/private/my-key.pem"
}

Important Notes

Reliability, security, and operational behaviors emphasized in the platform design.

What happens if a device is unreachable?

Unreachable devices are skipped for that cycle and reported. A single failing device does not stop collection from the rest of the fleet.

How is the dashboard secured?

The dashboard uses TLS 1.3 with either a self-signed certificate or one you provide. Access can be restricted by CIDR allowlist in settings.

Does log capture require any changes on the BIG-IP?

No additional agents or syslog configurations are needed. Logs are pulled via the same iControlREST API used for telemetry collection, using existing device credentials.

Does raw log data leave my network?

Not unless you configure a BYOAI cloud provider. With the default local AI option, log processing runs on-premises and only AI-summarized structured data is forwarded.

How are credentials handled?

Credentials are loaded from an encrypted configuration file shared with other Cassandra client tools. Decrypted material is not written to disk during operation.

How is continuous operation maintained?

MagMonitor runs as a long-lived process. Signal handling ensures clean shutdown on SIGINT or SIGTERM. Parallelized collection and timeout controls support stable repeat execution.

Continuous telemetry, AI analytics, and real-time visibility across your managed BIG-IP fleet.

MagMonitor delivers persistent, low-overhead monitoring with cloud-backed AI analysis, optional on-premises log intelligence, a secure embedded dashboard, and real-time event streaming — all from a single deployed binary.
