Oracle Cloud Infrastructure Documentation

Logs

Logs displays log activity and the details of each logged event within a specified time frame. Logs enable you to understand what rules and countermeasures are triggered by requests and are used as a basis to move request handling into block mode. Logs can come from Access Control, Protection Rules, or Bot events.

Note

If you have concerns about General Data Protection Regulation (GDPR) requirements, Logs can be disabled for the WAF service. You can use My Oracle Support to file a service request to disable Logs.

When working with the WAF service, consider the following information:

  • The log retention policy for the WAF service is seven days; however, you can request to set up an S3 bucket and have more logs delivered to it. The logs in your bucket can be kept as long as you want.
  • Only "Standard" OCI buckets are supported. The "Archive" storage tier isn't supported.
  • Log delivery to ELK Stack is only supported to OCI and S3 buckets. Raw logs are sent to the buckets. From the buckets, you can implement them into elastic search.

Viewing Logs

Describes the different methods to view logs for an edge policy.

You can filter logs by the following log types:

  • Access Rules

  • CAPTCHA Challenge

  • JavaScript Challenge

  • Protection Rules

  • Human Interaction Challenge

  • Device Fingerprinting Challenge

  • Threat Intelligence Feeds

  • Address Rate Limiting

  • Access

Use one of the following methods to view logs for an edge policy.

    1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

      Alternatively, open the Web Application Firewall page and click Policies under Resources.

      The WAF Policies page appears.

    2. Select the Compartment from the list.

      All the WAF policies in that compartment are listed in tabular form.

    3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:

      • Name

      • Policy Type

      • Status

    4. Select the edge policy whose logs you want to view.
      The Edge Policy Details dialog box appears.
    5. Click Logs under Resources.

      The Logs list appears.

    6. (Optional) Complete one or more of the following Filters to limit the log information to the values you enter:

      • Start date

      • Start time

      • End date

      • End time

      • Request URL

      • Client IP address

      • Country name

    7. (Optional) Check one or more of the following Action filters to limit the log information to the selected options:

      • Detect

      • Block

      • Bypass

      • Log

      • Redirected

    8. (Optional) Check one or more of the following Log type filters to limit the log information to the selected options:

      • Access rules

      • CAPTCHA challenge

      • JavaScript challenge

      • Protection rules

      • Human interaction challenge

      • Device fingerprinting challenge

      • Threat intelligence feeds

      • Address rate limiting

      • Access

      Only log information containing the checked actions is displayed.

    9. Click the plus sign next to the Alert Type you want to view.
    Log entries are displayed based on the options you chose.

  • This task can't be performed using the CLI.

  • Run the ListWafLogs operation to view log activity.

    You can filter logs by the following logType options:

    • ACCESS_RULES

    • CAPTCHA_CHALLENGE

    • JAVASCRIPT_CHALLENGE

    • PROTECTION_RULES

    • HUMAN_INTERACTION_CHALLENGE

    • DEVICE_FINGERPRINT_CHALLENGE

    • THREAT_INTELLIGENCE_FEEDS

    • ADDRESS_RATE_LIMITING

    • ACCESS

    Logs can be filtered by logType by making the following request:

    GET /20181116/waasPolicies/unique_ID/wafLogs?logType=logType&timeObservedGreaterThanOrEqualTo=timestamp&timeObservedLessThan=timestamp&compartmentId=unique_ID

    For example:

    GET /20181116/waasPolicies/ocid1.waaspolicy.oc1../wafLogs?logType=PROTECTION_RULES&timeObservedGreaterThanOrEqualTo=2019-10-24T13:00:00+00:00&timeObservedLessThan=2019-10-24T13:47:00+00:00&compartmentId=ocid1.compartment.oc1..

    The following response output for the filtered logs is returned:

    [
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    },
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    }
]

Delivering WAF Logs to Object Storage

Describes how to deliver WAF logs to an object storage bucket for longer-term storage and access.

This task requires creating an object storage bucket or using an existing one. Familiarize yourself with object storage buckets and how to create and manage them before proceeding with delivering WAF log data. See Object Storage Buckets.

WAF logs have a limited retention rate. You can save them indefinitely by delivering your WAF log data to an object storage bucket within your tenancy. Create and configure your object storage bucket first, then submit a support request to Oracle with the required information to have your WAF logs delivered to the bucket.

  1. Access the Object Storage service and create a bucket with manage-object-family permissions.

    Only Standard object storage buckets are supported. The Archive storage tier is not supported. Decide on Oracle or user-managed keys. User-managed keys must be in KMS. See Object Storage Buckets for more information.

  2. Set the bucket's Visibility to Public.
  3. Create or configure a user with a customer secret key.

    The WAF needs a key and secret to authenticate to OCI bucket for writing. This key is attached to a user. This user must have write permission on the bucket for WAF logs. Record the access key and secret for the user and store in a save location.

  4. Add a user to a group, and create an identity policy to grant permission for that group to be able to write to bucket.

    For example, if the bucket is in compartment MSSpoc and group name is wafBucketLogGroup, the identity statement would be:

    allow group wafBucketLogGroup to manage object-family in compartment MSSpoc

    The policy is created in the compartment MSSpoc.

  5. Create a file in the bucket that includes the following credentials:

    • Web App (domain name for WAF policy):

    • SecretKey:

    • AccessKey:

    • Object storage bucket_region:

    • Object storage bucket_name:

    • Namespace:

    • Endpoint Url: https://namespace.compat.objectstorage.region.oraclecloud.com

    • Upload prefix (file format for the logs. Default is %{[webapp_domain]}_/%{+YYYY}/%{+MM}/%{+dd}):

    Note

    All logs for the web application (including other domains) go into a single folder named based on the main domain. You cannot set the log delivery only for the main domain or only for the additional domain.

  6. Create a pre-authenticated request for a specific object as follows:
    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
    2. Choose the compartment where the bucket is located.
    3. Click the bucket name.
    4. Click Objects under Resources to display the list of objects.
    5. Select the file that contains bucket credentials, and then click Pre-Authenticated Requests under Resources.
    6. Click Create Pre-Authenticated Request.
  7. Create an Oracle Support request (My Oracle Support) to have your WAF logs delivered to the object storage bucket. Your support request must contain the Pre-Authenticated Request URL with the file you created that contains the bucket credentials.

    Only "Standard" OCI buckets are supported. The "Archive" storage tier is not supported.