Oracle Cloud Infrastructure Documentation

Logs

Logs displays log activity and the details of each logged event within a specified time frame. Logs let you see which rules and countermeasures are triggered by requests, and they are the basis for deciding when to move request handling into block mode. Logs can come from Access Control, Protection Rules, or Bot events.

Note

If you have concerns over General Data Protection Regulation (GDPR) requirements, Logs can be disabled for the WAF service. You can use My Oracle Support to file a service request to disable Logs.

Using the Console

To view Logs

  1. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  2. Click the name of the WAF Policy you want to view logs for. The WAF Policy overview appears.
  3. Click Logs. Logs for the WAF policy appear.
  4. To help find a log, you can use the following filter options:
    • To view alerting activity data for a specific time range, enter a Start Date, Start Time, End Date, or End Time.
    • To view logs for a URL, enter a Request URL.
    • To view logs for a client IP address, select an address from the Client IP Address drop-down menu.
    • To view logs for a country, select a country from the Country Name drop-down list.
    • To find a type of action, select an Action check box.
    • To find a type of log, select a Log Type check box from the following options:
      • Access Rules
      • CAPTCHA Challenge
      • JavaScript Challenge
      • Protection Rules
      • Human Interaction Challenge
      • Device Fingerprinting Challenge
      • Threat Intelligence Feeds
      • Address Rate Limiting
      • Access
  5. Click the plus sign next to the Alert Type you want to view.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the ListWafLogs API operation to display log activity. You can use filters to help find a log.

Example

You can filter logs by the following logType:

  • ACCESS_RULES
  • CAPTCHA_CHALLENGE
  • JAVASCRIPT_CHALLENGE
  • PROTECTION_RULES
  • HUMAN_INTERACTION_CHALLENGE
  • DEVICE_FINGERPRINT_CHALLENGE
  • THREAT_INTELLIGENCE_FEEDS
  • ADDRESS_RATE_LIMITING
  • ACCESS

Logs can be filtered by logType by making the following request:

GET /20181116/waasPolicies/<unique_ID>/wafLogs?logType=<logType>&timeObservedGreaterThanOrEqualTo=<timestamp>&timeObservedLessThan=<timestamp>&compartmentId=<unique_ID>

For example:

GET /20181116/waasPolicies/ocid1.waaspolicy.oc1../wafLogs?logType=PROTECTION_RULES&timeObservedGreaterThanOrEqualTo=2019-10-24T13:00:00+00:00&timeObservedLessThan=2019-10-24T13:47:00+00:00&compartmentId=ocid1.compartment.oc1..

The following response output for the filtered logs is returned:

[
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    },
    {
        "action": "BLOCK",
        "clientAddress": "192.0.2.0",
        "countryCode": "US",
        "countryName": "United States",
        "domain": "example.com",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "Request-Id": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "US",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "HTTP/1.1",
        "incidentKey": "2019-10-24T13:46:25Z|43bd96b710|192.0.2.0|E04WECJbcY",
        "logType": "PROTECTION_RULES",
        "protectionRuleDetections": {
            "950002": {
                "Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe",
                "Message details": "Access denied with code 403 (phase 2). Pattern match \"\\\\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\\\\.exe\\\\b|cmd(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c))\" at ARGS:abc."
            }
        },
        "requestUrl": "/?abc=cmd.exe",
        "timestamp": "Thu, 24 Oct 2019 13:46:25 GMT",
        "userAgent": "curl/7.54.0"
    }
]

Example

Logs can be filtered by clientAddress and time range by making the following request:

GET /20181116/waasPolicies/<unique_ID>/wafLogs?clientAddress=<IP address>&timeObservedGreaterThanOrEqualTo=<timestamp>&timeObservedLessThan=<timestamp>&compartmentId=<unique_ID>

For example:

GET /20181116/waasPolicies/ocid1.waaspolicy.oc1../wafLogs?clientAddress=192.0.2.0&timeObservedGreaterThanOrEqualTo=2019-10-24T13:26:47+00:00&timeObservedLessThan=2019-10-24T13:26:56+00:00&compartmentId=ocid1.compartment.oc1..

The following response output for the filtered logs is returned:

[
    {
        "clientAddress": "192.0.2.0",
        "countryName": "Unknown",
        "domain": "example.com",
        "fingerprint": "-",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.01",
            "X-Country-Code": "AU",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "1.1",
        "incidentKey": "2019-10-24T13:26:55Z|43bd96b710|192.0.2.0|ytQbBpuerK",
        "logType": "ACCESS",
        "originAddress": "130.35.212.39:80",
        "originResponseTime": "0.2500",
        "requestUrl": "/",
        "responseCode": 200,
        "responseSize": 4978,
        "timestamp": "Thu, 24 Oct 2019 13:26:55 GMT",
        "userAgent": "curl/7.54.0"
    },
    {
        "clientAddress": "192.0.2.0",
        "countryName": "Unknown",
        "domain": "example.com",
        "fingerprint": "-",
        "httpHeaders": {
            "Accept": "*/*",
            "Host": "example.com",
            "Referer": "",
            "User-Agent": "curl/7.54.0",
            "X-Client-Ip": "192.0.2.0",
            "X-Country-Code": "AU",
            "X-Forwarded-For": "192.0.2.0, 192.0.2.0"
        },
        "httpMethod": "GET",
        "httpVersion": "1.1",
        "incidentKey": "2019-10-24T13:26:53Z|4d7583f67c|192.0.2.0|KR8qhtyJnG",
        "logType": "ACCESS",
        "originAddress": "198.51.100.0:24",
        "originResponseTime": "0.5070",
        "requestUrl": "/",
        "responseCode": 200,
        "responseSize": 4978,
        "timestamp": "Thu, 24 Oct 2019 13:26:54 GMT",
        "userAgent": "curl/7.54.0"
    }
]
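The two responses above are the raw material for the "move request handling into block mode" decision the Logs overview describes. The following script, added here as an example and not part of Oracle's documentation or SDK, summarizes a ListWafLogs result per protection rule (actions, clients, URLs) and per response code, so a reviewer can see whether a rule fires narrowly before switching it to BLOCK. The entries are constructed in the same shape as the responses shown on this page; the DETECT action value and the meaning of the second and fourth incidentKey fields are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the ListWafLogs responses above (not real traffic).
# "DETECT" as the detect-mode action name is an assumption; the page only shows "BLOCK".
SAMPLE_LOGS = json.loads('''[
  {"action": "BLOCK", "clientAddress": "192.0.2.0", "logType": "PROTECTION_RULES",
   "requestUrl": "/?abc=cmd.exe",
   "incidentKey": "2019-10-24T13:46:25Z|fa68cab479|192.0.2.0|uwDPcqR0Qt",
   "protectionRuleDetections": {"950002": {"Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe"}}},
  {"action": "DETECT", "clientAddress": "198.51.100.7", "logType": "PROTECTION_RULES",
   "requestUrl": "/?abc=cmd.exe",
   "incidentKey": "2019-10-24T13:47:02Z|fa68cab479|198.51.100.7|Zk3pQ9xLmN",
   "protectionRuleDetections": {"950002": {"Message": "System Command Access. Matched Data: cmd.exe found within ARGS:abc: cmd.exe"}}},
  {"clientAddress": "192.0.2.0", "logType": "ACCESS", "requestUrl": "/",
   "incidentKey": "2019-10-24T13:26:55Z|43bd96b710|192.0.2.0|ytQbBpuerK",
   "responseCode": 200, "originResponseTime": "0.2500"}
]''')


def parse_incident_key(key):
    """Split the pipe-delimited incidentKey. Fields 1 and 3 match the timestamp and
    client address on the page; fields 2 and 4 are undocumented, so they are returned raw."""
    time_observed, token, client_ip, request_id = key.split("|")
    return {"time": time_observed, "token": token, "client": client_ip, "id": request_id}


def summarize_protection_rules(logs):
    """Per rule ID: count of requests by action, plus the distinct clients and URLs
    that triggered it. A rule hitting many URLs from many clients in DETECT mode
    deserves a closer look for false positives before it is moved to BLOCK."""
    summary = defaultdict(lambda: {"actions": defaultdict(int), "clients": set(), "urls": set()})
    for entry in logs:
        if entry.get("logType") != "PROTECTION_RULES":
            continue
        for rule_id in entry.get("protectionRuleDetections", {}):
            rule = summary[rule_id]
            rule["actions"][entry.get("action", "UNKNOWN")] += 1
            rule["clients"].add(entry["clientAddress"])
            rule["urls"].add(entry.get("requestUrl", ""))
    return summary


def summarize_access(logs):
    """Per response code: request count and slowest origin response time in seconds."""
    summary = defaultdict(lambda: {"count": 0, "max_origin_time": 0.0})
    for entry in logs:
        if entry.get("logType") != "ACCESS":
            continue
        code = summary[entry["responseCode"]]
        code["count"] += 1
        code["max_origin_time"] = max(code["max_origin_time"], float(entry.get("originResponseTime", 0)))
    return summary
```

Feed the script the parsed JSON body of a real ListWafLogs call in place of SAMPLE_LOGS; paging and request signing are handled as described under Using the API.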