Logs
Logs displays log activity and the details of each logged event within a specified time frame. Logs enable you to understand what rules and countermeasures are triggered by requests and are used as a basis to move request handling into block mode. Logs can come from Access Control, Protection Rules, or Bot events.
If you have concerns about General Data Protection Regulation (GDPR) requirements, Logs can be disabled for the WAF service. You can use My Oracle Support to file a service request to disable Logs.
When working with the WAF service, consider the following information:
- The log retention policy for the WAF service is seven days; however, you can request to set up an S3 bucket and have more logs delivered to it. The logs in your bucket can be kept as long as you want.
- Only "Standard" OCI buckets are supported. The "Archive" storage tier isn't supported.
- Log delivery to ELK Stack is only supported to OCI and S3 buckets. Raw logs are sent to the buckets. From the buckets, you can implement them into elastic search.
Viewing Logs
Describes the different methods to view logs for an edge policy.
You can filter logs by the following log types:
-
Access Rules
-
CAPTCHA Challenge
-
JavaScript Challenge
-
Protection Rules
-
Human Interaction Challenge
-
Device Fingerprinting Challenge
-
Threat Intelligence Feeds
-
Address Rate Limiting
-
Access
Use one of the following methods to view logs for an edge policy.
Log entries are displayed based on the options you chose. This task can't be performed using the CLI.
Run the ListWafLogs operation to view log activity.
You can filter logs by the following logType options:
-
ACCESS_RULES
-
CAPTCHA_CHALLENGE
-
JAVASCRIPT_CHALLENGE
-
PROTECTION_RULES
-
HUMAN_INTERACTION_CHALLENGE
-
DEVICE_FINGERPRINT_CHALLENGE
-
THREAT_INTELLIGENCE_FEEDS
-
ADDRESS_RATE_LIMITING
-
ACCESS
Logs can be filtered by logType by making the following request:
GET /20181116/waasPolicies/unique_ID/wafLogs?logType=logType&timeObservedGreaterThanOrEqualTo=timestamp&timeObservedLessThan=timestamp&compartmentId=unique_ID
For example:
GET /20181116/waasPolicies/ocid1.waaspolicy.oc1../wafLogs?logType=PROTECTION_RULES&timeObservedGreaterThanOrEqualTo=2019-10-24T13:00:00+00:00&timeObservedLessThan=2019-10-24T13:47:00+00:00&compartmentId=ocid1.compartment.oc1..
The following response output for the filtered logs is returned:
[ { "action": "BLOCK", "clientAddress": "192.0.2.0", "countryCode": "US", "countryName": "United States", "domain": "example.com", "httpHeaders": { "Accept": "*/*", "Host": "example.com", "Referer": "", "Request-Id": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt", "User-Agent": "curl/7.54.0", "X-Client-Ip": "192.0.2.0", "X-Country-Code": "US", "X-Forwarded-For": "192.0.2.0, 192.0.2.0" }, "httpMethod": "GET", "httpVersion": "HTTP/1.1", "incidentKey": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt", "logType": "PROTECTION_RULES", "protectionRuleDetections": { "950002": { "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe", "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc." } }, "requestUrl": "/?abc=cmd.exe", "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT", "userAgent": "curl/7.54.0" }, { "action": "BLOCK", "clientAddress": "192.0.2.0", "countryCode": "US", "countryName": "United States", "domain": "example.com", "httpHeaders": { "Accept": "*/*", "Host": "example.com", "Referer": "", "Request-Id": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY", "User-Agent": "curl/7.54.0", "X-Client-Ip": "192.0.2.0", "X-Country-Code": "US", "X-Forwarded-For": "192.0.2.0, 192.0.2.0" }, "httpMethod": "GET", "httpVersion": "HTTP/1.1", "incidentKey": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY", "logType": "PROTECTION_RULES", "protectionRuleDetections": { "950002": { "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe", "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc." } }, "requestUrl": "/?abc=cmd.exe", "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT", "userAgent": "curl/7.54.0" } ]
-
Delivering WAF Logs to Object Storage
Describes how to deliver WAF logs to an object storage bucket for longer-term storage and access.
This task requires creating an object storage bucket or using an existing one. Familiarize yourself with object storage buckets and how to create and manage them before proceeding with delivering WAF log data. See Object Storage Buckets.
WAF logs have a limited retention rate. You can save them indefinitely by delivering your WAF log data to an object storage bucket within your tenancy. Create and configure your object storage bucket first, then submit a support request to Oracle with the required information to have your WAF logs delivered to the bucket.