web-application-firewall-de.../umn/source/enabling_lts_for_waf_logging.rst
proposalbot 392c14c1f9 Changes to wafd_umn from docs/doc-exports#694 (WAF Dedicated UMN 20230329 versio
Reviewed-by: Belejkanic, Lukas <lukas.belejkanic@t-systems.com>
Co-authored-by: proposalbot <proposalbot@otc-service.com>
Co-committed-by: proposalbot <proposalbot@otc-service.com>
2023-04-20 07:55:56 +00:00


Enabling LTS for WAF Logging

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

LTS analyzes and processes a large number of logs. It enables you to process logs in real time, efficiently, and securely. Logs are stored in LTS for seven days by default, but you can configure LTS to retain them for up to 30 days if needed. Logs older than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.

Prerequisites

  • You have applied for your WAF.
  • The website to be protected has been added to WAF.

Impact on the System

Enabling LTS for WAF does not affect WAF performance.

Enabling LTS for WAF Protection Event Logging

  1. Log in to the management console.

  2. Click the icon in the upper left corner of the management console and select a region or project.

  3. Click the icon in the upper left corner and choose Web Application Firewall (Dedicated) under Security.

  4. In the navigation pane on the left, choose Events.

  5. Click the Configure Logs tab, enable LTS, and select a log group and log stream. Table 1 describes the parameters.

    Figure 1 Configuring logs
    Table 1 Log configuration

    Parameter | Description | Example Value
    Log Group | Select a log group or click View Log Group to go to the LTS console and create a log group. | lts-group-waf
    Attack Log | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An attack log includes information about event type, protective action, and attack source IP address of each attack. | lts-topic-waf-attack
    Access Log | Select a log stream or click View Log Stream to go to the LTS console and create a log stream. An access log includes key information about access time, client IP address, and resource URL of each HTTP access request. | lts-topic-waf-access
  6. Click OK.

    You can view WAF protection event logs on the LTS console.

Viewing WAF Protection Event Logs on LTS

After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console.

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. Click the icon in the upper left corner of the page and choose Management & Deployment > Log Tank Service.
  4. In the log group list, expand the WAF log group (for example, lts-group-waf).
  5. View protection event logs.
    • View attack logs.
      1. In the log stream list, click the name of the configured attack log stream.

      2. View attack logs.

        Figure 2 Viewing attack logs
    • View access logs.
      1. In the log stream list, click the name of the configured access log stream.

      2. View access logs.

        Figure 3 Viewing access logs

WAF access_log field description

Field | Type | Field Description | Description
requestid | string | Random ID | The value is the same as the last eight characters of the req_id field in the attack log.
time | string | Time an access request is received. | GMT time a log is generated.
eng_ip | string | IP address of the WAF engine | -
hostid | string | Domain name identifier of the access request. | Protected domain name ID (upstream_id).
tenantid | string | Account ID | Your account
projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region.
remote_ip | string | IP address from which a client request originates. | IP address from which a client request originates. NOTICE: If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the x-forwarded-for and x_real_ip fields.
x-forwarded-for | string | A string of IP addresses for a proxy when the proxy is deployed in front of WAF. | The string includes one or more IP addresses. The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address.
x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF. | Real IP address of the client, which is identified by the proxy.
cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. NOTICE: Some CDN vendors may use other fields. WAF records only the most common fields.
scheme | string | Request protocol | Protocols that can be used in the request: HTTP or HTTPS.
response_code | string | Response code | Response status code returned by the origin server to WAF.
method | string | Request method. | Request type in a request line. Generally, the value is GET or POST.
http_host | string | Domain name of the requested server. | Address, domain name, or IP address entered in the address box of a browser.
url | string | Request URL. | Path in a URL (excluding the domain name).
request_length | string | Request length. | The request length includes the access request address, HTTP request header, and number of bytes in the request body.
bytes_send | string | Total number of bytes sent to the client. | Number of bytes sent by WAF to the client.
body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client
upstream_addr | string | Address of the backend server. | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned in this parameter.
request_time | string | Request processing time | Processing time starts when the first byte of the client is read.
upstream_response_time | string | Backend server response time. | Time when the backend server responds to the WAF request.
upstream_status | string | Response code of the backend server. | Response status code returned by the backend server to WAF.
upstream_connect_time | string | Time elapsed for origin servers to connect to backend servers | Time for the origin server to establish a connection to its backend servers. If the backend service uses an encryption protocol, this parameter includes the handshake time.
upstream_header_time | string | Time used by the backend server to receive the first byte of the response header. | -
bind_ip | string | WAF engine back-to-source IP address. | Back-to-source IP address used by the WAF engine.
group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS.
access_stream_id | string | Log stream ID. | ID of access_stream of the user in the log group identified by the group_id field.
engine_id | string | WAF engine ID | Unique ID of the WAF engine.
time_iso8601 | string | ISO 8601 time format of logs. | -
sni | string | Domain name requested through SNI. | -
tls_version | string | Protocol version for establishing an SSL connection. | TLS version used in the request.
ssl_curves | string | Curve group list supported by the client. | -
ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused: r: Yes; .: No
process_time | string | Detection duration | -
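To show how the proxy-related fields above fit together, here is an added Python example (not part of this document or the WAF product) that resolves the visitor address from an access_log record, following the rule that remote_ip is the proxy node when a layer-7 proxy or CDN sits in front of WAF. It assumes LTS delivers each record as a JSON object keyed by the field names in the table; the sample records are constructed.

```python
import ipaddress
import json

# Constructed sample access_log records using the field names documented above.
# Assumption: LTS delivers each record as one JSON object per line.
SAMPLE_ACCESS_LOGS = [
    '{"requestid": "1a2b3c4d", "remote_ip": "203.0.113.10", "x-forwarded-for": "", '
    '"x_real_ip": "", "cdn_src_ip": "", "url": "/login"}',
    '{"requestid": "5e6f7a8b", "remote_ip": "198.51.100.7", '
    '"x-forwarded-for": "192.0.2.44, 198.51.100.7", "x_real_ip": "192.0.2.44", '
    '"cdn_src_ip": "", "url": "/api"}',
    '{"requestid": "9c0d1e2f", "remote_ip": "198.51.100.9", '
    '"x-forwarded-for": "not-an-ip, 198.51.100.9", "x_real_ip": "", '
    '"cdn_src_ip": "", "url": "/"}',
]


def _valid_ip(value):
    """Return the stripped value if it parses as an IPv4/IPv6 address, else None."""
    value = (value or "").strip()
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None
    return value


def client_ip(record, proxy_in_front):
    """Resolve the visitor address for one access_log record.

    Without a proxy or CDN in front of WAF, remote_ip is the client itself.
    With one, remote_ip is the proxy node closest to WAF, so prefer (in order)
    cdn_src_ip, x_real_ip, then the leftmost x-forwarded-for entry, and fall
    back to remote_ip when none of those carries a valid address.
    """
    if proxy_in_front:
        for candidate in (record.get("cdn_src_ip"), record.get("x_real_ip")):
            ip = _valid_ip(candidate)
            if ip:
                return ip
        leftmost = (record.get("x-forwarded-for") or "").split(",")[0]
        ip = _valid_ip(leftmost)
        if ip:
            return ip
    return _valid_ip(record.get("remote_ip"))


def resolve_all(lines, proxy_in_front):
    """Map requestid -> resolved client IP for a batch of JSON access_log lines."""
    return {rec["requestid"]: client_ip(rec, proxy_in_front)
            for rec in map(json.loads, lines)}
```

Only treat the proxy headers as authoritative when a proxy or CDN is actually deployed in front of WAF; otherwise the header values are whatever the client sent.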

WAF request_log field description

Field | Type | Field Description | Description
scheme | string | Request protocol | Protocols that can be used in the request: HTTP or HTTPS.
hport | string | Listening port for the engine | -
body_bytes_sent | string | Total number of bytes of the response body sent to the client. | -
hostid | string | Protected domain name ID (upstream_id). | -
time_iso8601 | string | ISO 8601 time format of logs. | -
host | string | Domain name of the requested server. | -
tenantid | string | Account ID | -
inet_ip | string | IP address of the engine | -
backend.protocol | string | Current backend protocol | -
backend.alive | string | Current backend status | -
backend.port | string | Current backend port | -
backend.host | string | Current backend host value | -
backend.type | string | Current backend host type | Type of the backend host. It can be a domain name or an IP address.
id | string | Request ID | The last eight characters are the same as the first eight characters of the requestid in the access log.
sip | string | IP address from which a client request originates. | -
sport | string | Port used by the IP address from which a client request originates. | -
projectid | string | ID of the project the protected domain name belongs to | -
cookie | string | Cookie | -
method | string | Request method. | -
uri | string | Request URI | -
request_stream_id | string | Log stream ID | ID of request_stream of the user in the log group identified by the group_id field.
group_id | string | Log group ID | LTS log group ID
engine_id | string | Unique ID of the engine | -
header | string | Header content | -
time | string | Log time | -
category | string | Log category | The value is request.
status | string | Response code | -

WAF attack_log field description

Field | Type | Field Description | Description
category | string | Log category | The value is attack.
time | string | Log time | -
time_iso8601 | string | ISO 8601 time format of logs. | -
policy_id | string | Policy ID | -
level | string | Protection level | Protection level of a built-in rule in basic web protection:
  • 1: Low
  • 2: Medium
  • 3: High
attack | string | Type of attack | Attack type. This parameter is listed in attack logs only. Values:
  • default: default attacks
  • sqli: SQL injections
  • xss: cross-site scripting (XSS) attacks
  • webshell: web shells
  • robot: malicious crawlers
  • cmdi: command injections
  • rfi: remote file inclusion attacks
  • lfi: local file inclusion attacks
  • illegal: unauthorized requests
  • vuln: exploits
  • cc: attacks that hit the CC protection rules
  • custom_custom: attacks that hit a precise protection rule
  • custom_whiteip: attacks that hit an IP address blacklist or whitelist rule
  • custom_geoip: attacks that hit a geolocation access control rule
  • antitamper: attacks that hit a web tamper protection rule
  • anticrawler: attacks that hit the JS challenge anti-crawler rule
  • leakage: vulnerabilities that hit an information leakage prevention rule
  • followed_action: The source is marked as a known attack source.
action | string | Protective action | WAF defense action:
  • block: WAF blocks attacks.
  • log: WAF only logs detected attacks.
  • captcha: Verification code
sub_type | string | Crawler types | When attack is set to robot, this parameter cannot be left blank. Values:
  • script_tool: Script tools
  • search_engine: Search engines
  • scanner: Scanning tools
  • uncategorized: Other crawlers
rule | string | ID of the triggered rule or the description of the custom policy type. | -
location | string | Location triggering the malicious load | -
hit_data | string | String triggering the malicious load | -
resp_headers | string | Response header | -
resp_body | string | Response body | -
backend | string | Address of the backend server to which the request is forwarded. | -
status | string | Response status code | -
reqid | string | Random ID | -
id | string | Attack ID | ID of the attack
method | string | Request method | -
sip | string | Client request IP address | -
sport | string | Client request port | -
host | string | Requested domain name | -
http_host | string | Domain name of the requested server. | -
hport | string | Port of the requested server. | -
uri | string | Request URL. | The domain is excluded.
header | A JSON string. A JSON table is obtained after the string is decoded. | Request header | -
multipart | A JSON string. A JSON table is obtained after the string is decoded. | Request multipart header | This parameter is used to upload files.
cookie | A JSON string. A JSON table is obtained after the string is decoded. | Cookie of the request | -
params | A JSON string. A JSON table is obtained after the string is decoded. | Params value following the request URI. | -
body_bytes_sent | string | Total number of bytes of the response body sent to the client. | Total number of bytes of the response body sent by WAF to the client.
upstream_response_time | string | Backend server response time. | -
process_time | string | Detection duration | -
engine_id | string | Unique ID of the engine | -
group_id | string | Log group ID | LTS log group ID
attack_stream_id | string | Log stream ID | ID of access_stream of the user in the log group identified by the group_id field.
hostid | string | Protected domain name ID (upstream_id). | -
tenantid | string | Account ID | -
projectid | string | ID of the project the protected domain name belongs to | -
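As an added Python example (not part of this document or the WAF product), the following joins attack_log records to their access_log records and flags detections that WAF only logged. It uses the relation stated in the access_log table, that the access requestid equals the last eight characters of the attack log's request ID, and assumes the reqid field of the attack log is that ID and that LTS delivers one JSON object per line; all sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample records using the field names documented in the tables above.
# Assumption: LTS delivers each record as one JSON object per line, and the attack
# log's reqid is the request ID whose last eight characters form the access requestid.
ATTACK_LOGS = [
    '{"category": "attack", "reqid": "7f3a9b2c1d4e5f60", "attack": "sqli", '
    '"action": "block", "level": "3", "uri": "/login", "sip": "192.0.2.44"}',
    '{"category": "attack", "reqid": "00aa11bb22cc33dd", "attack": "xss", '
    '"action": "log", "level": "2", "uri": "/search", "sip": "198.51.100.7"}',
    '{"category": "attack", "reqid": "ffee11229988aabb", "attack": "cmdi", '
    '"action": "log", "level": "3", "uri": "/ping", "sip": "203.0.113.10"}',
]
ACCESS_LOGS = [
    '{"requestid": "1d4e5f60", "url": "/login", "upstream_status": "-", "response_code": "403"}',
    '{"requestid": "22cc33dd", "url": "/search", "upstream_status": "200", "response_code": "200"}',
    '{"requestid": "9988aabb", "url": "/ping", "upstream_status": "200", "response_code": "200"}',
]


def index_access(lines):
    """Key access_log records by requestid for O(1) lookup from the attack side."""
    index = {}
    for line in lines:
        rec = json.loads(line)
        index[rec["requestid"]] = rec
    return index


def join_attacks(attack_lines, access_lines):
    """Attach the matching access record (or None) to each attack record."""
    access = index_access(access_lines)
    joined = []
    for line in attack_lines:
        atk = json.loads(line)
        atk["access"] = access.get(atk["reqid"][-8:])
        joined.append(atk)
    return joined


def summarize(joined):
    """Count attacks by (attack type, protective action), e.g. ('sqli', 'block')."""
    return Counter((a["attack"], a["action"]) for a in joined)


def unblocked_high(joined):
    """Level-3 detections that WAF only logged and whose request then got 200 from the origin."""
    hits = []
    for a in joined:
        acc = a["access"] or {}
        if a["action"] == "log" and a["level"] == "3" and acc.get("upstream_status") == "200":
            hits.append((a["reqid"], a["attack"], a["uri"], a["sip"]))
    return hits
```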