Options
WAF Event Logging
LouisMELS
Member ✭
Hello,
About WAF Event Logging, is there a way to get the "host" or the full URL in the logs instead of only the destination IP address?
Here is a sample log message:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462
dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating
allowed HTTP methods" cs1=waf1 act=n md=learn
Since there can be multiple hosts using the same VIP (app switching), it is pretty useless to only get the dst ip...
About WAF Event Logging, is there a way to get the "host" or the full URL in the logs instead of only the destination IP address?
Here is a sample log message:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462
dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating
allowed HTTP methods" cs1=waf1 act=n md=learn
Since there can be multiple hosts using the same VIP (app switching), it is pretty useless to only get the dst ip...
0
Comments
Yes it is possible to get the host value in the syslog message. The hst value seems to be what you are looking for. The documentation for the WAF logging does not contain any info about some fields and the hst field is one of them.
Here a exemple of a real WAF syslog message and not the one from the doc.
May 14 11:28:09 172.25.112.5 CEF:1|A10|TH1030S|2.7.2-P4|WAF|May 14 2015 11:28:08|buf-ovf|6|src=192.168.1.1 spt=3143 dst=192.168.1.10 dpt=80 hst="yoursite.example.com" cs1=WAF_Template cs2=c2b5ea9f069d52d3 act=deny md=active svc=http req="GET /index.php?id=3530%20select*%20from%20table HTTP/1.1" 0 msg="URI length 43 over limit (10)"
I have asked some modifications to the doc for future release.