Using Web Application Firewall Logs

The Web Application Firewall > Log page provides a number of functions, including a flexible search mechanism, and the ability to export the log to a file or email it. The page also provides a way to clear the log. Clicking on a log entry displays more information about the event.

Searching the Log

You can search for a value contained in a certain column of the log table, and can also search for log entries that do not contain the specified value.

To view and search Web Application Firewall log files, perform the following steps:

  1. On the Web Application Firewall > Log page, type the value to search for into the Search field.
  2. Select the column in which to search from the drop-down list to the right of the Search field.
  3. Do one of the following:

Controlling the Log Pagination

To adjust the number of entries on the log page and display a different range of entries, perform the following steps:

  1. On the Web Application Firewall > Log page, enter the number of log entries that you want on each page into the Items per Page field. The Log page display changes to show the new number of entries.
  2. To view the log entries beginning at a certain number, type the starting number into the Item field and press Enter on your keyboard.
  3. To view the first page of log entries, click the left-most button in the arrow control pad.
  4. To view the previous page of log entries, click the left arrow in the arrow control pad.
  5. To view the next page of log entries, click the right arrow in the arrow control pad.
  6. To view the last page of log entries, click the right-most button in the arrow control pad.

Viewing Log Entry Details

The log entry details vary with the type of log entry. For detected threats, the URI (Uniform Resource Identifier) is provided along with the command. Information about the agent that caused the event is also displayed. For an explanation of the rather cryptic Agent string, the following Wikipedia page provides a description and links to external sites that can analyze any user agent string: http://en.wikipedia.org/wiki/User_agent

To view more details about an individual log entry, perform the following steps:

  1. On the Web Application Firewall > Log page, click anywhere on the log entry that you want to view. The details are displayed directly beneath the entry.
  2. To collapse the details for a log entry, click again on the entry.

Exporting and Emailing Log Files

You can export the current contents of the Web Application Firewall log to a file, or email the log contents by using the buttons in the top right corner of the Web Application Firewall > Log page.

Exported files are saved with a .wri file name extension and open with WordPad by default.

Emailed files are automatically sent to the address configured on the Log > Settings page of the SRA management interface. If no address is configured, the Status line at the bottom of the browser will display an error message when you click the E-Mail Log button on the Web Application Firewall > Log page.

To export or email the log, perform the following steps:

  1. To export the log contents, click the Export button in the top right corner of the Web Application Firewall > Log page. The File Download dialog box is displayed.
  2. In the File Download dialog box, do one of the following:
  3. To email the log contents, click the E-Mail Log button in the top right corner of the Web Application Firewall > Log page. The log contents are emailed to the address specified in the Log > Settings page.

Clearing the Log

You can remove all entries from the Web Application Firewall log on the Web Application Firewall > Log page. The entries on the page are removed, and any attempt to export or email the log file while it is still empty will cause a confirmation dialog box to display.

To clear the Web Application Firewall log, perform the following steps:

  1. On the top right corner of the Web Application Firewall > Log page, click Clear.
  2. Click OK in the confirmation dialog box.