Reference: Web Application Event Logs

Web Application event logs provide information about transactions to your WAF-protected application.

Note: If a WAF policy is deployed to multiple virtual servers on a single BIG-IP Next instance, events are generated per virtual server. This means that a single policy may detect one web protection event, yet separate log entries will appear in the event logs, one for each virtual server. Each log entry is associated with the virtual server attached to the policy (see Stack in the event's detailed view).

For information about L7 DoS events, see Reference: L7 DoS Event Logs.

General information

The following event parameters are displayed in the list of events. Each of these parameters or their values can be filtered in the log.

  • Status - The current status of how the policy handled the request or response, depending on the event invoked. You can receive one of the following statuses:

    • Passed - The request was detected as legal or valid traffic.

    • Alerted - The request was detected as illegal but was not blocked.

    • Blocked - The request was detected as illegal and was blocked.

  • URI - The URI in the request/response.

  • Time - The date and time of the recorded event.

  • Source Location - The recorded location of the client request.

  • Source IP - The IP address of the client request.

  • Policy - The name of the WAF policy that detected the event.

  • Violation Rating - The risk of the request on a scale from 1-5 based on violation assessment of WAF. See
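The following is an added example, not part of the F5 documentation, showing how a reviewer might filter exported events on the parameters listed above. The record layout is constructed for illustration (field names mirror this page; it is not an export format of BIG-IP Next Central Manager), and the violation names and Stack values are sample strings.

```python
"""Triage helpers for WAF event log entries (added example, not F5 code).

The dictionaries below are CONSTRUCTED sample events whose keys mirror the
parameters this reference lists: Status, URI, Policy, Stack, Violation Rating.
"""
from collections import Counter

# Constructed sample events. Entries 1001 and 1002 come from the same policy
# but different Stacks, illustrating that a policy deployed to several virtual
# servers produces one log entry per virtual server.
EVENTS = [
    {"support_id": "1001", "status": "Blocked", "uri": "/login",
     "policy": "web-policy", "stack": "app-a/vs-1", "violation_rating": 5,
     "violations": ["sample violation A"]},
    {"support_id": "1002", "status": "Alerted", "uri": "/search",
     "policy": "web-policy", "stack": "app-a/vs-2", "violation_rating": 4,
     "violations": ["sample violation B"]},
    {"support_id": "1003", "status": "Passed", "uri": "/",
     "policy": "web-policy", "stack": "app-a/vs-1", "violation_rating": 1,
     "violations": []},
    {"support_id": "1004", "status": "Alerted", "uri": "/api/items",
     "policy": "api-policy", "stack": "app-b/vs-3", "violation_rating": 2,
     "violations": ["sample violation C"]},
]


def alerted_high_risk(events, min_rating=4):
    """Return Alerted events (detected as illegal but not blocked) whose
    Violation Rating is at least min_rating. These are the requests that got
    through and that a reviewer should examine first."""
    return [e for e in events
            if e["status"] == "Alerted" and e["violation_rating"] >= min_rating]


def entries_per_stack(events, policy):
    """Count how many log entries one policy produced per Stack (virtual
    server), so duplicate entries for one request are not mistaken for
    several distinct attacks."""
    return Counter(e["stack"] for e in events if e["policy"] == policy)


def status_summary(events):
    """Tally events by Status (Passed / Alerted / Blocked)."""
    return Counter(e["status"] for e in events)


if __name__ == "__main__":
    for event in alerted_high_risk(EVENTS):
        print("review:", event["support_id"], event["uri"], event["violations"])
    print(dict(entries_per_stack(EVENTS, "web-policy")))
    print(dict(status_summary(EVENTS)))
```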

Event Details

When you view a specific event, you are able to view details about the request, detected violation (if applicable), HTTP request/response headers and bodies (when available), and Policy Builder learning suggestions.

If you are using BIG-IP Next Central Manager, the following is an example of an event panel with Detail view enabled:


If you would like to manage policy settings directly from the request you can select Accept Request to review and update your policy’s settings.

Note: This action is not available when Policy Builder is disabled.

The image below is an event with a learning suggestion from Policy Builder. You can select the suggestion and choose to Accept, Accept Globally, or Accept and Stage, or you can further review the suggestion details to either Accept, Ignore, or Delete the request suggestion.


Request information

  • Geolocation - The two-letter country code of origin based on the source IP address.

  • Source IP Address - The IP address and port from which the request originated.

  • Host - The IP address of the BIG-IP Next instance that received the request.

  • Violation Rating - The risk of the request on a scale from 1-5 based on violation assessment of WAF.

  • Request Status - The current status of how the policy handled the request or response, depending on the event invoked. You can receive one of the following statuses:

    • Passed - The request was detected as legal or valid traffic.

    • Alerted - The request was detected as illegal but was not blocked.

    • Blocked - The request was detected as illegal and was blocked.

  • Application - The name of the application in the request.

  • Policy - The name of the WAF policy that detected the event.

  • Response Code - The response code returned by the application (if applicable).

  • Support ID - An ID number assigned to the request by the system to allow the system administrator to track it.

  • Date and Time - The time BIG-IP Next received the request.

  • Attack Type - The specific area within the system/application the attack exploits.

  • Destination IP Address - The IP address to which the request is sent.

  • Stack - The name of the BIG-IP Next application service and virtual server names that received the request.

  • Method - The HTTP method used in the request (if applicable).

  • Source IP Intelligence - The client IP address blocked by the IP intelligence database (if applicable and IP intelligence is configured).

Triggered violations

If a violation was detected, the name of the violation is provided. You can expand the field to see details about the violation and how the WAF policy handled the request. See Reference: Violation Protection for a list of violations.

  • Violation Name - The name of the traffic violation detected by your WAF policy.

  • Risk - System evaluation of the potential damage the violation might cause if it is successful:

    • Low - Indicates the attack does not cause direct damage or reveal high sensitivity data.

    • Medium - Indicates the attack may reveal sensitive data or cause moderate damage.

    • High - Indicates the attack may cause a full system compromise.

  • Attack Type - The specific area within the system/application the attack exploits.

  • Examples - Samples of the triggered violation.

  • Detected Pattern - The pattern used to detect a violation during the staging period.

  • Context - How the violation was detected according to policy settings.

  • Enforcement URL - The URL detected in a violation when an explicit URL is added to a WAF policy.

  • Applied Blocking Protection - The enforcement applied to a detected violation:

    • Learn - The policy uses the traffic data to create policy suggestions.

    • Alarm - The policy recognized the violation but did not block traffic.

    • Block - The policy recognized the violation and blocked the traffic.