How To: Create and Manage WAF Event Logs on BIG-IP Next Central Manager

WAF event logs provide information about transactions captured by the WAF policy. There are two types of WAF event logs:

  • General WAF events

  • L7 DoS (denial-of-service) events

Each event log provides status information about your protected applications, and any activities that indicate a change in the application’s traffic security.

For general WAF events, you can view application activities based on violations, signatures and detected attacks. Review events as they are captured, and select specific events to drill down into their details, whether the transaction was blocked, the violation that triggered the event (when applicable), and the request message details (when available).

For L7 DoS you can view information specific to DoS attacks. Event logs list application and time information, in addition to changes in traffic data that indicate the initiation, severity, mitigation, and end of a DoS-type attack.

For more information about the details found in the general WAF event log, see Reference: Event Logs. For more information about the details found in the L7 DoS event log, see Reference: L7 DoS Event Logs.

Prerequisites

To view general events in the WAF event log, you must have the following:

  • A WAF policy configured to log events.

  • A WAF-protected application deployed to a BIG-IP Next instance.

  • The WAF-protected application is receiving traffic.

To view L7 DoS events, you must have the following:

  • L7 DoS Protection is Enabled.

  • The application protected against L7 DoS attacks is receiving traffic.

Setting up general WAF event logs

If you created a WAF policy using a template, the policy settings capture all illegal transactions by default. You can change these settings to capture all traffic, or disable event logging.

  1. Log in to your BIG-IP Next Central Manager.

  2. Click the workspace icon next to the F5 icon, and click Security.

  3. From the left menu click WAF.

  4. Select the policy name you would like to edit.

  5. From the General Settings, go to the Log Events section.

  6. Select the setting that meets your logging needs:

    1. None - None of the requests detected are logged.

    2. Illegal - Only illegal requests are added to the events log.

    3. Illegal, including staging - Both illegal requests and legal requests that include staged attack signatures or staged threat campaigns are added to the events log.

    4. All - All requests regardless of their outcome are added to the events log.

  7. Click Deploy to deploy the changes to BIG-IP Next instances.

Setting up L7 DoS event logs

Setting up L7 DoS event logs requires L7 DoS Protection to be enabled on WAF policies protecting your applications.

The following procedure describes how to enable DoS L7 Protection.

Ensure you have read Special instructions for L7 DoS Protection before you configure L7 DoS protection.

  1. Log in to your BIG-IP Next Central Manager.

  2. Click the workspace icon next to the F5 icon, and click Security.

  3. From the left menu click WAF.

  4. Select the policy name you would like to edit.

  5. From the panel menu, select L7 DoS Protection.

  6. Ensure L7 DoS Protection is Enabled.

  7. Click Deploy to deploy the changes to BIG-IP Next instances.

General event log management

The event log provides details about the traffic to your WAF-protected applications or L7 DoS protection.

Depending on your security settings, the event log captures either illegal or all transactions. See Reference: Event Logs for more about the information captured in each event.

For more information about L7 DoS events, see Reference: L7 DoS Event Logs.

The log presents the events in chronological order from when they were received. You can filter these logs for specific event details. See Filtering event logs for more information.

If you are not seeing events, review your policy’s settings (see Setting up general WAF event logs and Prerequisites) and ensure that your application is receiving traffic.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Event Logs. By default, general WAF events are displayed. Select L7 DoS to view DoS events.

    Note: All events are displayed in chronological order. You can click on the column header to sort by ascending or descending alphabetical/numeric order of the header information.

  3. (General WAF events only) Click the event row to display a panel for that event.

    1. From the top right of the panel, enable Detail view to show all information captured.

Policy tuning directly from the event log

Events in the log can result in immediate policy tuning decisions by accepting suggestions for violating requests. This can be done directly from the event log.

In addition, you can choose to ignore or delete suggestions that are not required for your application security.

If the logged event comes from a policy with On Demand learning mode enabled, then suggestions can be accepted, ignored, or deleted directly from the event, but these suggestions do not include a learning score or samples. Suggestions detected where Policy Builder is enabled in Manual or Automatic modes, include a learning score and provide traffic samples. For more information about manually accepting suggestions from Policy Builder, see Manually manage learning suggestions.

Note: Accepting suggestions is not available when Policy Builder is disabled.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Event Logs.

  3. Click the row of the event you would like to review.

  4. From the top right of the panel, click Accept Request.

  5. Select the check box next to one or more suggestions (all are selected by default), click the Accept button to the top right of the panel and select one of the following:

    1. Accept - Accepts a suggestion to modify the policy, or policy entity, according to the suggestion.

    2. Accept & Stage - Accepts this suggestion to modify the policy entity, according to the suggestion, and enables staging for the entity.

    3. Accept Globally - Accepts a suggestion and adds enforcement to all entities in the policy.

  6. Confirm your action to update the WAF policy.

  7. To review each suggestion, click the Suggested Action name. If the suggestion came from a policy with Policy Builder enabled in Manual or Automatic modes, you can view the number of traffic samples collected and the learning score. You can click on the traffic samples to review the violation in more detail.

  8. To manage the selected suggestion, select one of the following from the top right of the panel:

    1. Accept - Accepts a suggestion to modify the policy, or policy entity, according to the suggestion.

    2. Accept & Stage - Accepts a suggestion to modify the policy entity, according to the suggestion, and enables staging for the entity.

    3. Accept Globally - Accepts a suggestion and adds enforcement to all entities in the policy.

    4. Delete - Removes the learning suggestion from the list, but Policy Builder will suggest this action if detected again in traffic.

    5. Ignore - Removes the learning suggestion, and this action will no longer be suggested if detected again in traffic.

  9. Confirm your action to update the WAF policy.

Result: If you accepted suggestions, these changes are reflected in the WAF policy’s settings. These changes are not yet deployed.

Filtering event logs

Create advanced filters to refine the events shown in the log. With advanced filters you can stack captured event details with inclusive and exclusive operators. To export a list of events, see Export a WAF event log.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Event Logs. By default, general WAF events are displayed. Select L7 DoS to view DoS events.

  3. Click Show Filter from the upper right side of the event log.

    The + Add Filter button is displayed under the filter search bar.

  4. Click + Add Filter.

  5. Select an event detail from the list. You can type in key words to filter the option list.

  6. Select an operator from the list to determine whether the list filters the selection in or out. You must select an operator.

  7. Select or enter an event detail to filter.

    Note: The event log updates immediately.

  8. To add more filters, click + Add Filter, and repeat the selection process.

The request log is refined according to the completed filter options. You can clear the filters by clicking X Clear All to the right of the filter list.
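The following Python model, added here as an illustration and not code from Central Manager or F5, shows which transactions the four Log Events settings (None, Illegal, Illegal including staging, All) let into the log, and how stacked inclusive/exclusive filters then narrow what is displayed. The event fields, the sample traffic and the exact match semantics are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed WAF event record; the field names are assumptions for this example,
# not the actual columns of the Central Manager event log.
@dataclass
class WafEvent:
    request_id: str
    illegal: bool       # the request violated the WAF policy
    blocked: bool       # the transaction was blocked
    staged_match: bool  # matched a staged signature or staged threat campaign
    violation: str = ""
    client_ip: str = ""

def is_logged(setting: str, ev: WafEvent) -> bool:
    """Apply the four Log Events settings from the policy's General Settings."""
    if setting == "None":
        return False
    if setting == "Illegal":
        return ev.illegal
    if setting == "Illegal, including staging":
        return ev.illegal or ev.staged_match  # legal requests that hit staged entities too
    if setting == "All":
        return True
    raise ValueError(f"unknown Log Events setting: {setting}")

@dataclass
class Filter:
    field: str
    value: str
    include: bool = True  # True keeps events whose field matches, False drops them

def apply_filters(events: list, filters: list) -> list:
    """Stacked filters: an event survives only if every filter holds."""
    return [ev for ev in events
            if all((str(getattr(ev, f.field)) == f.value) == f.include for f in filters)]

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    WafEvent("r1", True, True, False, "Attack signature detected", "203.0.113.10"),
    WafEvent("r2", False, False, True, "", "203.0.113.11"),
    WafEvent("r3", False, False, False, "", "198.51.100.5"),
    WafEvent("r4", True, False, False, "Illegal meta character in value", "203.0.113.10"),
]

def visible_ids(setting: str, filters=()) -> list:
    """Request IDs that reach the log under `setting` and survive the stacked filters."""
    captured = [ev for ev in SAMPLE_EVENTS if is_logged(setting, ev)]
    return [ev.request_id for ev in apply_filters(captured, list(filters))]
```

Under "Illegal" only r1 and r4 are captured, while "Illegal, including staging" also keeps the legal request r2 that matched a staged entity; an inclusive client_ip filter stacked with an exclusive blocked filter then isolates the unblocked violation r4.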

Export a WAF event log

Use the following procedure to export selected WAF log events from Central Manager. The exported information provides all captured details associated with the selected event. You can pair this procedure with log filtering, to export a series of events that share common details.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Events & Reports.

  3. Select the check box next to each event you would like to export in a single PDF file. You can select up to 100 events.

    Note: You can view the number of events selected in the lower right corner of the screen. You can also click Clear Selection to remove all selected items.

  4. Click Export from the upper right side on the event log.

    Note: The number of events selected impacts the time required to export the file.

The export is loaded using the print preview option on your local system.