Logs

Logs displays log activity and the details of each logged event within a specified time frame. Logs enable you to understand what rules and countermeasures are triggered by requests and are used as a basis to move request handling into block mode. Logs can come from Access Control, Protection Rules, or Bot events.

Note

If you have concerns about General Data Protection Regulation (GDPR) requirements, Logs can be disabled for the WAF service. You can use My Oracle Support to file a service request to disable Logs.

When working with the WAF service, consider the following information:

The log retention policy for the WAF service is seven days; however, you can request to set up an S3 bucket and have more logs delivered to it. The logs in your bucket can be kept as long as you want.
Only "Standard" OCI buckets are supported. The "Archive" storage tier isn't supported.
Log delivery to ELK Stack is only supported to OCI and S3 buckets. Raw logs are sent to the buckets. From the buckets, you can implement them into elastic search.

Viewing Logs

Describes the different methods to view logs for an edge policy.

You can filter logs by the following log types:

Access Rules
CAPTCHA Challenge
JavaScript Challenge
Protection Rules
Human Interaction Challenge
Device Fingerprinting Challenge
Threat Intelligence Feeds
Address Rate Limiting
Access

Use one of the following methods to view logs for an edge policy.

1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  
  Alternatively, open the Web Application Firewall page and click Policies under Resources.
  
  The WAF Policies page appears.
2. Select the Compartment from the list.
  
  All the WAF policies in that compartment are listed in tabular form.
3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
  
  Name
  
  Policy Type
  
  Status
4. Select the edge policy whose logs you want to view.
  The Edge Policy Details dialog box appears.
5. Click Logs under Resources.
  
  The Logs list appears.
6. (Optional) Complete one or more of the following Filters to limit the log information to the values you enter:
  
  Start date
  
  Start time
  
  End date
  
  End time
  
  Request URL
  
  Client IP address
  
  Country name
7. (Optional) Check one or more of the following Action filters to limit the log information to the selected options:
  
  Detect
  
  Block
  
  Bypass
  
  Log
  
  Redirected
8. (Optional) Check one or more of the following Log type filters to limit the log information to the selected options:
  
  Access rules
  
  CAPTCHA challenge
  
  JavaScript challenge
  
  Protection rules
  
  Human interaction challenge
  
  Device fingerprinting challenge
  
  Threat intelligence feeds
  
  Address rate limiting
  
  Access
  
  Only log information containing the checked actions is displayed.
9. Click the plus sign next to the Alert Type you want to view.
Log entries are displayed based on the options you chose.
This task can't be performed using the CLI.

Run the ListWafLogs operation to view log activity.

You can filter logs by the following logType options:

ACCESS_RULES
CAPTCHA_CHALLENGE
JAVASCRIPT_CHALLENGE
PROTECTION_RULES
HUMAN_INTERACTION_CHALLENGE
DEVICE_FINGERPRINT_CHALLENGE
THREAT_INTELLIGENCE_FEEDS
ADDRESS_RATE_LIMITING
ACCESS

Logs can be filtered by logType by making the following request:

GET /20181116/waasPolicies/unique_ID/wafLogs?logType=logType&timeObservedGreaterThanOrEqualTo=timestamp&timeObservedLessThan=timestamp&compartmentId=unique_ID

For example:

GET /20181116/waasPolicies/ocid1.waaspolicy.oc1../wafLogs?logType=PROTECTION_RULES&timeObservedGreaterThanOrEqualTo=2019-10-24T13:00:00+00:00&timeObservedLessThan=2019-10-24T13:47:00+00:00&compartmentId=ocid1.compartment.oc1..

The following response output for the filtered logs is returned:

[
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    },
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    }
]

Delivering WAF Logs to Object Storage

Describes how to deliver WAF logs to an object storage bucket for longer-term storage and access.

This task requires creating an object storage bucket or using an existing one. Familiarize yourself with object storage buckets and how to create and manage them before proceeding with delivering WAF log data. See Object Storage Buckets.

WAF logs have a limited retention rate. You can save them indefinitely by delivering your WAF log data to an object storage bucket within your tenancy. Create and configure your object storage bucket first, then submit a support request to Oracle with the required information to have your WAF logs delivered to the bucket.

Access the Object Storage service and create a bucket with manage-object-family permissions.

Only Standard object storage buckets are supported. The Archive storage tier is not supported. Decide on Oracle or user-managed keys. User-managed keys must be in KMS. See Object Storage Buckets for more information.
Set the bucket's Visibility to Public.
Create or configure a user with a customer secret key.

The WAF needs a key and secret to authenticate to OCI bucket for writing. This key is attached to a user. This user must have write permission on the bucket for WAF logs. Record the access key and secret for the user and store in a save location.
Add a user to a group, and create an identity policy to grant permission for that group to be able to write to bucket.
For example, if the bucket is in compartment MSSpoc and group name is wafBucketLogGroup, the identity statement would be:
```
allow group wafBucketLogGroup to manage object-family in compartment MSSpoc
```
The policy is created in the compartment MSSpoc.
Create a file in the bucket that includes the following credentials:
- Web App (domain name for WAF policy):
- SecretKey:
- AccessKey:
- Object storage bucket_region:
- Object storage bucket_name:
- Namespace:
- Endpoint Url: https://namespace.compat.objectstorage.region.oraclecloud.com
- Upload prefix (file format for the logs. Default is %{[webapp_domain]}_/%{+YYYY}/%{+MM}/%{+dd}):
Note

All logs for the web application (including other domains) go into a single folder named based on the main domain. You cannot set the log delivery only for the main domain or only for the additional domain.
Create a pre-authenticated request for a specific object as follows:
1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
2. Choose the compartment where the bucket is located.
3. Click the bucket name.
4. Click Objects under Resources to display the list of objects.
5. Select the file that contains bucket credentials, and then click Pre-Authenticated Requests under Resources.
6. Click Create Pre-Authenticated Request.
Create an Oracle Support request (My Oracle Support) to have your WAF logs delivered to the object storage bucket. Your support request must contain the Pre-Authenticated Request URL with the file you created that contains the bucket credentials.

Only "Standard" OCI buckets are supported. The "Archive" storage tier is not supported.

Oracle Cloud Infrastructure Documentation Try Free Tier

Logs

Viewing Logs 🔗

Delivering WAF Logs to Object Storage 🔗

Oracle Cloud Infrastructure Documentation
Try Free Tier

Viewing Logs

Delivering WAF Logs to Object Storage