Log

The Alert Logic Managed Web Application Firewall (WAF) Log page includes the following sections. Click on the link to go to the corresponding section to learn more:

To go to the documentation for the previous section of Alert Logic Managed Web Application Firewall (WAF), see Learning Settings. To go to the documentation for next subsection in the WAF section, see Reports.

To access the Log page in the WAF management interface:

  1. On the left panel, under Services, click Websites.
  2. On the Websites page, click the website you want to manage.
  3. Under Log, click Deny log to access the first section.

To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Then click apply changes on the upper-left corner of the page, and click OK. Your changes will not be stored unless you save them this way.

Deny log

The Deny log window provides access to all requests denied by the proxy. The filtering functions let you narrow the displayed log information with fine-grained criteria.

Specifying filter criteria

The filter function allows you to specify conditions for showing a subset of the log entries. Until reset, the filter conditions also apply to the log report.

When the log filter section is not expanded, a Filter button and a summary of the current filter criteria are shown. When filter criteria are defined, a RESET button is available to the left of the Filter button. Pressing the RESET button clears the filter criteria.

When the Filter button is clicked, the filter section expands and filter criteria can be specified. The following filter criteria are available:

ID

Input field

Number identifying a log entry.

Valid input

Number of type integer.

Input example

20567

Default value

<none>

Path

Input field

Pattern or string specifying filter based on the URL path.

Valid input

A string or a simple wildcard.

Use the following characters to specify wildcards:

* = any string any length.

? = one occurrence of any character.

Input example
  • /store/* - matches all URL paths beginning with the string /store/, including the string itself.
  • *.php - matches all URL paths in all subdirectories with the extension .php.

Default value

<none>

IP

Input field

Source IP address of the originating client.

Valid input

An IP address in the format xxx.xxx.xxx.xxx

Input example

192.168.45.17

Default value

<none>

Host

Input field

Host information from the blocked request.

Valid input

A string or a simple wildcard.

Use the following characters to specify wildcards:

* = any string any length.

? = one occurrence of any character.

Input example

www.mycompany.com

*.mycompany.com

Default value

<none>

Date from

Input field

Filter based on request timestamp. Date from specifies the date of the oldest log records that should be included.

Valid input

A date string in the format: mm/dd/yyyy

Input example

04/27/2021

Default value

<none>

Date to

Input field

Filter based on request timestamp. Date to specifies the date of the newest log records that should be included.

Use Date from and Date to to specify a time interval.

Valid input

A date string in the format: mm/dd/yyyy

Input example

04/29/2021

Default value

<none>

Risk

Drop down menu

Risk classification of the log entry. Options are:

  • Critical
  • High
  • Medium
  • Low
  • None

Deny action

Multiple check boxes

Deny action taken on the request. Options are:

Allow

The request was allowed, either because of the current mode and white list configuration or because the request was allowed according to policy. If the request was allowed by policy, the reason for the request being logged in the deny log is typically that the backend server responded with an error. Expand the request to see details.

Block

The request was blocked by WAF.

Block-IP

The request was blocked by WAF and the source IP was blacklisted, resulting in further requests from that source being blocked at the network level.

Strip

The offending part of the request was stripped before allowing the request. Used for instance to remove session cookies for expired sessions.

Attack classification

Attack classification of the log entry. Options are:

  • Unclassified
  • SQL injection
  • XPath injection
  • SSI injection
  • OS commanding
  • XSS (Cross Site Scripting)
  • Path traversal
  • Enumeration
  • Format string
  • Buffer overflow
  • DoS attempt
  • Worm probe
  • Access violation
  • Malformed request
  • HTML tags
  • Session invalid
  • XSRF (Cross Site Request Forgery)
  • Session expired
  • Detection evasion
  • File inclusion
  • CRLF injection
  • HTTP request smuggling
  • XQuery injection
  • LDAP injection
  • XML injection
  • Null byte injection
  • Information leak
  • Backend error
  • Broken robot
  • Broken int. link
  • Broken ext. link
  • Other
  • None
  • False positive
  • Friendly

Policy violations

  • Path unknown - No policy rules allow the path segment of the URL, either because it does not match a positive policy rule or because it matches a negative policy rule (a signature).
  • Path denied - The path is explicitly denied by a URL blocking policy rule.
  • Query unknown - No positive policy rules match the name of the request parameter.
  • Query illegal - No policy rules allow the value of the request parameter, either because it does not match a positive policy rule or because it matches a negative policy rule (a signature).
  • Session validation failed - The request session ID is not valid, either because the session token has been tampered with or because it has been hijacked.
  • Form validation failed - The submitted form cannot be verified as having been issued by the web application in a response to a request from the current user session. This is an indication of a CSRF attack.
  • Session expired - The request session has exceeded the idle expiration threshold configured in WAF for the web application.
  • Malformed XML - The submitted XML request is malformed and hence cannot be parsed and validated.
  • Authorization failed - The user is not authorized to access the requested resource.
  • Header unknown - Request header not RFC 2616 compliant.
  • Header illegal - Header value failed strict validation.
  • Header validation failed - Header value failed pragmatic validation.
  • Output illegal - Server response contains an illegal string.
  • HTTP Protocol version - HTTP protocol version not allowed.
  • Method illegal - HTTP method not allowed.
  • Missing hostname - Request does not specify a host name.
  • Invalid hostname - No website proxy is configured for the requested host name.
  • Request line maximum length - Entire request line (URI?query) exceeds allowed maximum length.
  • Request path maximum length - Request path exceeds allowed maximum length.
  • Query string maximum length - Request query exceeds allowed maximum length.
  • Content type not enabled - Request content type is supported but not enabled.
  • Header name length - Header name exceeds allowed maximum length.
  • Header value length - Header value exceeds allowed maximum length.
  • Maximum number of headers - Number of headers exceeds allowed maximum.
  • Upload attempt - Upload attempted but upload not allowed.
  • Payload length exceeded - POST payload exceeds allowed maximum size.
  • Maximum number of upload files - Number of files to upload in a request exceeds allowed maximum.
  • Total upload size - Total size of upload files in request exceeds allowed maximum.
  • Maximum file size - Size of a single upload file exceeds allowed maximum.
  • Cookie version not allowed - Request cookie version not allowed.
  • Maximum number of cookies - Number of cookies in request exceeds allowed maximum.
  • Cookie name length - Name of a cookie exceeds allowed maximum length.
  • Cookie value length - Value of a cookie exceeds allowed maximum length.
  • Maximum number of GET parameters - Number of GET parameters exceeds allowed maximum.
  • GET parameter name length - GET parameter name exceeds allowed maximum length.
  • GET parameter value length - GET parameter value exceeds allowed maximum length.
  • GET parameter combined length - Combined length of GET parameter name and value exceeds allowed maximum length.
  • Maximum number of POST parameters - Number of POST parameters exceeds allowed maximum.
  • POST parameter name length - POST parameter name exceeds allowed maximum length.
  • POST parameter value length - POST parameter value exceeds allowed maximum length.
  • POST parameter combined length - Combined length of POST parameter name and value exceeds allowed maximum length.
  • General request violation - Other generic violations.

Lower button bar for filter criteria

Reset

Button

Resets the filter criteria to default values.

Apply

Button

Applies the defined filter to the deny log database.

Close

Button

Closes the filter section.
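The filter semantics described above (simple wildcards for Path and Host, exact match for ID and IP, an inclusive mm/dd/yyyy date interval, a single Risk value and a set of Deny action check boxes) can be reproduced offline against an exported log. The following is an added example, not Alert Logic code: the DenyLogEntry record layout and the sample entries are constructed for the example, since the page does not describe the export schema.

```python
"""Offline re-implementation of the Deny log filter criteria (added example,
not Alert Logic code). DenyLogEntry is a constructed record layout; the
real export schema is not described on the page."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, List, Optional, Set


@dataclass
class DenyLogEntry:
    id: int
    time: datetime
    source_ip: str
    host: str
    path: str
    risk: str      # Critical / High / Medium / Low / None
    action: str    # Allow / Block / Block-IP / Strip


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the simple wildcard syntax (* = any string of any length,
    ? = one occurrence of any character) into an anchored regular expression.
    Every other character is escaped, so the '.' in '*.php' is a literal dot."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def wildcard_match(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).match(value) is not None


def parse_filter_date(text: str) -> date:
    """Date filter input in the mm/dd/yyyy format used by the Log page."""
    return datetime.strptime(text, "%m/%d/%Y").date()


@dataclass
class DenyLogFilter:
    id: Optional[int] = None
    path: Optional[str] = None
    ip: Optional[str] = None
    host: Optional[str] = None
    date_from: Optional[str] = None   # oldest day to include
    date_to: Optional[str] = None     # newest day to include
    risk: Optional[str] = None
    actions: Optional[Set[str]] = None  # Deny action check boxes; None = all

    def matches(self, e: DenyLogEntry) -> bool:
        if self.id is not None and e.id != self.id:
            return False
        if self.path is not None and not wildcard_match(self.path, e.path):
            return False
        if self.ip is not None and e.source_ip != self.ip:
            return False
        if self.host is not None and not wildcard_match(self.host, e.host):
            return False
        day = e.time.date()
        if self.date_from is not None and day < parse_filter_date(self.date_from):
            return False
        if self.date_to is not None and day > parse_filter_date(self.date_to):
            return False
        if self.risk is not None and e.risk != self.risk:
            return False
        if self.actions and e.action not in self.actions:
            return False
        return True


def apply_filter(f: DenyLogFilter, entries: Iterable[DenyLogEntry]) -> List[DenyLogEntry]:
    return [e for e in entries if f.matches(e)]


# Constructed sample entries, not real log data.
SAMPLE = [
    DenyLogEntry(20567, datetime(2021, 4, 27, 9, 15), "192.168.45.17",
                 "www.mycompany.com", "/store/cart.php", "High", "Block"),
    DenyLogEntry(20568, datetime(2021, 4, 28, 11, 2), "192.168.45.17",
                 "shop.mycompany.com", "/store/checkout", "Critical", "Block-IP"),
    DenyLogEntry(20569, datetime(2021, 4, 30, 8, 0), "10.0.0.5",
                 "www.mycompany.com", "/index.php", "None", "Allow"),
    DenyLogEntry(20570, datetime(2021, 4, 28, 12, 30), "10.0.0.5",
                 "www.other.example", "/store/img.png", "Low", "Strip"),
]

if __name__ == "__main__":
    f = DenyLogFilter(path="/store/*", date_from="04/27/2021", date_to="04/29/2021")
    for entry in apply_filter(f, SAMPLE):
        print(entry.id, entry.time, entry.source_ip, entry.host, entry.path, entry.action)
```

The wildcard translation escapes every non-wildcard character, which is the detail most easily got wrong: a filter of `*.php` must not silently match `/index_php`.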

Blocked and failed requests

Displays requests for resources for the selected proxy that were blocked by WAF.

HTTP headers, URL, parameters and values (if any) that were blocked in the request are highlighted in red color.

Failed requests are also shown in the deny log, which allows you to identify broken internal and external links and broken robots that do not honor the 404 Not Found response.

The total number of log entries matching the current filter criteria (if specified) is displayed as Query returned #number records. If the total number of records is larger than the Entries per page selection, use the navigation arrows to page through the log records.

Details are expandable: Click details icon in the rightmost column to expand.

Checkbox

Marks the log entry for addition to the access policy.

To allow further requests based on the information in the selected log entry/entries, select them and click on the Add selected to ACL button.

Note: parameters that are defined as regexp in web applications and global policy are not automatically updated to allow new values based on the input from the logged requests. In this case, values need to be updated manually.

If adding is not possible, the check box is inactive.

Time

Date and time the request was logged.

Source IP

Source IP the request originated from.

Click on the IP address to get whois information.

Host

Hostname from the original request or none if none was present.

Risk

Risk classification of the log entry. Options are:

  • Critical
  • High
  • Medium
  • Low
  • None

Class

Attack classification of the log entry. Options are:

  • SQL injection
  • XPath injection
  • SSI injection
  • OS commanding
  • XSS (Cross Site Scripting)
  • Path traversal
  • Enumeration
  • Format string
  • Buffer overflow
  • DoS attempt
  • Worm probe
  • Access violation
  • Malformed request
  • HTML tags
  • Session invalid
  • XSRF (Cross Site Request Forgery)
  • Session expired
  • Detection evasion
  • Remote file inclusion
  • Information leak
  • Backend error
  • Broken robot
  • Broken int. link
  • Broken ext. link
  • Other
  • None
  • False positive
  • Friendly

Action

Block action taken on the request. Options are:

Allow

The request was allowed, either because of the current mode and white list configuration or because the request was allowed according to policy. If the request was allowed by policy, the reason for the request being logged in the deny log is typically that the backend server responded with an error. Expand the request to see details.

Block

The request was blocked by WAF.

Block-IP

The request was blocked by WAF and the source IP was blacklisted, resulting in further requests from that source being blocked at the network level.

Strip

The offending part of the request was stripped before allowing the request. Used for instance to remove session cookies for expired sessions.

URL Path

The URL path requested.

To view all entries in the list expanded, click the Report button in the lower button bar.

To avoid locking the management interface by returning huge amounts of data, a maximum of 500 log entries at a time is displayed in the interactive log interface.

Use the XML export function to download larger lists (or the complete log) for offline analysis and archival purposes.

Lower button bar

The lower button bar contains the following buttons.

Flush log

Button

Use with caution!

When clicking this button and accepting the confirm pop-up window, all log data for that proxy is deleted.

Log report

Button

Generate a printable report based on the defined filter criteria (if any).

Add selected to ACL

Button

Adds selected log records to access policy.

Access log

Under Log, click Access log to access this page.

When access logging is enabled, all requests to the website are logged.

The access log is generated on a per-day basis. The current log can be monitored and viewed, and closed logs are made available for download.

The fields displayed depend on the selected access log format.

Access log files

Under Log, click Access log files to access this page.

When log files are available for download the file name is an active link. To download an access log file click on the file name.

When remote backup is enabled, the latest access log file made available for download will be compressed (using gzip) and copied to the remote backup destination along with the backup of the system configuration.

Several log file formats are available: a condensed WAF-specific format and some standardized formats, such as NCSA Combined (Apache Combined), that are suitable for importing into log analysis and report generation tools.

See Access Log Formats for log format definitions.
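As an added example of importing a downloaded access log into your own analysis (not Alert Logic code, and not the condensed WAF-specific format, which is not defined on this page), the following parses NCSA Combined (Apache Combined) lines, reads gzip-compressed files such as those copied to the remote backup destination, and tallies status codes and 404 paths. The sample lines and the temporary file name are constructed for the example; the parser assumes the downloaded file follows the standard Combined format exactly.

```python
"""NCSA Combined access log parser for downloaded (optionally gzip-compressed)
log files. Added example, not Alert Logic code; SAMPLE_LINES are constructed."""
import gzip
import os
import re
import tempfile
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Quoted fields accept backslash-escaped characters, as Apache emits for
# embedded quotes in request lines and user agents.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def parse_combined_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for one Combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["time"] = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(m.group("status"))
    # "-" in the size field means no response body bytes were sent.
    rec["size"] = 0 if m.group("size") == "-" else int(m.group("size"))
    # Split the request line into method, target and protocol; a malformed
    # request line (not exactly three tokens) keeps only the raw text.
    parts = m.group("request").split(" ")
    if len(parts) == 3:
        rec["method"], target, rec["protocol"] = parts
        rec["path"], _, rec["query"] = target.partition("?")
    else:
        rec["method"] = rec["path"] = rec["query"] = rec["protocol"] = None
    return rec


def parse_access_log(lines: Iterable[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse all lines. Unparseable lines are returned separately rather than
    silently dropped: a line that breaks the format is itself worth a look."""
    records: List[Dict[str, object]] = []
    bad: List[str] = []
    for line in lines:
        rec = parse_combined_line(line)
        if rec is None:
            bad.append(line)
        else:
            records.append(rec)
    return records, bad


def read_access_log_file(path: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Open a downloaded log file; .gz files are decompressed transparently."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return parse_access_log(fh)


def status_counts(records: List[Dict[str, object]]) -> Counter:
    return Counter(r["status"] for r in records)


def not_found_paths(records: List[Dict[str, object]]) -> Counter:
    """Paths answered with 404: candidates for broken links or misbehaving robots."""
    return Counter(r["path"] for r in records if r["status"] == 404 and r["path"])


# Constructed sample lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LINES = [
    '192.168.45.17 - - [27/Apr/2021:09:15:02 +0000] "GET /store/cart.php HTTP/1.1" 200 5123 '
    '"https://www.mycompany.com/store/" "Mozilla/5.0"',
    '192.168.45.17 - - [27/Apr/2021:09:15:09 +0000] "GET /store/old-page.html HTTP/1.1" 404 312 '
    '"https://www.mycompany.com/store/" "Mozilla/5.0"',
    '10.0.0.5 - alice [27/Apr/2021:09:16:40 +0000] "POST /login HTTP/1.1" 302 - "-" "curl/7.68.0"',
    '10.0.0.5 - - [27/Apr/2021:09:17:01 +0000] "GET /store/old-page.html?x=1 HTTP/1.1" 404 312 '
    '"-" "ExampleBot/1.0"',
    'this line is not in combined format',
]


def gzip_roundtrip_demo() -> int:
    """Write the sample as a .gz file, read it back through the parser, return the record count."""
    fd, path = tempfile.mkstemp(suffix=".log.gz")  # constructed temporary file
    os.close(fd)
    try:
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_LINES) + "\n")
        records, _bad = read_access_log_file(path)
        return len(records)
    finally:
        os.remove(path)


if __name__ == "__main__":
    recs, bad = parse_access_log(SAMPLE_LINES)
    print(status_counts(recs), not_found_paths(recs).most_common(3), len(bad), "unparsed line(s)")
```

Keeping the unparsed lines instead of discarding them matters in practice: a tool that quietly drops lines it cannot parse hides exactly the requests a malformed-request rule would have flagged.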