Log Fields (RTLD WAF)

Log data is reported as a JSON document. Log format determines whether log data identification information will be included and how the data is formatted. Each type of log format is described below.

If log data uses either the JSON Array or JSON Lines log format, then it will not contain information that uniquely identifies a set of log data. If log data is delivered to a destination other than AWS S3, Azure Blob Storage, or Google Cloud Storage, then there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

A log entry describes a HTTP/HTTPS request that was submitted to our CDN.

Top-Level Name/Value Pairs

Top-level name/value pairs are unavailable for the JSON Array and JSON Lines log formats. If you require this information, please choose the standard JSON log format.

Top-level name/value pairs are described below.

Field

Friendly Name

Description

account_number

String

Customer Account Number

Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC.

agent_id

String

Agent ID

Indicates the unique ID that identifies the Real-Time Log Delivery software agent that generated the log data.

datestamp

String

Date Stamp

Indicates the date on which the log data was generated.

Syntax:

YYYYMMDD

Example:

20210412

logs

Array of Objects

Log Data

Describes the log entries associated with the current JSON document. Each object contains a set of fields that describe the request/response for a single log entry.

profile_id

Number (Integer)

Profile ID

Identifies a RTLD profile by its system-defined ID.

seq_num

Number (Integer)

Sequence Number

Indicates the sequential number that identifies the order in which the log data was generated by the software agent identified by the agent_id field.

service

String

Service

This field always reports waf.

logs Array

The logs array contains an object for each log entry associated with the current JSON document. Each log entry describes a threat via the following fields:

Field

Friendly Name

Description

account_number

String

Customer AN

Category: GeneralProvides miscellaneous information about the request.

Indicates your CDN account number (e.g., 0001). This account number may be viewed from the upper-right hand corner of the MCC.

action_type

String

Action Type

Category: EventProvides high-level information about the violation.

Indicates the action that was triggered as a result of the violation. Valid values are:

  • BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
  • NOP: Indicates that an alert was generated in response to the rule violation.
  • REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field.
  • CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.

client_city

String

City Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the city from which the request originated.

client_country_code

String

Country Code

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the two-character ISO 3166-1 code for the country from which the request originated.

View a listing of country codes.

client_country

String

Country Name

Category: Client GeographyProvides geographical information about the client that submitted the request.

Indicates the country from which the request originated.

client_ip

String

IP Address

Category: Client NetworkDescribes the network of the client that submitted the request.

Indicates the IP address for the computer that submitted the request to our CDN.

host

String

Host

Category: Request HeaderDescribes request header values.

Indicates the Host header value sent in the client's request to the CDN.

referer

String

Referer

Category: Request HeaderDescribes request header values.

Indicates the Referer header value sent in the client's request to the CDN. This header reports the URL of the site from which the request originated.

This field will typically be set to a blank value for the HTTP Small and the ADN platforms.

rule_message

String

Rule Message

Category: EventProvides high-level information about the violation.

Provides a description of the rule that the request violated.

rule_tags

Array of String Values

Rule Tags

Category: EventProvides high-level information about the violation.

Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.

server_port

Integer

Server Port

Category: Network Provides information on where and how the request was handled by our network.

Indicates the port number on an edge server to which the client directed a request. Valid values are:

  • 80: HTTP request
  • 443: HTTPS request

sub_events_count

Integer

Sub Events Count

Category: Sub EventIndicates how the request violated the security configuration.

Indicates the total number of sub events.

sub_events

Array of Objects

Sub Events

Category: Sub EventIndicates how the request violated the security configuration.

Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

timestamp

Number (Decimal)

Epoch Time

Category: ResponseDescribes the response sent from an edge server to the client that submitted the request.

Indicates the Unix time, in seconds, at which an edge server delivered the requested content to the client.

Syntax:

Seconds.Microseconds

url

String

URL

Category: RequestDescribes the request submitted to the CDN.

Indicates the URL that was requested.

user_agent

String

User Agent

Category: Request HeaderDescribes request header values.

Indicates the user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). that submitted the HTTP request to our CDN.

uuid

String

Event ID

Category: RequestDescribes the request submitted to the CDN.

Indicates the unique ID assigned to the event.

Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry.

waf_instance_name

String

Instance Name

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the name of the instance that activated the profile containing the rule that the requested violated.

waf_profile_name

String

Profile Name

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates the name of the profile that triggered the violation.

waf_profile_type

String

Profile Type

Category: Security ConfigurationProvides information about the security configuration that was violated.

Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are:

PRODUCTION | AUDIT

sub_events Array

The sub_events array contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

Field

Friendly Name

Description

matched_on

String

Matched On

Indicates the variable that identifies where the violation was found.

View variable definitions.

matched_value

String

Matched Value

Indicates the value of the variable defined in the matched_on field.

rule_id

Integer

Rule ID

Indicates the ID for the rule that the request violated.

rule_message

String

Rule Message

Provides a description of the rule that the request violated.

total_anomaly_score

Integer

Total Anomaly Score

Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event.

Sample Log Data

Sample log data that contains two log entries is provided below for all three log formats.

Example (JSON):

{
	"agent_id": "1234500008619D55A",
	"seq_num": 0,
	"service": "waf",
	"account_number": "0001",
	"profile_id": 0,
	"datestamp": "20201008",
	"logs": [{
			"timestamp": 1602200337.177535713,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "190.220.230.2",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832704",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}, {
			"timestamp": 1602200338.598465258,
			"user_agent": "curl/7.64.1",
			"url": "https://cdn.example.com/",
			"client_ip": "230.180.240.23",
			"referer": "",
			"host": "cdn.example.com",
			"uuid": "38046679731278771327748811544613832998",
			"client_country_code": "US",
			"waf_profile_name": "Site 1",
			"waf_profile_type": "PRODUCTION",
			"waf_instance_name": "Site 1 Instance",
			"sub_events_count": 1,
			"sub_events": [{
					"total_anomaly_score": 0,
					"matched_on": "REQUEST_METHOD",
					"matched_value": "POST",
					"rule_id": 80009,
					"rule_message": "Method is not allowed by policy"
				}
			],
			"rule_tags": [],
			"rule_message": "Method is not allowed by policy",
			"action_type": "BLOCK_REQUEST",
			"server_port": 443,
			"client_country": "United States",
			"client_city": "Los Angeles"
		}
	]
}

Example (JSON array):

[{
		"timestamp": 1602200337.177535713,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "190.220.230.2",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832704",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}, {
		"timestamp": 1602200338.598465258,
		"user_agent": "curl/7.64.1",
		"url": "https://cdn.example.com/",
		"client_ip": "230.180.240.23",
		"referer": "",
		"host": "cdn.example.com",
		"uuid": "38046679731278771327748811544613832998",
		"client_country_code": "US",
		"waf_profile_name": "Site 1",
		"waf_profile_type": "PRODUCTION",
		"waf_instance_name": "Site 1 Instance",
		"sub_events_count": 1,
		"sub_events": [{
				"total_anomaly_score": 0,
				"matched_on": "REQUEST_METHOD",
				"matched_value": "POST",
				"rule_id": 80009,
				"rule_message": "Method is not allowed by policy"
			}
		],
		"rule_tags": [],
		"rule_message": "Method is not allowed by policy",
		"action_type": "BLOCK_REQUEST",
		"server_port": 443,
		"client_country": "United States",
		"client_city": "Los Angeles"
	}
]		

Example (JSON lines):

{"user_agent": "Mozilla/5.0 (Windows NT ...Represents a log entry.}
{"user_agent": "Mozilla/5.0 (Windows NT ...}