WAF messages filter
Hi all,
I've applied a WAF template on my vThunder (release 2.7.2-P10) to test the impact on my application. I also added a logging template to send messages to my log server and it is working fine. Is there a way to filter messages sent by the vThunder so only denied actions are logged?
Thanks
Luca
I've applied a WAF template on my vThunder (release 2.7.2-P10) to test the impact on my application. I also added a logging template to send messages to my log server and it is working fine. Is there a way to filter messages sent by the vThunder so only denied actions are logged?
Thanks
Luca
Tagged:
0
Comments
There are 2 options you can do within 2.7.2 WAF code:
1. You can create an aFleX script that captures the WAF logs and parse the output to only log "denied actions".
2. Use the logging template within ACOS and send it to log server such as rsyslog. The only limitation here is that you would not be able to parse the denied actions automatically other than creating a script to parse the specific denied actions.
The difference between the two is that option 1 saves the file on the host(vThunder) device while the option 2, logs will be stored on the log server.
Another option would be to use "show log | inc denied". Let me know if this works otherwise request an FR to your regional SE.
Genard
option 1 does not suit well because I don't want to store log on the local machine. At the moment I configured logging template to log on a remote server but I would like to send only denied messages and not all the sessions log. Is that possible in your opinion?
Thanks
Luca