Logging and Reporting : Using the security log
 
Using the security log
The Security Log table displays logs related to security features.
Figure 61 shows the security log table. By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.
You can use the following category filters to review logs of interest:
IP Reputation—Traffic logged by the IP Reputation feature
DoS—Traffic logged by the SYN Flood feature
WAF—Traffic logged by the WAF feature
Geo—Traffic logged by the Geo IP block list feature
Figure 61: Security log
 
Within each category, you can use the Filter Setting controls to filter the table on the values of the following columns:
Date
Time
Proto
Service
Src
Src_port
Dst
Dst_port
Policy
Action
The last column in each table includes a link to log details.
Before you begin:
You must have Read-Write permission for Log & Report settings.
To view and filter the log:
1. Go to Log & Report > Log Browsing.
2. Click the Security Logs tab to display the attack log.
3. Click Filter Settings to display the filter tools.
4. Use the tools to filter on key columns and values.
5. Click OK to apply the filter and redisplay the log.
Table 108 to Table 111 list the log columns in the order in which they appear in the log.
Table 108: IP Reputation log
Column | Example | Description
date | date=2014-12-02 | Log date.
time | time=10:27:01 | Log time.
log_id | log_id=0200004230 | Log ID.
type | type=attack | Log type: attack.
subtype | subtype=ip_reputation | Log subtype: ip_reputation.
pri | pri=warning | Log level.
vd | vd=root | Virtual domain.
msg_id | msg_id=13065998 | Message ID.
count | count=1 | For IP reputation, count=1.
severity | severity=high | Rule severity.
proto | proto=0 | Protocol.
service | service=http | Service.
src | src=173.177.99.94 | Source IP address.
src_port | src_port=49301 | Source port.
dst | dst=10.61.2.100 | Destination IP address.
dst_port | dst_port=80 | Destination port.
policy | policy=vs1 | Virtual server name.
action | action=deny | Policy action.
srccountry | srccountry | Location of the source IP address.
dstcountry | dstcountry | Location of the destination IP address.
msg | msg= | Security rule name, category, subcategory, and description of the attack.
 
Table 109: DoS log
Column | Example | Description
date | date=2014-12-02 | Log date.
time | time=10:27:01 | Log time.
log_id | log_id=0200004230 | Log ID.
type | type=attack | Log type: attack.
subtype | subtype=synflood | Log subtype: synflood.
pri | pri=warning | Log level.
vd | vd=root | Virtual domain.
msg_id | msg_id=13065998 | Message ID.
count | count=1 | For DoS, number of timeouts sent per destination.
severity | severity=high | Always "high" for DoS.
proto | proto=0 | Protocol.
service | service=http | Service.
src | src=173.177.99.94 | Source IP address.
src_port | src_port=49301 | Source port.
dst | dst=10.61.2.100 | Destination IP address.
dst_port | dst_port=80 | Destination port.
policy | policy=unknown | For DoS, policy=unknown.
action | action=deny | Policy action.
srccountry | srccountry=Reserved | Location of the source IP address.
dstcountry | dstcountry=Reserved | Location of the destination IP address.
msg | msg= | Security rule name, category, subcategory, and description of the attack.
 
Table 110: WAF log
Column | Example | Description
date | date=2015-07-22 | Log date.
time | time=10:27:01 | Log time.
log_id | log_id=0202008074 | Log ID.
type | type=attack | Log type: attack.
subtype | subtype=waf | Log subtype: waf.
pri | pri=alert | Log level.
vd | vd=root | Virtual domain.
msg_id | msg_id=1512 | Message ID.
count | count=1 | Rule match count.
severity | severity=low | Rule severity.
proto | proto=6 | Protocol.
service | service=http | Service.
src | src=1.1.1.1 | Source IP address.
src_port | src_port=34352 | Source port.
dst | dst=2.2.2.2 | Destination IP address.
dst_port | dst_port=80 | Destination port.
policy | policy=vs1 | Virtual server name.
action | action=pass | Policy action.
sigid | sigid=1 | Attack signature ID.
subcat | subcat=waf_subtype | WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect.
http_host | http_host=192.168.1.140:8080 | HTTP Host header in the HTTP request. Maximum length is 64. Longer values are truncated and appended with "...".
http_url | http_url=/bigdata | URI in the HTTP request. Maximum length is 128. Longer URIs are truncated and appended with "...".
pkt_hdr | pkt_hdr=header | Contents of the packet header that matched the attack signature.
srccountry | srccountry=Australia | Location of the source IP address.
dstcountry | dstcountry=France | Location of the destination IP address.
msg | msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" | Security rule name, category, subcategory, and description of the attack.
 
Table 111: Geo IP log
Column | Example | Description
date | date=2014-12-02 | Log date.
time | time=10:27:01 | Log time.
log_id | log_id=0200004230 | Log ID.
type | type=attack | Log type: attack.
subtype | subtype=geo | Log subtype: geo.
pri | pri=warning | Log level.
vd | vd=root | Virtual domain.
msg_id | msg_id=13065998 | Message ID.
count | count=1 | Rule match count.
severity | severity=high | Rule severity.
proto | proto=0 | Protocol.
service | service=http | Service.
src | src=173.177.99.94 | Source IP address.
src_port | src_port=49301 | Source port.
dst | dst=10.61.2.100 | Destination IP address.
dst_port | dst_port=80 | Destination port.
policy | policy=vs1 | Virtual server name.
action | action=deny | Policy action.
srccountry | srccountry | Location of the source IP address.
dstcountry | dstcountry | Location of the destination IP address.
msg | msg= | Security rule name, category, subcategory, and description of the attack.
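The following Python parser is an added example and not part of the product documentation. It reads records in the key=value layout of Tables 108 to 111, splits off the msg column by position because its value can contain unescaped double quotes (as the WAF example shows), flags http_host/http_url values the device truncated with "...", and filters records the way the category and Filter Setting controls do. The sample records are constructed from the tables' example values.

```python
import re

# Constructed sample records in the key=value layout of Tables 108-111 (one
# record per line, msg last). Values follow the page's examples; the WAF msg
# deliberately keeps its embedded, unescaped double quotes.
SAMPLE_LOG = """\
date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=ip_reputation pri=warning vd=root msg_id=13065998 count=1 severity=high proto=0 service=http src=173.177.99.94 src_port=49301 dst=10.61.2.100 dst_port=80 policy=vs1 action=deny srccountry=Reserved dstcountry=Reserved msg="IP reputation match"
date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=synflood pri=warning vd=root msg_id=13065998 count=1 severity=high proto=0 service=http src=173.177.99.94 src_port=49301 dst=10.61.2.100 dst_port=80 policy=unknown action=deny srccountry=Reserved dstcountry=Reserved msg="SYN flood"
date=2015-07-22 time=10:27:01 log_id=0202008074 type=attack subtype=waf pri=alert vd=root msg_id=1512 count=1 severity=low proto=6 service=http src=1.1.1.1 src_port=34352 dst=2.2.2.2 dst_port=80 policy=vs1 action=pass sigid=1 subcat=waf_http_protocol_cont http_host=192.168.1.140:8080 http_url=/bigdata pkt_hdr=header srccountry=Australia dstcountry=France msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule""
"""

# One key=value token: the value is either a quoted string or a run of non-blanks.
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Parse one security log record into a dict.

    msg is the last column in every table and, as the WAF example shows, its
    value may contain unescaped double quotes, so it is cut off by position
    before the remaining fields are tokenised with _KV.
    """
    head, sep, msg = line.rstrip().partition(" msg=")
    fields = {key: value.strip('"') for key, value in _KV.findall(head)}
    if sep:
        fields["msg"] = msg[1:-1] if len(msg) >= 2 and msg[0] == msg[-1] == '"' else msg
    return fields


def truncated_fields(record):
    """Names of http_host/http_url values the device shortened to its 64/128
    character limit (marked by a trailing '...'); exact-match filters on
    these columns will miss such records."""
    return [k for k in ("http_host", "http_url") if record.get(k, "").endswith("...")]


def filter_log(lines, **criteria):
    """Return parsed records whose columns equal every given criterion,
    mirroring the GUI's category (subtype) and Filter Setting controls,
    e.g. filter_log(lines, subtype="waf", action="pass")."""
    records = (parse_record(l) for l in lines if l.strip())
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_LOG.splitlines(), subtype="waf"):
        print(rec["date"], rec["src"], rec["action"], rec["msg"], truncated_fields(rec))
```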