Overview: WAF Event Management

Manage application safety by monitoring traffic that generated security events recognized by your Web Application Security policy. When the logging format is appropriately configured for your application security policy, the system logs every violation identified in a specific request as a single log message. To view events, you must attach a WAF policy to an application that is currently receiving traffic.

About application security logging

Application security event logs provide information about transactions to your applications, regardless of the legal or illegal status assigned by the WAF profile. These events are generated based on the settings in your WAF profile. While policy templates are set to trigger events (alert/block) for the most common or severe violations in application traffic, you might need to fine-tune your policy to optimize which events are logged.

In an application security event log, you can view, query, and search traffic logs (requests) and any detected WAF violations over time. To search the application security events for WAF profiles, you can filter events by multiple parameters and/or values detected (or not detected) within the event.

In addition, the event log can be exported to a PDF for further use.

General information

The following event parameters are displayed in the list of events. Each of these parameters or their values can be filtered in the log. You can drill down into each event to view additional information.

For more information about the full details provided in each event, see Reference: Event Logs.

  • Status - The current status of how the policy handled the request, depending on the event invoked. You can receive one of the following statuses:

    • Passed - The request was detected as legal traffic.

    • Alerted - The request was detected as illegal but was not blocked.

    • Blocked - The request was detected as illegal and was blocked.

  • URI - The URI in the request.

  • Time - The date and time of the recorded event.

  • Source Location - The recorded location of the client request.

  • Source IP - The IP address of the client request.

  • Policy - The name of the WAF policy that detected the event.

  • Violation Rating - The risk of the request on a scale from 1-5, based on the WAF's violation assessment. See Reference: Violation Protection.
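The following added example (not product code or a documented export format) shows one way to use the Status and Violation Rating fields together when tuning a policy: it counts Alerted events with a high rating per policy and URI, which are the requests detected as illegal but not blocked. The record layout, key names, and sample values are constructed assumptions that mirror the columns listed above.

```python
from collections import Counter

# Constructed sample events. Keys mirror the columns listed above; the dict
# layout is an assumption for illustration, not the product's export format.
EVENTS = [
    {"status": "Blocked", "uri": "/login", "time": "2024-05-01T10:00:02Z",
     "source_ip": "203.0.113.7", "policy": "shop-waf", "violation_rating": 5},
    {"status": "Alerted", "uri": "/search", "time": "2024-05-01T10:00:09Z",
     "source_ip": "203.0.113.7", "policy": "shop-waf", "violation_rating": 4},
    {"status": "Alerted", "uri": "/search", "time": "2024-05-01T10:01:15Z",
     "source_ip": "198.51.100.23", "policy": "shop-waf", "violation_rating": 5},
    {"status": "Alerted", "uri": "/cart", "time": "2024-05-01T10:02:40Z",
     "source_ip": "198.51.100.23", "policy": "shop-waf", "violation_rating": 2},
    {"status": "Passed", "uri": "/", "time": "2024-05-01T10:03:00Z",
     "source_ip": "192.0.2.10", "policy": "shop-waf", "violation_rating": 1},
    # Malformed record: rating outside the 1-5 scale.
    {"status": "Alerted", "uri": "/search", "violation_rating": 9},
]

VALID_STATUSES = {"Passed", "Alerted", "Blocked"}


def is_valid(event):
    """True if status and rating fall within the values the page documents."""
    rating = event.get("violation_rating")
    return (event.get("status") in VALID_STATUSES
            and type(rating) is int and 1 <= rating <= 5)


def unblocked_high_risk(events, min_rating=4):
    """Count Alerted events rated >= min_rating per (policy, URI).

    Returns (ranked_counts, rejected), where rejected is the number of
    records skipped because they failed validation.
    """
    counts = Counter()
    rejected = 0
    for event in events:
        if not is_valid(event):
            rejected += 1
            continue
        if event["status"] == "Alerted" and event["violation_rating"] >= min_rating:
            counts[(event["policy"], event["uri"])] += 1
    return counts.most_common(), rejected


if __name__ == "__main__":
    ranked, rejected = unblocked_high_risk(EVENTS)
    for (policy, uri), n in ranked:
        print(f"{policy} {uri}: {n} high-rated request(s) alerted, not blocked")
    print(f"skipped {rejected} malformed record(s)")
```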