FAQ

In the Managed WAF log analysis function, please tell me the meaning of each item displayed in the Raw log field.


In the Managed WAF log analysis function, the main items in the Raw log and their meanings are as follows.

Reference: Tutorial - Managed WAF - Log Analytics

1. These are the descriptions when the log type is traffic.

Item / Meaning of item
date=The date is displayed.
time=The time is displayed.
log_id=The ID used internally is displayed.
msg_id=The ID used internally is displayed.
vd=The ID used internally is displayed.
timezone=The time zone of Managed WAF is displayed.
type=Displays the type of log. [Traffic] is output for traffic-related logs.
subtype=Displays the type of log. [http] is output for traffic-related logs.

※ [http] is output even for HTTPS communication.

pri=The log priority is displayed.
proto=The protocol described in the IP header is displayed.
service=[http] or [https] is displayed.
status=In traffic logs, [success] is output if the communication succeeded and [failure] if it failed.
reason=The status reason is displayed.
policy=Server Policy is displayed.
src=Displays the IP address of the communication source.
src_port=The port number of the communication source is displayed.
dst=The IP address of the communication destination is displayed.
dst_port=Displays the port number of the communication destination.
http_request_time=Displays the time (ms) taken to process the request.
http_response_time=The time (ms) taken to process the response is displayed.
http_request_bytes=Displays the number of bytes for the request.
http_response_bytes=The number of bytes of the response is displayed.
http_method=The HTTP method is displayed.
http_url=The URL is displayed.
http_agent=The User Agent is displayed.
http_retcode=The HTTP return code is displayed.
msg=A message will be displayed.
srccountry=The country from which the communication was sent is displayed.
server_pool_name=The Real Server Name is displayed.
http_host=The HTTP host is displayed.

2. These are the descriptions when the log type is security detection.

Item / Meaning of item
date=The date is displayed.
time=The time is displayed.
log_id=The ID used internally is displayed.
msg_id=The ID used internally is displayed.
vd=The ID used internally is displayed.
timezone=The time zone of Managed WAF is displayed.
type=Displays the type of log. [attack] is output for WAF detection-related logs.
subtype=Displays the type of log. For security detection logs, the function that detected the event is displayed, for example [subtype=waf_signature_detection].
pri=The log priority is displayed.
trigger_policy=Displays the policy name that detected the attack.
severity_level=The severity level of the log is displayed.
proto=The protocol described in the IP header is displayed.
service=[http] or [https] is displayed.
action=Displays the action taken when a security detection log is output. One of the following:

Alert_Deny ... Blocks the communication.
Alert ... Does not block the communication. (Displayed when the signature is set to alert only.)
Erase ... Allows the communication but removes some information from the HTTP response.

* In monitor mode, the displayed action does not change, but the actual behavior is as follows.

Alert_Deny ... Does not block the communication.
Alert ... Does not block the communication.
Erase ... Allows the communication without erasing any information.

policy=The ServerPolicy that matches the communication in Managed WAF is displayed.
src=Displays the IP address of the communication source.
src_port=The port number of the communication source is displayed.
dst=The IP address of the communication destination is displayed.
dst_port=Displays the port number of the communication destination.
http_method=The HTTP method is displayed.
http_url=The URL is displayed.
http_host=The HTTP host is displayed.
http_agent=The User Agent is displayed.
http_session_id=The Session ID is displayed.
msg=The content at the time of detection is displayed.
signature_subclass=The subclass name of the signature is displayed.
signature_id=The signature ID is displayed.
srccountry=The country from which the communication was sent is displayed.
server_pool_name=The applied Server Pool is displayed.
false_positive_mitigation=Displays whether a syntax check is executed in addition to the SQL injection signature match.
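As an added example (not part of the original FAQ or of the Managed WAF product), the following Python code parses the key=value raw log format described above, maps the action field of a detection log to its actual effect (including the monitor-mode caveat), and tallies blocked requests per source. The sample lines and all of their values are constructed for illustration.

```python
import re
from collections import Counter

# Space-separated key=value pairs; quoted values (e.g. msg="...") may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_raw_log(line):
    """Parse one raw log line into a dict of field name -> value."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def effective_outcome(record, monitor_mode=False):
    """Meaning of the displayed action (per the FAQ): Alert_Deny blocks, Alert only
    logs, Erase strips part of the response; in monitor mode nothing is blocked/erased."""
    if record.get("type", "").lower() != "attack":
        return "not a detection log"
    if monitor_mode:
        return "logged only (monitor mode)"
    outcomes = {"Alert_Deny": "blocked", "Alert": "logged only",
                "Erase": "response partially erased"}
    return outcomes.get(record.get("action"), "unknown action")

def summarize(lines, monitor_mode=False):
    """Count blocked requests per src and detections per signature subclass."""
    blocked_by_src, by_subclass = Counter(), Counter()
    for rec in map(parse_raw_log, lines):
        if rec.get("type", "").lower() != "attack":
            continue  # traffic logs carry no signature fields
        by_subclass[rec.get("signature_subclass", "?")] += 1
        if effective_outcome(rec, monitor_mode) == "blocked":
            blocked_by_src[rec.get("src", "?")] += 1
    return blocked_by_src, by_subclass

# Constructed sample lines (addresses, messages and values are made up).
SAMPLE_LINES = [
    'date=2024-01-01 time=12:00:00 type=traffic subtype=http service=https '
    'status=success src=198.51.100.10 dst=203.0.113.5 http_method=GET '
    'http_url="/index.html" http_retcode=200',
    'date=2024-01-01 time=12:00:01 type=attack subtype=waf_signature_detection '
    'action=Alert_Deny src=198.51.100.10 dst=203.0.113.5 http_url="/search?q=1" '
    'msg="example detection message" signature_subclass="SQL Injection"',
    'date=2024-01-01 time=12:00:02 type=attack subtype=waf_signature_detection '
    'action=Alert src=198.51.100.11 dst=203.0.113.5 http_url="/login" '
    'signature_subclass="Cross Site Scripting"',
]
```

Running summarize(SAMPLE_LINES) shows one blocked request from 198.51.100.10, while summarize(SAMPLE_LINES, monitor_mode=True) shows none blocked even though the logged action is still Alert_Deny.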
