The Security Log table displays logs related to security features.
Figure 60 shows the security log table. By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.
You can use the following category filters to review logs of interest:
Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:
The last column in each table includes a link to log details.
Before you begin:
Table 113 to Table 116 list the log columns in the order in which they appear in the log.

Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=ip_reputation | Log subtype: ip_reputation. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | For IP reputation, count=1. |
severity | severity=high | Rule severity. |
proto | proto=6 | Protocol. |
service | service=http | Service. |
src | src=4.4.4.4 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=2.2.2.2 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |

Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=synflood | Log subtype: synflood. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | For DoS, number of timeouts sent per destination. |
severity | severity=high | Always “high” for DoS. |
proto | proto=0 | Protocol. |
service | service=http | Service. |
src | src=173.177.99.94 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=10.61.2.100 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=unknown | For DoS, policy=unknown. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |

Column | Example | Description |
---|---|---|
date | date=2015-07-22 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0202008074 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=waf | Log subtype: waf. |
pri | pri=alert | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=1512 | Message ID. |
count | count=1 | Rule match count. |
severity | severity=low | Rule severity. |
proto | proto=6 | Protocol. |
service | service=http | Service. |
src | src=1.1.1.1 | Source IP address. |
src_port | src_port=34352 | Source port. |
dst | dst=2.2.2.2 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=pass | Policy action. |
sigid | sigid=1 | Attack signature ID. |
subcat | subcat=waf_subtype | WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect. |
http_host | http_host=192.168.1.140:8080 | HTTP Host header in HTTP request. Maximum length is 64. Longer values are truncated and appended with `...`. |
http_url | http_url=/bigdata | URI in HTTP request. Maximum length is 128. Longer URIs are truncated and appended with `...`. |
pkt_hdr | pkt_hdr=header | Contents of the packet header that matched the attack signature. |
srccountry | srccountry=Australia | Location of the source IP address. |
dstcountry | dstcountry=France | Location of the destination IP address. |
msg | msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" | Security rule name, category, subcategory, and description of the attack. |

Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=geo | Log subtype: geo. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | Rule match count. |
severity | severity=high | Rule severity. |
proto | proto=0 | Protocol. |
service | service=http | Service. |
src | src=173.177.99.94 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=10.61.2.100 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |
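
Added example (not part of the original documentation or the vendor's code): a parser and triage pass over records that use the columns listed in the tables above. It assumes each record is one line of space-separated key=value pairs in table order; `parse_record`, `triage` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines built from the tables' example values (subcat and the
# truncated http_url are made up). Assumption: space-separated key=value fields.
SAMPLE = [
    "date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=ip_reputation "
    "pri=warning vd=root msg_id=13065998 count=1 severity=high proto=6 service=http "
    "src=4.4.4.4 src_port=49301 dst=2.2.2.2 dst_port=80 policy=vs1 action=deny "
    "srccountry=cn dstcountry=us msg=msg",
    "date=2015-07-22 time=10:27:01 log_id=0202008074 type=attack subtype=waf pri=alert "
    "vd=root msg_id=1512 count=1 severity=low proto=6 service=http src=1.1.1.1 "
    "src_port=34352 dst=2.2.2.2 dst_port=80 policy=vs1 action=pass sigid=1 "
    "subcat=waf_http_protocol_cont http_host=192.168.1.140:8080 http_url=/bigdata... "
    "pkt_hdr=header srccountry=Australia dstcountry=France "
    'msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" '
    'CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule""',
]
PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_record(line):
    """Parse one security log line into a dict of strings."""
    # msg is the last column in every table and may contain spaces and nested
    # quotes, so split it off first and take it as the rest of the line.
    head, sep, msg = line.strip().rpartition(" msg=")
    if not sep:
        head, msg = line.strip(), ""
    record = {}
    for key, value in PAIR.findall(head):
        # First occurrence wins, so text in a later field cannot overwrite an earlier one.
        record.setdefault(key, value.strip('"'))
    if len(msg) >= 2 and msg[0] == msg[-1] == '"':
        msg = msg[1:-1]  # drop only the outer pair of quotes
    record["msg"] = msg
    return record

def triage(records):
    """Count events per (subtype, action) and flag records worth a closer look."""
    counts = Counter((r.get("subtype"), r.get("action")) for r in records)
    flags = []
    for r in records:
        if r.get("subtype") == "waf" and r.get("action") == "pass":
            flags.append((r.get("msg_id"), "WAF rule matched but request passed"))
        if any(r.get(f, "").endswith("...") for f in ("http_host", "http_url")):
            flags.append((r.get("msg_id"), "http_host/http_url truncated in log"))
    return counts, flags

if __name__ == "__main__":
    print(triage([parse_record(line) for line in SAMPLE]))
```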