Retrieving a Web Application Security Event Log record using a support_id
Overview
This page describes how to use the BIG-IQ REST API to retrieve a single Web Application Security event log record by its support_id (the identifier that BIG-IP ASM/Advanced WAF reports to the end user on a blocking page).
Prerequisites
- A Logging Node is configured with the Web Application Security service enabled.
- Events are being sent from the BIG-IP device to the Logging Node; only events that have already been indexed can be found by this search.
- The REST client authenticates to BIG-IQ with an account that is authorized to view Web Application Security event logs. The example below omits the authentication header for brevity.
Description
The search is an Elasticsearch-style query against the asmindex event log index on BIG-IQ. You send a POST with a query body that matches on the support_id field and receive the matching event record(s) in the hits array of the response.
REST API actions
1. Perform a POST operation to search the event log index for a given support_id. The support_id is embedded in an Elasticsearch query_string, which interprets Lucene query syntax (operators, wildcards, field prefixes); if the value comes from an untrusted source, for example pasted from a user's support request, validate that it consists only of digits before inserting it into the query so that the caller cannot alter the search. The example sorts by date_time descending and returns up to 50 hits starting at offset 0.
POST https://<BIG-IQ>/mgmt/cm/shared/es/logiq/asmindex/_search
{
"query":{
"query_string":{
"query":"support_id: 10961136626817826933"
}
},
"from":0,
"size":50,
"sort":{
"date_time":"desc"
}
}
The following is the JSON response from the POST operation. hits.total is the number of matching records, and each hit's _source holds the event fields. Note that support_id is returned as a JSON string; keep it as a string, because the 20-digit value exceeds the integer range that JavaScript and many JSON parsers represent exactly. Also note that the record includes the complete request and response (the header, request and response fields) as well as the client IP and session_id, so results can contain cookies, credentials or other sensitive data; restrict who can run this query and redact these fields before sharing the output.
{
"took": 19,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1,
"max_score": null,
"hits": [
{
"_index": "asmindex_2016-11-13t05-05-22-0800",
"_type": "syslog",
"_id": "AVho9JvuqfHiZKdO7Wah",
"_score": null,
"_source": {
"unit_hostname": "omar.olympus.f5net.com",
"management_ip_address": "172.29.41.125",
"http_class_name": "/Common/EVENTlOGtEST",
"web_application_name": "/Common/EVENTlOGtEST",
"policy_name": "/Common/EVENTlOGtEST",
"policy_apply_date": "2016-11-13 09:31:59",
"violations": [
"HTTP protocol compliance failed",
"JSON data does not comply with format settings",
"Access from disallowed User/Session/IP",
"Mandatory HTTP header is missing"
],
"support_id": "10961136626817826933",
"request_status": "alerted",
"response_code": "200",
"ip_client": "192.168.188.148",
"route_domain": "0",
"method": "GET",
"protocol": "HTTP",
"query_string": "json_qs={%22N%22:%20%221%22,%22M%22:%20[%20%221%22,%20%222%22,%20%223%22,%20%224%22,%20%225%22,%20%226%22,%20%227%22,%20%228%22,%20%229%22,%20%2210%22%20]%20}",
"x_forwarded_for_header_value": "N/A",
"sig_ids": [],
"sig_names": "",
"date_time": "2016-11-15 10:46:02",
"severity": "Error",
"attack_type": [
"Other Application Attacks",
"Abuse of Functionality",
"HTTP Parser Attack",
"JSON Parser Attack"
],
"geo_location": "N/A",
"ip_address_intelligence": "N/A",
"username": "N/A",
"session_id": "e7d07a35478f97c9",
"src_port": "55262",
"dest_port": "8080",
"dest_ip": "172.29.43.8",
"sub_violations": [
"HTTP protocol compliance failed:Host header contains IP address"
],
"virus_name": "N/A",
"uri": "/index2.php",
"violation_details": "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>0000000000000000-0000000000000000</block><alarm>7cffffffffdffffb-c002000000000000</alarm><learn>7cffffffffdffffb-c000000000000000</learn><staging>0000000000000000-0000000000000000</staging></violation_masks><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTcyLjI5LjQzLjg=</http_sub_violation></violation><violation><viol_index>64</viol_index><viol_name>VIOL_MANDATORY_HEADER</viol_name><header_data><header_name>mandatory_header</header_name></header_data></violation><violation><viol_index>28</viol_index><viol_name>VIOL_JSON_FORMAT</viol_name><context>parameter</context><param_data><param_name>anNvbl9xcw==</param_name><staging>0</staging><param_value>eyJOIjogIjEiLCJNIjogWyAiMSIsICIyIiwgIjMiLCAiNCIsICI1IiwgIjYiLCAiNyIsICI4IiwgIjkiLCAiMTAiIF0gfQ==</param_value></param_data><staging>0</staging><content_profile_data><type>JSON</type><content_id>15</content_id><content_profile_id>12</content_profile_id><content_profile_name>json1_qs</content_profile_name><location>element value</location><error_code>32</error_code><specific_desc>Defense alert</specific_desc></content_profile_data><failed_defense>/policy/json/max_children</failed_defense><failed_defense_xpath>/policy/json/max_children</failed_defense_xpath><allowed_value>9</allowed_value><actual_value>10</actual_value></violation><violation><viol_index>50</viol_index><viol_name>VIOL_SESSION_AWARENESS</viol_name></violation></request-violations><info_violations><violation><session_awareness><violation_data><scope>sid</scope><flag>block_all</flag></violation_data><violation_data><scope>ip</scope><flag>block_all</flag></violation_data></session_awareness></violation></info_violations></BAD_MSG>",
"violation_rating": "5",
"websocket_direction": "N/A",
"websocket_message_type": "N/A",
"device_id": "N/A",
"staged_sig_ids": "",
"staged_sig_names": "",
"blocking_exception_reason": "N/A",
"header": "Host: a.com:8080\\r\\nConnection: keep-alive\\r\\nCache-Control: max-age=0\\r\\nUpgrade-Insecure-Requests: 1\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\\r\\nAccept-Encoding: gzip, deflate, sdch\\r\\nAccept-Language: en-US,en;q=0.8,he;q=0.6\\r\\n\\r\\n",
"request": "GET /index2.php?json_qs={%22N%22:%20%221%22,%22M%22:%20[%20%221%22,%20%222%22,%20%223%22,%20%224%22,%20%225%22,%20%226%22,%20%227%22,%20%228%22,%20%229%22,%20%2210%22%20]%20} HTTP/1.1\\r\\nHost: a.com:8080\\r\\nConnection: keep-alive\\r\\nCache-Control: max-age=0\\r\\nUpgrade-Insecure-Requests: 1\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\\r\\nAccept-Encoding: gzip, deflate, sdch\\r\\nAccept-Language: en-US,en;q=0.8,he;q=0.6\\r\\n\\r\\n",
"response": "HTTP/1.1 200 OK\\r\\nDate: Tue, 15 Nov 2016 20:30:39 GMT\\r\\nVary: User-Agent\\r\\nContent-Length: 13\\r\\nKeep-Alive: timeout=15, max=97\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/html; charset=UTF-8\\r\\n\\r\\n<html></html>"
},
"sort": [
1479206762000
]
}
]
}
}