Chapter 12: Logging and Reporting

Using the security log

The Security Log table displays logs related to security features.

Figure 60 shows the security log table. By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

Figure 60: Security log

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

The last column in each table includes a link to log details.

Before you begin:

To view and filter the log:
  1. Go to Log & Report > Log Browsing.
  2. Click the Security Logs tab to display the attack log.
  3. Click Filter Settings to display the filter tools.
  4. Use the tools to filter on key columns and values.
  5. Click OK to apply the filter and redisplay the log.

Table 113 to Table 116 list the log columns in the order in which they appear in the log.

Table 113: IP Reputation log

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-02 | Log date. |
| time | time=10:27:01 | Log time. |
| log_id | log_id=0200004230 | Log ID. |
| type | type=attack | Log type: attack. |
| subtype | subtype=ip_reputation | Log subtype: ip_reputation. |
| pri | pri=warning | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=13065998 | Message ID. |
| count | count=1 | For IP reputation, count=1. |
| severity | severity=high | Rule severity. |
| proto | proto=6 | Protocol. |
| service | service=http | Service. |
| src | src=4.4.4.4 | Source IP address. |
| src_port | src_port=49301 | Source port. |
| dst | dst=2.2.2.2 | Destination IP address. |
| dst_port | dst_port=80 | Destination port. |
| policy | policy=vs1 | Virtual server name. |
| action | action=deny | Policy action. |
| srccountry | srccountry=cn | Location of the source IP address. |
| dstcountry | dstcountry=us | Location of the destination IP address. |
| msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |

Table 114: DoS log

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-02 | Log date. |
| time | time=10:27:01 | Log time. |
| log_id | log_id=0200004230 | Log ID. |
| type | type=attack | Log type: attack. |
| subtype | subtype=synflood | Log subtype: synflood. |
| pri | pri=warning | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=13065998 | Message ID. |
| count | count=1 | For DoS, number of timeouts sent per destination. |
| severity | severity=high | Always "high" for DoS. |
| proto | proto=0 | Protocol. |
| service | service=http | Service. |
| src | src=173.177.99.94 | Source IP address. |
| src_port | src_port=49301 | Source port. |
| dst | dst=10.61.2.100 | Destination IP address. |
| dst_port | dst_port=80 | Destination port. |
| policy | policy=unknown | For DoS, policy=unknown. |
| action | action=deny | Policy action. |
| srccountry | srccountry=cn | Location of the source IP address. |
| dstcountry | dstcountry=us | Location of the destination IP address. |
| msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |

Table 115: WAF log

| Column | Example | Description |
|---|---|---|
| date | date=2015-07-22 | Log date. |
| time | time=10:27:01 | Log time. |
| log_id | log_id=0202008074 | Log ID. |
| type | type=attack | Log type: attack. |
| subtype | subtype=waf | Log subtype: waf. |
| pri | pri=alert | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=1512 | Message ID. |
| count | count=1 | Rule match count. |
| severity | severity=low | Rule severity. |
| proto | proto=6 | Protocol. |
| service | service=http | Service. |
| src | src=1.1.1.1 | Source IP address. |
| src_port | src_port=34352 | Source port. |
| dst | dst=2.2.2.2 | Destination IP address. |
| dst_port | dst_port=80 | Destination port. |
| policy | policy=vs1 | Virtual server name. |
| action | action=pass | Policy action. |
| sigid | sigid=1 | Attack signature ID. |
| subcat | subcat=waf_subtype | WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont, or waf_sql_xss_injection_detect. |
| http_host | http_host=192.168.1.140:8080 | HTTP Host header in the HTTP request. Maximum length is 64. Longer values are truncated and appended with .... |
| http_url | http_url=/bigdata | URI in the HTTP request. Maximum length is 128. Longer URIs are truncated and appended with .... |
| pkt_hdr | pkt_hdr=header | Contents of the packet header that matched the attack signature. |
| srccountry | srccountry=Australia | Location of the source IP address. |
| dstcountry | dstcountry=France | Location of the destination IP address. |
| msg | msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" | Security rule name, category, subcategory, and description of the attack. |

Table 116: Geo IP log

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-02 | Log date. |
| time | time=10:27:01 | Log time. |
| log_id | log_id=0200004230 | Log ID. |
| type | type=attack | Log type: attack. |
| subtype | subtype=geo | Log subtype: geo. |
| pri | pri=warning | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=13065998 | Message ID. |
| count | count=1 | Rule match count. |
| severity | severity=high | Rule severity. |
| proto | proto=0 | Protocol. |
| service | service=http | Service. |
| src | src=173.177.99.94 | Source IP address. |
| src_port | src_port=49301 | Source port. |
| dst | dst=10.61.2.100 | Destination IP address. |
| dst_port | dst_port=80 | Destination port. |
| policy | policy=vs1 | Virtual server name. |
| action | action=deny | Policy action. |
| srccountry | srccountry=cn | Location of the source IP address. |
| dstcountry | dstcountry=us | Location of the destination IP address. |
| msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |