Reference: L7 DoS Event Logs

The L7 DoS event logs provide details about DoS attacks that the system detected and logged in the event logs.

For information about L7 DoS events, see Reference: Web Application Event Logs.

Ensure you have read Special instructions for L7 Dos Protection before you configure L7 DoS protection. If you do not apply best practices for L7 DoS protection configuration and deployment, the information in the L7 DoS event log might be inaccurate.

Types of L7 DoS Events

By default, Attack Status is the default view. The image below shows how to select the view for the event list:


The following are the event types in the L7 DoS event logs:

  • Attack Status:

    • Attack Started - WAF detected DoS attack conditions, and the mitigation starts working (depending on the level of behavioral protection you selected).

    • Attack Ended - WAF no longer detects DoS attack conditions in traffic and mitigation ended.

  • Bad Actors - WAF identifies IP addresses of bad actors by examining traffic behavior and anomaly detection.

  • Signatures - WAF identifies L7 DoS attack signatures in application traffic.

  • All Event Types - All events collected for L7 DoS protection.

  • No Attack/Under Attack - (Available under All Event Types) An event sent periodically (every 15 seconds) to inform and/or summarize L7 DoS attack statuses, traffic and mitigation to your protected applications.

General information

The following event parameters are displayed in the list of L7 DoS events. Each of these parameters or their values can be filtered in the log.

  • Event Type - The type of DoS event detected by your WAF policy. See Types of L7 DoS Events

  • Time- The date and time of the recorded event.

  • Application- The name of the application on which the event was detected.

  • Attack ID - The unique attack number per application.

  • Stress Level - An attack indicator by detecting increased server latency and requests per second. Any value over 1 is considered a DoS attack.

  • Baseline RPS - An RPS (requests per second) value based on normal traffic flowing between clients and application servers in data centers for Layer 7 (HTTP) and Layers 3 and 4.

  • Incoming RPS - The number of incoming requests per second (RPS) to the application.

  • Successful RPS - The number of successful client requests per second (RPS) to the application (any response value other than 5XX).

  • Mitigated requests per second - The number of requests to the application that were mitigated by L7 DoS protection.